To suggest that I or my industry does not take security seriously is 
inaccurate and immaterial to this discussion.

I would put the comment that anyone or any industry is attempting to lay costs 
for anything off on IETF in the same unfortunate bucket.

These types of subjectively negative statements are not at all constructive, 
germane nor worthy of response.

From: Ted Lemon [mailto:mel...@fugue.com]
Sent: Monday, October 23, 2017 1:45 PM
To: Ackermann, Michael <mackerm...@bcbsm.com>
Cc: Salz, Rich <rs...@akamai.com>; tls@ietf.org
Subject: Re: [TLS] Publication of draft-rhrd-tls-tls13-visibility-00

On Oct 23, 2017, at 1:30 PM, Ackermann, Michael 
<mackerm...@bcbsm.com<mailto:mackerm...@bcbsm.com>> wrote:
The WHY you ask is in the answer.
It is a huge proposition requiring change to virtually every platform and 
application. Not to mention all the management, monitoring and security 
platforms.
It would be very expensive and time consuming.
And when they ask why this is necessary, it is because the new version of the 
existing protocol is not backwards compatible, which is something we have come 
to expect.

I really tried to have sympathy for you about this in Prague. I know what 
it's like to get unreasonable pushes from management (not based on recent 
experience, fortunately). But this exact form of reasoning is why we're 
suffering from attacks on the internet like the Mirai botnet and the Reaper 
botnet, the Equifax hack, et cetera.

You have come to a group of people who take these issues extremely seriously 
and asked them to bless you in going forward to create another problem of the 
same magnitude. I know you don't think that's what you're asking, but that 
really is what you are asking. It might not be on your network—maybe you will 
operate this technology securely. But you are asking us to create an attack 
surface, and it will be used.

When you make requests like this, what you are really doing is pushing off 
costs your management doesn't want to pay on the users of the Internet as a 
whole. 130 million Americans are now doomed for life to suffer from attacks 
on their credit because of this kind of thinking.

Stop asking us to take security less seriously, and start taking it more 
seriously. You work for BCBS: you are responsible for protecting the privacy 
of a similar number of Americans. I know this is hard, but it's time to stop 
imagining that you can lay costs off on us and start planning how you are going 
to migrate to a more secure architecture.

The information contained in this communication is highly confidential and is 
intended solely for the use of the individual(s) to whom this communication is 
directed. If you are not the intended recipient, you are hereby notified that 
any viewing, copying, disclosure or distribution of this information is 
prohibited. Please notify the sender, by electronic mail or telephone, of any 
unintended receipt and delete the original message without making any copies.
 
 Blue Cross Blue Shield of Michigan and Blue Care Network of Michigan are 
nonprofit corporations and independent licensees of the Blue Cross and Blue 
Shield Association.
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls