I am willing to bet that his point was not at all that Enterprises could switch quickly, as you say in your response. We do not do ANYTHING quickly.
I believe his point was that because we do not move quickly, we need to prepare as much in advance as possible, and assure that the base protocols we know we will be using in the future, do not put us in the position of having to do things that are generally not possible, such as make significant application or protocol changes. And out of curiosity, what is the simpler protocol you are recommending? I say out of curiosity because switching to a whole different protocol is not likely to be feasible from any perspective for large enterprises and the complex, multi-tier protocols that are prevalent. From: TLS [mailto:tls-boun...@ietf.org] On Behalf Of Ted Lemon Sent: Sunday, October 22, 2017 5:18 PM To: Steve Fenter <steven.fente...@gmail.com> Cc: tls@ietf.org Subject: Re: [TLS] Publication of draft-rhrd-tls-tls13-visibility-00 On Oct 22, 2017, at 4:48 PM, Steve Fenter <steven.fente...@gmail.com<mailto:steven.fente...@gmail.com>> wrote: The main problem with not addressing the TLS visibility issue now is that no one knows when a vulnerability will be discovered in TLS 1.2 that forces enterprises to upgrade to TLS 1.3. We've had guarantees that TLS 1.2 and the RSA key exchange are going to be fine for 5 to 10 years, but nobody knows that, particularly in today's security environment. Implicit in this assertion is the claim that these organizations could switch quickly to TLS 1.3, but in fact we know that it's been very difficult for them to make the switch from 1.1 to 1.2, and in many cases they haven't done it. So this isn't really at all persuasive. But even if it were persuasive, it still wouldn't be a good argument. TLS is a complicated protocol that does far more than is required for the use case we are talking about. It would be better to use a simpler protocol with a smaller attack surface. So why not get started on that now, instead of trying to weaken TLS 1.3? The information contained in this communication is highly confidential and is intended solely for the use of the individual(s) to whom this communication is directed. If you are not the intended recipient, you are hereby notified that any viewing, copying, disclosure or distribution of this information is prohibited. Please notify the sender, by electronic mail or telephone, of any unintended receipt and delete the original message without making any copies. Blue Cross Blue Shield of Michigan and Blue Care Network of Michigan are nonprofit corporations and independent licensees of the Blue Cross and Blue Shield Association.
_______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls
