ETSI - TS 103 523-3
CYBER; Middlebox Security Protocol; Part 3: Profile for enterprise network and data centre access control
| Field | Value |
| --- | --- |
| Organization | ETSI |
| Publication Date | 1 October 2018 |
| Status | inactive |
| Page Count | 20 |
Scope:
The present document specifies a protocol to enable secure communication sessions between network endpoints and one or more enterprise networks or between data centre middleboxes using encryption, whilst enabling network operations. The present document specifies an implementation variant of Transport Layer Security (TLS) version 1.3, called "eTLS" [2].
The present document describes two eTLS architectures: one for the situation where the originating server is an eTLS server inside the enterprise, and one for the situation where the originating server is a TLS 1.3 server outside the enterprise. The Diffie-Hellman key exchange and the visibility information used to negotiate the eTLS protocol setup are specified.
The actions of the client on receiving the visibility information, and the structure of the policy included in the visibility information, are not normatively defined; however, capabilities for an "eTLS aware client" are defined in annex B. The means by which eTLS endpoints share the Diffie-Hellman key with key consumers is specified, and examples are provided.
The present document describes, in annex A, a variant of eTLS that is not fully MSP compliant and is to be used only in essential cases, as visibility information is not supported in that variant.
The present document also includes the security guarantees made by eTLS, based on the security guarantees of TLS 1.3. Annex C describes the MSP protocol profile requirements applicable to eTLS, taken from the draft specification of ETSI TS 103 523-1 [i.1], so that this MSP Part may serve as a standalone document. A final mapping of MSP protocol profile requirements to eTLS is left to a future version of the present document.
Document History