On 20/07/17 21:21, Carl Mehner wrote:
> On Thu, Jul 20, 2017 at 10:38 AM, Simon Friedberger
> <simon....@a-oben.org> wrote:
> I think using TLS 1.2 and waiting will only work up to a point. When
> the regulators do require TLS 1.3 (and that may be years and years
> away), enterprises still need somewhere to go in order to use things
> like IDS and IPS, to look into where application issues are happening,
> and all the other reasons that are laid out for needing this draft.
I agree up to the last point. As you say later there are alternatives
and of course vendors of IDS solutions are not going to implement any of
the potentially more complicated solutions if they don't have to. But it
is entirely possible.
> What's unclear is: Are these organizations willing to take their
> current networking and application designs and begin to slowly rework
> it to support a TLS 1.3-only (real-ephemeral-keys-only) style
> architecture by the time it is required?
For business reasons they essentially must say that they won't, but
should TLS 1.3 be accepted as-is they will either do it or be replaced
by more competitive businesses.
> I can say from my enterprise perspective, enterprises have been
> working toward that goal since it was announced that RSA key exchange
> was going away several years ago. We're working with software vendors
> to get the logs that we need from endpoints, making sure that IDS/IPS
> vendors that currently break open streams of TLS cipher text using RSA
> keys are able to switch over to doing TLS termination (with good
> configurations), or use load balancers that can terminate TLS and loop
> it up into an IDS/IPS/WAF before sending the plaintext stream off into
> a new encrypted direction.
>
> It's not an overnight change, but it is a practical one, and one that
> could end up making these complicated applications that "need"
> static-key-style decryption work more effectively and efficiently.
Yes!

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
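The load-balancer pattern Carl describes (terminate TLS, loop the plaintext through an IDS/IPS/WAF, then re-encrypt toward the application) can be expressed in a few lines of HAProxy configuration. This is an added illustration, not something from the thread or from HAProxy's own documentation; the certificate paths, the loopback ports and the `app1.internal.example` host are placeholders, and it assumes the inspection tier is configured to forward whatever it accepts back to `127.0.0.1:8081`.

```haproxy
global
    log stdout format raw local0
    # Negotiate only TLS 1.3 on both the client-facing side and the
    # re-encrypting side, so there is no RSA key exchange anywhere to
    # hand a static private key to a passive decryptor.
    ssl-default-bind-options ssl-min-ver TLSv1.3
    ssl-default-server-options ssl-min-ver TLSv1.3

defaults
    mode http
    log global
    option httplog          # per-request logs replace "decrypt the wire" visibility
    timeout connect 5s
    timeout client 30s
    timeout server 30s

# 1. Terminate TLS 1.3 from clients. The ephemeral session keys exist only
#    in this process and are never exported.
frontend public_https
    bind *:443 ssl crt /etc/haproxy/certs/example.pem   # placeholder path
    default_backend inspection_tier

# 2. Hand the plaintext stream to the inspection layer (IDS/IPS/WAF).
#    Binding it to loopback keeps the cleartext hop on the same host.
backend inspection_tier
    server waf 127.0.0.1:8080 check

# 3. The inspection tier sends the (possibly filtered) request back here ...
frontend post_inspection
    bind 127.0.0.1:8081
    default_backend app_servers

# 4. ... and it is re-encrypted toward the application, with the backend
#    certificate verified against an internal CA, so the last hop is not
#    plaintext and a spoofed application server is rejected.
backend app_servers
    server app1 app1.internal.example:8443 ssl verify required ca-file /etc/haproxy/ca/internal-ca.pem check
```

Two points follow from the layout. The cleartext exists only between steps 2 and 3, so the host running the proxy and the inspection tier becomes the place where access control and audit logging matter most, and nothing on the path needs a long-lived private key that could decrypt recorded traffic later. `verify required` on the re-encrypting hop is what keeps the design from degrading into "encrypt to whoever answers", which is the failure the passive-decryption approach never had to think about because it never opened a second connection.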
