• eTLS was created by industry, for industry

Sophia Antipolis, 5 November 2018: ETSI Technical Committee CYBER has recently released a Middlebox Security Protocol specification, Profile For Enterprise Network and Data Centre Access Control , TS 103 523-3, known as Enterprise TLS or “eTLS”.

This specification was driven by, and fulfils, an industry need to perform vital data centre operations – whilst supporting a recently standardized version of TLS (1.3). Such required operations include compliance, troubleshooting, detection of attacks (such as malware activity, data exfiltration, DDoS incidents), and more, on encrypted networks – functions which are enabled in the presence of TLS 1.3 by eTLS.

eTLS allows data centre and enterprise network operators to meet their service agreements and legal mandates; eTLS protects users from being forced to revert to older, less secure protocols; and eTLS allows data centre operators and users visibility over who has access to their data.

eTLS, defined in TS 103 523-3, specifies an implementation variant of TLS 1.3. This variant is needed because TLS 1.3 removes support for certain key exchange methods, which prevents passive decryption of TLS 1.3 sessions at any scale. However, there are operational circumstances where passive decryption of sessions is necessary. Such situations generally occur where both the parties in a connection, and by inference the data being exchanged, are under the control of the same entity. eTLS uses a key exchange message that supports these use cases and provides visibility information to the end user using the connection’s certificate.

ETSI creates standards that are driven by industry need. ETSI previously published a Technical Report, ETSI TR 103 421, that recommended providing a series of standards-based solutions to the evolving needs of industry, networks and middleboxes. Part 3 is the first published part of these recommended standards.