Re: Proposed Statement on "HTTPS everywhere for the IETF"

Stephen Farrell <stephen.farrell@cs.tcd.ie> Wed, 03 June 2015 15:40 UTC

Return-Path: <stephen.farrell@cs.tcd.ie>
X-Original-To: ietf@ietfa.amsl.com
Delivered-To: ietf@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B68FC1A907D for <ietf@ietfa.amsl.com>; Wed, 3 Jun 2015 08:40:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.21
X-Spam-Level:
X-Spam-Status: No, score=-4.21 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6TVL0sYb2ClK for <ietf@ietfa.amsl.com>; Wed, 3 Jun 2015 08:40:10 -0700 (PDT)
Received: from mercury.scss.tcd.ie (mercury.scss.tcd.ie [134.226.56.6]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8C4401A906C for <ietf@ietf.org>; Wed, 3 Jun 2015 08:40:10 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mercury.scss.tcd.ie (Postfix) with ESMTP id E46C2BF07; Wed, 3 Jun 2015 16:40:08 +0100 (IST)
Received: from mercury.scss.tcd.ie ([127.0.0.1]) by localhost (mercury.scss.tcd.ie [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 178buvPO0J8L; Wed, 3 Jun 2015 16:40:08 +0100 (IST)
Received: from [134.226.36.180] (stephen-think.dsg.cs.tcd.ie [134.226.36.180]) by mercury.scss.tcd.ie (Postfix) with ESMTPSA id 89FEDBEFE; Wed, 3 Jun 2015 16:40:07 +0100 (IST)
Message-ID: <556F1FD7.8030707@cs.tcd.ie>
Date: Wed, 03 Jun 2015 16:40:07 +0100
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.7.0
MIME-Version: 1.0
To: "t.p." <daedulus@btconnect.com>, Jari Arkko <jari.arkko@piuha.net>
Subject: Re: Proposed Statement on "HTTPS everywhere for the IETF"
References: <20150601164359.29999.35343.idtracker@ietfa.amsl.com> <CAL02cgRPFooA5fVFwvdprb3wPD+Y55pD+7RWjkACDv7T_TBW5Q@mail.gmail.com> <556DE0EF.2040809@isi.edu> <CAL02cgSdSFOaDqz9+jAZ7KsoMXOa5u=ff_i=c3EQ-SG0-ZPG7A@mail.gmail.com> <556DFCF7.3020607@isi.edu> <CAL02cgSOWpV51mQUdmeFwJaDS1fDWfG5Du4tRGgVW8OtvR1z3Q@mail.gmail.com> <556E1F7C.7060602@isi.edu> <CAL02cgTDXkmUwVHWo2_jrj+Lj4AcxnMUj98V2L4wqLrB9Mf9cw@mail.gmail.com> <556E229F.4050807@isi.edu> <F3F507B8-65BA-465B-9C4B-97AE059D3652@piuha.net> <02a401d09dea$af46b860$4001a8c0@gateway.2wire.net>
In-Reply-To: <02a401d09dea$af46b860$4001a8c0@gateway.2wire.net>
OpenPGP: id=D66EA7906F0B897FB2E97D582F3C8736805F8DA2; url=
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 7bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/ietf/G5gSs-sf4kSJ-sOa_7-CiHIfF2c>
Cc: ietf@ietf.org
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ietf/>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 03 Jun 2015 15:40:12 -0000

Hiya,

On 03/06/15 11:47, t.p. wrote:
> ----- Original Message -----
> From: "Jari Arkko" <jari.arkko@piuha.net>
> To: "Joe Touch" <touch@isi.edu>
> Cc: "Richard Barnes" <rlb@ipv.sx>sx>; <ietf@ietf.org>
> Sent: Wednesday, June 03, 2015 4:55 AM
> 
> I am not sure the discussion about blocking is relevant. We will change
> defaults, but cleartext is still available.
> 
> <tp>
> 
> I note that the statement makes TLS 1.2 a MUST and earlier versions of
> TLS a SHOULD NOT.

The statement refers to BCP195, which is our very recent IETF
consensus document on generic use of TLS and which says the
above and a bit more about versions. [1] I can't see we would
want to ignore that output from the UTA working group here - if
that BCP really doesn't work for IETF content, then we would
presumably need get the WG to fix the BCP and not the statement;-)

> In practical terms, what levels of browser will we be required to have
> in order to be able to use TLS 1.2?

I'm not sure to be honest, but for me, up-to-date ff and chromium
(on Linux) are both fine, e.g. when accessing [1] I end up with
TLS1.2 with both of those.

Cheers,
S.

[1] https://tools.ietf.org/html/bcp195#section-3.1.1



> 
> Tom Petch
> 
> Jari
> 
>