As I understand it (poorly!) the idea is exactly to have a single system on
the network that monitors all traffic in cleartext.

It's fundamentally impossible to prevent someone from copying all their
traffic to another system in cleartext. If they're going to do it, they
will.

The functionality is exactly the same as what could be achieved by
installing monitoring software on each endpoint, but the logistics are
different since the monitoring is centralized.

The debate seems to be around: whether it should be standardized, and
whether the other endpoint (outside the monitored network) should know
about it.

On Tue, Mar 20, 2018 at 4:18 AM, Dan Brown <danibr...@blackberry.com> wrote:

> Dear TLS WG,
>
> Enterprise "visibility" is a network issue, not an Internet issue, and
> thus, to my _limited_ understanding, should be out of scope of IETF.
>
> Nonetheless, enterprise security is important, and enterprise networks use
> Internet technology internally, so the topic is perhaps still procedurally
> discussable, so I continue.  I (naively) worry that "visibility" is also
> "siphonability", creating an incentive for a Snowden-sized (but malicious)
> leak, which could hurt enterprises and their customers.  In other words:
> who watches the watchers; avoid a single point of weakness; prevent social
> engineering opportunities; decentralize power; make sure the cure is not
> worse than the ailment; etc.  It is not yet clear (to me) which attackers
> "visibility" would thwart, but if it is just naïve (but plentiful)
> insiders, then I imagine the optimal solution would be better endpoint
> management (which may be a more difficult road than "visibility", but
> should still be the long-term solution).
>
> Best regards,
>
> Dan
>
> PS: I never directly worked on enterprise security (usually, I just think
> about the math of basic crypto primitives), but I don't recall hearing
> about such a "visibility" feature in the enterprise security work of
> colleagues (whom I do _not_ speak for), e.g. one system used forward-secure
> ECMQV to establish a connection between smartphones and the enterprise
> network.
>
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls