➢ I have been saying to anyone who will listen that the IETF needs a private 
forum for enterprises, to enable them to come forward and discuss their real 
requirements. Without this input the IETF is trying to architect and engineer 
solutions without knowing the complete set of requirements, at least on the 
enterprise side.

Sorry, no.  We don’t work that way.  Never have, and never will.  Everything 
must be done in public.  That’s really just non-negotiable.  Without that 
input, then yes, the IETF protocols will “just” be for the public Internet.  
I’m sure many will accept that.

➢ The only other option being presented to enterprises is that we continue 
to run on a TLS spec that is nine years old, and then continue running it until 
it is 14 to 19 years old. It makes no sense to me to put out a TLS 1.3 
standard, but say that enterprises cannot upgrade to it.

Yes it makes sense, for two reasons.  First, “enterprises,” as represented by 
those who claim to need this visibility, haven’t even moved up to requiring TLS 
1.2.  It was because of enterprise push-back that PCI DSS was delayed, and that 
was only TLS 1.1!  Second, “enterprise” is a small part of the Internet.

So you need TLS 1.3, with this security-weakening feature, so that in case 
someone finds a break in TLS 1.1, or TLS 1.2, you can rapidly upgrade to TLS 
1.3.  The phrase that comes to mind is “are you --- kidding me?”

Enterprise monitoring, as has been repeatedly said here, *does not have to 
break.*  Keep your architecture and have the servers that you control within 
your enterprise share all the keys with the logging system.



_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
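The key-sharing approach in the last paragraph, as an added example that is not from this thread or any IETF or OpenSSL code: an ingestion routine for the logging system, assuming the enterprise's own servers export secrets in the NSS key log format (the SSLKEYLOGFILE format OpenSSL, NSS and Wireshark understand) and that a session is only useful to the monitor once both TLS 1.3 application traffic secrets, or the TLS 1.2 master secret, have arrived.

```python
from collections import defaultdict

# Labels OpenSSL and NSS write for a TLS 1.3 session; TLS 1.2 sessions use CLIENT_RANDOM.
TLS13_APP = {"CLIENT_TRAFFIC_SECRET_0", "SERVER_TRAFFIC_SECRET_0"}
TLS13_HS = {"CLIENT_HANDSHAKE_TRAFFIC_SECRET", "SERVER_HANDSHAKE_TRAFFIC_SECRET"}
KNOWN = TLS13_APP | TLS13_HS | {"EXPORTER_SECRET", "CLIENT_RANDOM"}

def parse_keylog(text):
    """Return {client_random: {label: secret}} from NSS key log text; malformed
    lines raise instead of silently leaving a session undecryptable."""
    sessions = defaultdict(dict)
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):  # comments and blank lines
            continue
        parts = line.split()
        if len(parts) != 3 or parts[0] not in KNOWN:
            raise ValueError(f"line {n}: expected '<label> <client_random> <secret>'")
        label, client_random, secret = parts
        # ClientHello random is 32 bytes; secrets are 32 or 48 bytes (SHA-256/SHA-384 suites, TLS 1.2 master secret)
        if len(client_random) != 64 or len(secret) not in (64, 96):
            raise ValueError(f"line {n}: bad field length")
        bytes.fromhex(client_random), bytes.fromhex(secret)  # reject non-hex
        sessions[client_random.lower()][label] = secret.lower()
    return dict(sessions)

def session_status(labels):
    """What the logging system can do with one session's exported secrets."""
    if TLS13_APP.issubset(labels):
        return "tls13-decryptable"
    if "CLIENT_RANDOM" in labels:
        return "tls12-decryptable"
    return "incomplete"  # e.g. handshake secrets only: application data stays opaque

def summarize(text):
    """Map each session (by ClientHello random) to its decryptability status."""
    return {rnd: session_status(labels) for rnd, labels in parse_keylog(text).items()}

# Constructed sample (not real keys): a full TLS 1.3 session, a TLS 1.2 session,
# and a TLS 1.3 session whose application traffic secrets were never exported.
SAMPLE_KEYLOG = "\n".join([
    "# constructed sample",
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET " + "aa" * 32 + " " + "01" * 32,
    "SERVER_HANDSHAKE_TRAFFIC_SECRET " + "aa" * 32 + " " + "02" * 32,
    "CLIENT_TRAFFIC_SECRET_0 " + "aa" * 32 + " " + "03" * 32,
    "SERVER_TRAFFIC_SECRET_0 " + "aa" * 32 + " " + "04" * 32,
    "CLIENT_RANDOM " + "bb" * 32 + " " + "05" * 48,
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET " + "cc" * 32 + " " + "06" * 32,
])
```

The "incomplete" case is the one a monitoring team should alert on: a server that only exports handshake secrets gives the logger nothing it can use on application data.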
