On Mon, 3 Apr 2017 16:17:45 +0000
"Fries, Steffen" <steffen.fr...@siemens.com> wrote:

> The reason I'm asking is that in industrial communication it is often
> sufficient to have source authentication and message integrity while
> probes on the network are still able to monitor the traffic for
> certain properties or verify allowed exchanges. An example is ICCP
> for inter control center communication. The two control centers are
> connected via an IPSec tunnel terminated in the DMZ. The desire is to
> have the TLS tunnel end-to-end to allow for source authentication and
> also for message integrity, while doing traffic inspection in the
> DMZ. There exist other scenarios with a similar requirement.

Adding such a mode would add additional complexity that might lead to
vulnerabilities, e.g. implementations that can be tricked into using a
non-encrypted mode.

It's been a trend in the TLS working group to
a) reduce complexity when possible.
b) not try to accommodate obscure use cases that aren't relevant for the
majority of TLS use cases.

Thus I assume a null cipher won't find support here. If you want to
have traffic inspection with TLS imho the right way is to support that
at the end points (let alone any arguments why you're doing traffic
inspection in the first place and whether those reasons are good ones).
If you don't like that then TLS may not be the right protocol for your
use case.

-- 
Hanno Böck
https://hboeck.de/

mail/jabber: ha...@hboeck.de
GPG: FE73757FA60E4E21B937579FA5880072BBB51E42
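The downgrade concern raised in the reply above (an implementation tricked into a non-encrypted mode), as an added example that is not part of this thread and comes from neither correspondent: a small Python audit that flags NULL-encryption and anonymous cipher suites by their OpenSSL names, a hardened `ssl.SSLContext` that excludes both classes, and a check that the context really cannot negotiate one. The cipher-name list is constructed for the example; the function names are this example's own and nothing here is taken from ICCP or any real deployment.

```python
"""Added example (not from the mailing-list thread): make sure a TLS
endpoint cannot negotiate a NULL-encryption or anonymous cipher suite,
and audit a configured context to prove it."""
import re
import ssl

# Constructed sample of OpenSSL cipher-suite names, mixing sound suites
# with the two classes Hanno's reply warns about.
SAMPLE_CIPHER_LIST = [
    "ECDHE-RSA-AES128-GCM-SHA256",  # encrypted, authenticated
    "NULL-SHA256",                  # integrity only, no encryption
    "ADH-AES128-SHA",               # anonymous DH: no source authentication
    "ECDHE-RSA-NULL-SHA",           # authenticated but unencrypted
    "TLS_AES_256_GCM_SHA384",       # TLS 1.3 suite (underscore-separated)
]

_TOKEN_SPLIT = re.compile(r"[-_]")


def is_null_encryption(cipher_name: str) -> bool:
    """True if the suite carries no encryption (a bare 'NULL' token)."""
    tokens = _TOKEN_SPLIT.split(cipher_name.upper())
    return "NULL" in tokens


def is_anonymous_kx(cipher_name: str) -> bool:
    """True if the suite uses an unauthenticated key exchange.

    OpenSSL names anonymous suites ADH-*/AECDH-*; IANA names carry 'anon'.
    """
    tokens = _TOKEN_SPLIT.split(cipher_name)
    return tokens[0].upper() in {"ADH", "AECDH"} or any(
        "anon" in t.lower() for t in tokens
    )


def audit_cipher_names(names):
    """Partition a list of suite names into the classes an endpoint must reject."""
    return {
        "null_encryption": [n for n in names if is_null_encryption(n)],
        "anonymous": [n for n in names if is_anonymous_kx(n)],
    }


def hardened_context() -> ssl.SSLContext:
    """Client context that refuses NULL-encryption and anonymous suites.

    PROTOCOL_TLS_CLIENT already enables certificate verification and
    hostname checking; the cipher string removes eNULL/aNULL explicitly
    rather than relying on DEFAULT to keep excluding them.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("DEFAULT:!eNULL:!aNULL")
    return ctx


def permissive_context() -> ssl.SSLContext:
    """The weak setting, for comparison: re-admits NULL encryption.

    Whether NULL suites actually appear depends on the OpenSSL build;
    the point is that the audit below, not the cipher string, is the check.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers("ALL:eNULL")
    return ctx


def context_cipher_names(ctx: ssl.SSLContext):
    """Suite names the context is willing to negotiate (TLS 1.2 and 1.3)."""
    return [c["name"] for c in ctx.get_ciphers()]


def context_is_clean(ctx: ssl.SSLContext) -> bool:
    """True only if no negotiable suite is unencrypted or unauthenticated."""
    report = audit_cipher_names(context_cipher_names(ctx))
    return not report["null_encryption"] and not report["anonymous"]


if __name__ == "__main__":
    print("sample audit:", audit_cipher_names(SAMPLE_CIPHER_LIST))
    print("hardened context clean:", context_is_clean(hardened_context()))
    print("permissive context clean:", context_is_clean(permissive_context()))
```

Run the audit against every context an application builds (and against the server side, where `PROTOCOL_TLS_SERVER` applies); a context that fails `context_is_clean` is exactly the kind of endpoint that could be talked into an integrity-only session.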

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
