I will pretty much repeat what I said below. Significant fundamental infrastructure changes, are very difficult for very large organizations to assimilate. Because of time and resource issues, large organizations would seek to avoid major, overhaul type changes, wherever possible. The larger the organization, the more ominous such challenges become. I am sure I am not telling you anything you do not already know. But, "Not making any changes" does not fall into this category. The fact that Enterprises are finally coming to the IETF table, should be sufficient to show the willingness to be involved, flexible, compromise and yes................. change as necessary. From the beginning, many Enterprises have waned nothing more than to have their use cases accepted as valid, by the IETF, and to collaborate with the IETF SMEs, on crafting optimal solutions. I guess I am personally still naïve enough to believe this can occur.
To keep using TLS1.2 has been proposed and discussed many times over the past year or so and is not acceptable for many reasons outlined in Steve Fenters draft. So I will refer to that, rather than add repetition to the list. But suffice to say it is well beyond PCI for most Enterprises. -----Original Message----- From: Ted Lemon [mailto:mel...@fugue.com] Sent: Tuesday, March 13, 2018 4:28 PM To: Ackermann, Michael <mackerm...@bcbsm.com> Cc: nalini elkins <nalini.elk...@e-dco.com>; <tls@ietf.org> <tls@ietf.org> Subject: Re: [TLS] TLS@IETF101 Agenda Posted On Mar 13, 2018, at 3:20 PM, Ackermann, Michael <mackerm...@bcbsm.com> wrote: > I think that most Enterprises are not espousing any conversations "how can we > avoid making any changes?" With respect, Michael, when I have conversed with you about this in the past, that is precisely what you have asked for. You do not want to have to change your operational methodology, and any change to TLS that forces you to change your operational methodology is unacceptable to you. I understand why that is, and I sympathize, but let's please be clear that this is your precise goal. > But we would seek to avoid unnecessary, wholesale, infrastructure > architectural changes. There's an easy way to do this, although as a sometime bank security geek I would strongly advise you to not do it: keep using TLS 1.2. Of course, you've also explained why that isn't acceptable to you—you are afraid that the payment card industry will eventually force you to use TLS 1.3, just as they have, rather ineffectively, tried to insist that you use TLS 1.2. Now why would they do that? The information contained in this communication is highly confidential and is intended solely for the use of the individual(s) to whom this communication is directed. If you are not the intended recipient, you are hereby notified that any viewing, copying, disclosure or distribution of this information is prohibited. Please notify the sender, by electronic mail or telephone, of any unintended receipt and delete the original message without making any copies. Blue Cross Blue Shield of Michigan and Blue Care Network of Michigan are nonprofit corporations and independent licensees of the Blue Cross and Blue Shield Association. _______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls
