Thanks for taking an initial look at the document Stephen - please see
below for responses so far
On 11/7/17 4:13 AM, Stephen Farrell wrote:
Hiya,
On 07/11/17 02:48, Flemming Andreasen wrote:
We didn't draw any particular line, but the use case scenarios that we
tried to highlight are those related to overall security and regulatory
requirements (including public sector)
I had a quick look at the draft (will try to read it properly en-route to
ietf-100) and I followed the reference to [1] but that only led to a
forest of documents in which I didn't find any reference to breaking
TLS so far at least. Can you provide an explicit pointer to the
exact document on which that claim is based?
For NERC, you can look under "(CIP) Critical Infrastructure
Protection". CIP-005-5 for example covers the electronic security
perimeter, which has a couple of relevant requirements and associated text:
http://www.nerc.com/_layouts/PrintStandard.aspx?standardnumber=CIP-005-5&title=Cyber%20Security%20-%20Electronic%20Security%20Perimeter(s)&jurisdiction=United%20States
To be clear though, the document does not specifically call out breaking
TLS, but it does clearly call out the need to detect malicious inbound
and outbound communications by leveraging an "Electronic Access Point"
(e.g. IDS/IPS) to enforce the Electronic Security Perimeter.
I'd also claim that your reference to PCI-DSS is misleading, as that
same spec also explicitly calls for there to be good key management
specifically including minimising the number of copies of keys, so
at most, one might be able to claim that PCI-DSS is ok with people
who break TLS in a nod-and-a-wink manner. But if you do have a real
quote from PCI-DSS that calls for breaking TLS then please do also
send that (it's been asked for a bunch of times without any answer
being provided so far).
I will need to look more closely for such a quote - if anybody else
knows of one, please chime in as well.
Thanks
-- Flemming
Thanks,
S.
[1]
https://tools.ietf.org/html/draft-camwinget-tls-use-cases-00.html#ref-NERCCIP
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls