+1 From: Yoav Nir [mailto:ynir.i...@gmail.com] Sent: Saturday, July 8, 2017 8:36 AM To: Timothy Jackson <tjack...@mobileiron.com> Cc: Ackermann, Michael <mackerm...@bcbsm.com>; Watson Ladd <watsonbl...@gmail.com>; Christian Huitema <huit...@huitema.net>; tls@ietf.org Subject: Re: [TLS] draft-green-tls-static-dh-in-tls13-01
On 8 Jul 2017, at 6:18, Timothy Jackson <tjack...@mobileiron.com<mailto:tjack...@mobileiron.com>> wrote: As an earlier poster asked, what advantage does this approach have over TLS-inspecting proxies? Every IPS/IDS/next gen firewall with which I am familiar is able to terminate at TLS connection, inspect/copy/filter, and then encrypt on a new TLS sessions. For high performance customers, the SSL accelerators can be sandwiched around the filter so all the crypto is done in hardware. The ways to prevent TLS inspection are cert pinning and client cert auth. If this is only within one's data center, then those features can be disabled if necessary, no? What use case am I missing that can't be achieved better by other means than static keys? They would like to store traffic captures encrypted and be able to decrypt them a little later if that is necessary. Storing plaintext is something that auditors (rightfully!) don't like. They also don't want to install TLS proxies all over the place. That's a large extra expense for them. Yoav The information contained in this communication is highly confidential and is intended solely for the use of the individual(s) to whom this communication is directed. If you are not the intended recipient, you are hereby notified that any viewing, copying, disclosure or distribution of this information is prohibited. Please notify the sender, by electronic mail or telephone, of any unintended receipt and delete the original message without making any copies. Blue Cross Blue Shield of Michigan and Blue Care Network of Michigan are nonprofit corporations and independent licensees of the Blue Cross and Blue Shield Association.
_______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls
