On Tuesday, 27 September 2016 18:34:30 CEST BITS Security wrote:
> Ilari - I understand your (and others') view on this but there is no technical reason why this couldn't be part of the standard. A potential solution, like many cipher suite *choices* in past versions of TLS, would be optional and up to both clients and servers to configure what they are willing to support (or not support). You appear to be assuming everyone is running off the same set of requirements (one-size-fits-all) and we are here to tell you that isn't necessarily true.
If you're willing to forge One Ring to rule them all, using static server key shares in TLSv1.3 doesn't change anything in your ability to compromise the security of all the connections in your network. It also doesn't require any changes to TLSv1.3 to work. Yes, it will require changes to MitM boxes and decryption software, but that's the case for any new protocol version, isn't it?

> - Andrew
>
> -----Original Message-----
> From: ilariliusva...@welho.com [mailto:ilariliusva...@welho.com]
> Sent: Tuesday, September 27, 2016 2:24 PM
> To: BITS Security <bitssecur...@fsroundtable.org>
> Cc: Eric Rescorla <e...@rtfm.com>; tls@ietf.org
> Subject: Re: [TLS] Industry Concerns about TLS 1.3
>
> On Tue, Sep 27, 2016 at 06:07:28PM +0000, BITS Security wrote:
> > Hi Eric--Thank you for the prompt.
> >
> > Our requirements are for the same capabilities we have today with TLS 1.2, namely to be able to take a trace anywhere in our enterprise and decrypt it out of band (assuming that we own the TLS server). This includes traces taken from physical taps, traces from span or mirror ports, traces from the virtual environment, and/or traces from agents on workstations. We need to be able to apply a key to sniffer devices, security and fraud monitoring tools, APM devices, and/or TLS decryption appliances.
>
> No changes to standards are going to happen to make that any easier. Don't waste your time.
>
> -Ilari
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls

-- 
Regards,
Hubert Kario
Senior Quality Engineer, QE BaseOS Security team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic