[DNSOP] Re: [EXTERNAL] New Version Notification for draft-tjjk-cared-00.txt
Paul Vixie <paul@redbarn.org> Tue, 23 July 2024 20:02 UTC
From: Paul Vixie <paul@redbarn.org>
To: Paul Wouters <paul@nohats.ca>
Date: Tue, 23 Jul 2024 13:01:54 -0700
Message-ID: <2334040.7YbXXFKy9f@heater.srcl.tisf.net>
In-Reply-To: <4FF4AA72-5E91-4980-A4B4-80E59F64B76C@nohats.ca>
References: <3321551.kGzlxMrEDr@heater.srcl.tisf.net> <4FF4AA72-5E91-4980-A4B4-80E59F64B76C@nohats.ca>
CC: Tommy Jensen <Jensen.Thomas@microsoft.com>, Ben Schwartz <bemasc@meta.com>, dnsop <dnsop@ietf.org>, "Damick, Jeffrey" <jdamick@amazon.com>, "Engskow, Matt" <mengskow@amazon.com>, Jessica Krynitsky <Jess.Krynitsky@microsoft.com>
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/UkV8JXiKMGBCT2RSB-KhKvpgaMU>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop>
--
P Vixie

On Tuesday, July 23, 2024 12:52:28 PM PDT Paul Wouters wrote:
> On Jul 23, 2024, at 12:09, Paul Vixie <paul=40redbarn.org@dmarc.ietf.org> wrote:
> > Making TLS 1.2 available as a fallback is vital. Many secure private edge
> > networks will never allow TLS 1.3 because of ECH.
>
> You can do TLS 1.3 without ECH ?

if an endpoint wants TLS 1.3 with ECH, there's no way to negotiate them down
to TLS 1.3 without ECH. there is a way to negotiate them down to TLS 1.2.

> Making a weaker version of TLS mandatory would be unwise, unless it's to
> give more time for migration away from it.

migration for military, government, and many corporate networks can't happen.
for reasons of law, regulation, or policy, they must see the client hello
before they can decide whether to block the flow. "just secure your devices"
can't work due to the way the supply chain works. the only alternative will be
to block outbound entirely and force all traffic through a non-intercepting
proxy. ietf knew this, but RFC 8890 forbade us to consider it. i was a
dissenter.

the fact that you refer to TLS 1.2 as "weaker" may indicate a preference that
we mandate a technology that often _cannot_ be used even though the
alternative ("effective mandate") will be a technology (explicit proxy) which
is in fact weaker than TLS 1.2. we should not argue from talking points.

don't put it in terms of migration. just recommend that fallback be allowed.
50 years from now, smarter people than us can think of a better way forward.
as things are today, secure private edge networks including military,
government, and many commercial networks, will not allow TLS 1.3 to be used.

paul
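The argument above turns on what an enforcement point can and cannot read from a ClientHello: the server_name, the supported_versions list, and whether an encrypted_client_hello extension is present. The following is an added illustration for this archive page, not code from draft-tjjk-cared or from any participant in the thread. It constructs sample ClientHello records in memory (no network traffic), parses the three fields, and applies a hypothetical policy function `classify()`. Wire formats follow RFC 8446 and RFC 6066; the ECH extension codepoint 0xfe0d is the one used by the ECH drafts; the cipher suites and hostnames are made up.

```python
"""Inspect a TLS ClientHello the way a policy enforcement point would.

Added example (not from the draft or the thread).  All ClientHello bytes are
constructed locally; nothing is sent on the wire.
"""
import os
import struct
from typing import Optional

EXT_SERVER_NAME = 0x0000        # RFC 6066
EXT_SUPPORTED_VERSIONS = 0x002B  # RFC 8446 section 4.2.1
EXT_ECH = 0xFE0D                # encrypted_client_hello (ECH drafts)

TLS12 = 0x0303
TLS13 = 0x0304


def _vec(body: bytes, width: int) -> bytes:
    """Length-prefixed vector with a `width`-byte length field."""
    return len(body).to_bytes(width, "big") + body


def _ext(ext_type: int, body: bytes) -> bytes:
    return struct.pack("!H", ext_type) + _vec(body, 2)


def build_client_hello(sni: str, versions, ech_payload: Optional[bytes] = None) -> bytes:
    """Construct a minimal TLS record carrying a ClientHello (constructed sample)."""
    exts = b""
    # server_name: ServerNameList holding one host_name (type 0) entry
    exts += _ext(EXT_SERVER_NAME, _vec(b"\x00" + _vec(sni.encode(), 2), 2))
    # supported_versions (client form): 1-byte length, then 2-byte versions
    exts += _ext(EXT_SUPPORTED_VERSIONS,
                 _vec(b"".join(struct.pack("!H", v) for v in versions), 1))
    if ech_payload is not None:
        exts += _ext(EXT_ECH, ech_payload)   # opaque here; real ECH has structure
    body = (
        struct.pack("!H", TLS12)                        # legacy_version
        + os.urandom(32)                                # random
        + _vec(b"", 1)                                  # legacy_session_id
        + _vec(struct.pack("!HH", 0x1301, 0xC02F), 2)   # cipher_suites (sample)
        + _vec(b"\x00", 1)                              # legacy_compression_methods
        + _vec(exts, 2)                                 # extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # HandshakeType client_hello
    return b"\x16\x03\x01" + _vec(handshake, 2)                # ContentType handshake


def inspect_client_hello(record: bytes) -> dict:
    """Return the fields an enforcement point looks at: sni, versions, ech."""
    if record[0] != 0x16:
        raise ValueError("not a handshake record")
    rec_len = int.from_bytes(record[3:5], "big")
    hs = record[5:5 + rec_len]
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                                          # legacy_version + random
    pos += 1 + body[pos]                                  # legacy_session_id
    pos += 2 + int.from_bytes(body[pos:pos + 2], "big")   # cipher_suites
    pos += 1 + body[pos]                                  # compression methods
    exts_len = int.from_bytes(body[pos:pos + 2], "big")
    pos += 2
    end = pos + exts_len
    # Without supported_versions the offered version is legacy_version (TLS 1.2).
    info = {"sni": None, "versions": [TLS12], "ech": False}
    while pos < end:
        ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
        data = body[pos + 4:pos + 4 + ext_len]
        pos += 4 + ext_len
        if ext_type == EXT_SERVER_NAME:
            name_len = int.from_bytes(data[3:5], "big")   # skip list len + name type
            info["sni"] = data[5:5 + name_len].decode()
        elif ext_type == EXT_SUPPORTED_VERSIONS:
            n = data[0]
            info["versions"] = [int.from_bytes(data[i:i + 2], "big") for i in range(1, 1 + n, 2)]
        elif ext_type == EXT_ECH:
            info["ech"] = True
    return info


def classify(record: bytes) -> str:
    """Hypothetical policy: can this flow be judged on its visible ClientHello?"""
    info = inspect_client_hello(record)
    if info["ech"]:
        # The visible server_name is only the ECHConfig public_name; the real
        # name is in the encrypted inner ClientHello, so it cannot be evaluated.
        return "opaque-ech"
    if TLS13 in info["versions"]:
        return "inspectable-tls13"
    return "inspectable-tls12"


if __name__ == "__main__":
    for label, rec in [
        ("plain 1.3", build_client_hello("intranet.example", [TLS13, TLS12])),
        ("ech", build_client_hello("public.example", [TLS13], ech_payload=b"\x00" * 16)),
        ("1.2 only", build_client_hello("legacy.example", [TLS12])),
    ]:
        print(label, inspect_client_hello(rec), classify(rec))
```

Two caveats for anyone building on this. First, a rejected ECH does not reveal the inner name: per the ECH drafts the server completes the handshake against the outer ClientHello, so an enforcement point that cannot decrypt ECH sees only the public_name whether or not ECH is accepted. Second, steering a client to TLS 1.2 is only safe when it is the server that chooses 1.2: RFC 8446 section 4.1.3 requires a TLS 1.3-capable server that negotiates 1.2 to end ServerHello.random with the bytes 44 4F 57 4E 47 52 44 01, and a TLS 1.3 client that sees that sentinel must abort, so a middlebox that strips supported_versions from the ClientHello will break connections to 1.3-capable servers rather than downgrade them.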
- [DNSOP] Re: [EXTERNAL] New Version Notification f… Tommy Jensen
- [DNSOP] Re: [EXTERNAL] New Version Notification f… Erik Nygren
- [DNSOP] Re: [EXTERNAL] New Version Notification f… Ben Schwartz
- [DNSOP] Re: [EXTERNAL] New Version Notification f… Tommy Jensen
- [DNSOP] Re: [EXTERNAL] New Version Notification f… Jessica Krynitsky
- [DNSOP] Re: [EXTERNAL] New Version Notification f… Paul Vixie
- [DNSOP] Re: [EXTERNAL] New Version Notification f… Paul Wouters
- [DNSOP] Re: [EXTERNAL] New Version Notification f… Paul Vixie
- [DNSOP] Re: [EXTERNAL] New Version Notification f… Ben Schwartz
- [DNSOP] Re: [EXTERNAL] New Version Notification f… Jessica Krynitsky
- [DNSOP] Re: [EXTERNAL] New Version Notification f… Paul Vixie
- [DNSOP] Re: [EXTERNAL] New Version Notification f… tirumal reddy
- [DNSOP] Re: [EXTERNAL] New Version Notification f… Ben Schwartz
- [DNSOP] Re: [EXTERNAL] New Version Notification f… Paul Vixie
- [DNSOP] Re: [EXTERNAL] New Version Notification f… tirumal reddy
- [DNSOP] Re: [EXTERNAL] New Version Notification f… Ben Schwartz