On 04.04.2018 at 14:43, Hubert Kario wrote:
On Friday, 30 March 2018 11:42:23 CEST Vakul Garg wrote:
Hi Martin

-----Original Message-----
From: TLS [mailto:tls-boun...@ietf.org] On Behalf Of Martin Rex
Sent: Thursday, March 29, 2018 4:47 AM
To: Steve Fenter <steven.fente...@gmail.com>
Cc: tls@ietf.org
Subject: Re: [TLS] Breaking into TLS for enterprise "visibility" (don't do it)
Steve Fenter <steven.fente...@gmail.com> wrote:
To clarify for anyone who has confusion on the enterprise TLS
visibility use case, I think enterprises need to be able to do
out-of-band decryption anywhere in the network that they own.
This argument is so lame.

In Germany, monitoring communications between individuals or between
individuals and legal entities, including communications over corporate
networks, was made a serious crime in 2004 (TKG 2004) with a penalty of up
to 5 years in prison for listening into such communication.

The world didn't end.  Really, consider it proven that there is no need.
Could monitoring be legally done if the user provided his consent at the
time of login into an enterprise-managed terminal?
I guess that's the case in enterprise managed networks.
No, even then the employer needs to establish a concrete case for inspection
of the communications of an employee.
The employer also must not continue inspecting an email as soon as it has
noticed that it is part of a private message.

https://www.lexology.com/library/detail.aspx?g=f946064a-05d0-4603-ace9-3846b1c7536d

and this is true, to a large degree, for the whole of EU:
https://www.theguardian.com/law/2017/sep/05/romanian-chat-messages-read-by-employer-had-privacy-breached-court-rules

From the ECHR ruling:
"An employer[...] cannot reduce private social life in the workplace to zero.
Respect for private life and for the privacy of correspondence continues to
exist, even if these may be restricted in so far as necessary."

This is true, but at the same time the employer is required in many countries, including Germany, to archive many emails and other relevant messages. See for example https://en.wikipedia.org/wiki/Email_archiving or https://www.intradyn.com/email-retention-laws/. This is often in conflict with the above-mentioned laws; for an example see https://www.theguardian.com/business/2016/jan/08/volkswagen-withhold-emissions-documents-investigations.


I don't think breaking TLS is the way to fulfill such requirements, but I also think a TLS connection to a company shouldn't end up at a third party providing hosting or CDN services.


Regards,
Roland




There may be _desires_.  For me, those desires are no less unethical than
data collections by Apple, Cambridge Analytica, Facebook, Google,
Microsoft, whathaveyou...

.... and fortunately, for corporations in Germany, such data gathering is
not just unethical, but truly criminal by law.


-Martin

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls