On Tue, Mar 13, 2018 at 1:52 PM, Ted Lemon <mel...@fugue.com> wrote:

> In addition, you are reducing compartmentalization with your keying
> strategy—in order to make communications easily decryptable, you have to
> have broadly-shared keys, and that reduces the amount of
> compartmentalization that TLS can provide between disparate elements in your
> networks.
>
> We have seen the result of poor compartmentalization on network security—the
> most recent really egregious example being the Equifax, which would have
> been a lot less bad if Equifax had employed the sort of basic
> compartmentalization precautions that the NIST recommends. Reducing
> compartmentalization inevitably makes it easier for an adversary to
> infiltrate your network and exfiltrate private user data.
+1. And I wonder how it is that, after hundreds of discussions, the compartmentalization issue is not addressed properly in draft-fenter. Simply stating that "typically, only select groups within an organization [are able to see decrypted traffic]" doesn't seem enough. (This is just a single example of an issue with that draft.)

| Artyom Gavrichenkov
| gpg: 2deb 97b1 0a3c 151d b67f 1ee5 00e7 94bc 4d08 9191
| mailto: xima...@gmail.com
| fb: ximaera
| telegram: xima_era
| skype: xima_era
| tel. no: +7 916 515 49 58