Hi Stephen, Adding to Flemming’s comment, finding “exact quotes” will be difficult as their intent is really not to break things but rather want to ensure that inspection and oversight is available to affect guards/protections within an (enterprise/data center) infrastructure. That said, PCI and other regulations will have a lot of documents that one has to go through….one that kind-of calls explicitly to the use of packet inspection, firewalling and such is in:
https://www.pcisecuritystandards.org/documents/SAQ_D_v3_Merchant.pdf It is an assessment questionnaire for vendors to evaluate their compliance, the requirements speak to securing the network and systems including firewalls, DMZs and the ability to do packet inspection. Thanks, Nancy On 11/7/17, 3:27 PM, "Flemming Andreasen (fandreas)" <fandr...@cisco.com> wrote: Thanks for taking an initial look at the document Stephen - please see below for responses so far On 11/7/17 4:13 AM, Stephen Farrell wrote: > Hiya, > > On 07/11/17 02:48, Flemming Andreasen wrote: >> We didn't draw any particular line, but the use case scenarios that we >> tried to highlight are those related to overall security and regulatory >> requirements (including public sector) > I had a quick look at the draft (will try read properly en-route to > ietf-100) and I followed the reference to [1] but that only lead to a > forest of documents in which I didn't find any reference to breaking > TLS so far at least. Can you provide an explicit pointer to the > exact document on which that claim is based? For NERC, you can look under "(CIP) Critital Infrastructure Protection". CIP-005-5 for example covers the electronic security perimeter, which has a couple of relevant requirements and associated text: http://www.nerc.com/_layouts/PrintStandard.aspx?standardnumber=CIP-005-5&title=Cyber%20Security%20-%20Electronic%20Security%20Perimeter(s)&jurisdiction=United%20States To be clear though, the document does not specifically call out breaking TLS, but it does clearly call out the need to detect malicious inbound and outbound communications by leveraging an "Electronic Access Point" (e.g. IDS/IPS) to enforce the Electronic Security Perimeter. > I'd also claim that your reference to PCI-DSS is misleading, as that > same spec also explicitly calls for there to be good key management > specifically including minimising the number of copies of keys, so > at most, one might be able to claim that PCI-DSS is ok with people > who break TLS in a nod-and-a-wink manner. But if you do have a real > quote from PCI-DSS that calls for breaking TLS then please do also > send that (it's been asked for a bunch of times without any answer > being provided so far). I will need to look more closely for such a quote - if anybody else knows of one, please chime in as well. Thanks -- Flemming > Thanks, > S. > > > [1] > https://tools.ietf.org/html/draft-camwinget-tls-use-cases-00.html#ref-NERCCIP > _______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls
