> On 22 Oct 2017, at 21:40, Ted Lemon <mel...@fugue.com> wrote: > > On Oct 22, 2017, at 1:54 PM, Russ Housley <hous...@vigilsec.com > <mailto:hous...@vigilsec.com>> wrote: >> No one is requiring TLS 1.3 that I know about. However, there are places >> that require visibility into TLS. I will let one of the people that works >> in a regulated industry offer pointers to the documents. > > What they require is visibility into contents of the flow that they are using > encryption to protect. Right now, the protocol they are using is TLS 1.1 or > TLS 1.2. The right thing for them to do if they continue to need this > visibility and are no longer permitted to use TLS 1.2 is to use IPsec+IKE,
Right, and shamelessly plugging my working group, I2NSF has recently adopted a draft ([1]) that is aimed at enabling and automating the deployment of IKE/IPsec in the datacenter. > or some protocol that is designed for this use case, not to take a protocol > designed specifically for securing flows from on-path eavesdropping and > create a mode where it is easier to wiretap. > > There is no reason other than momentum for them to switch to TLS 1.3 when it > doesn't address their use case. [1] https://tools.ietf.org/html/draft-abad-i2nsf-sdn-ipsec-flow-protection-03
signature.asc
Description: Message signed with OpenPGP
_______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls
