Re: [Iotops] [arch-d] How old is too old and what this means for product lifecycles? Re: [Last-Call] [TLS] Last Call: <draft-ietf-tls-oldversions-deprecate-09.txt> (Deprecating TLSv1.0 and TLSv1.1) to Best Current Practice

Sávyo Vinícius <> Mon, 07 December 2020 16:43 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 301703A12E7 for <>; Mon, 7 Dec 2020 08:43:56 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id yTq31S0VliTa for <>; Mon, 7 Dec 2020 08:43:51 -0800 (PST)
Received: from ( [IPv6:2a00:1450:4864:20::529]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id EDC5A3A146B for <>; Mon, 7 Dec 2020 08:43:50 -0800 (PST)
Received: by with SMTP id cm17so14447590edb.4 for <>; Mon, 07 Dec 2020 08:43:50 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=Xp6fVrKPalQphE4abU7DWfbY+FeqHSd6/tNq/UNw1ic=; b=g6N3tepOJ9IdSR8DR6L312bcz/CqyKa1EggQnQekJ1UXAUlPQ4t29vqmTMZCRuMPO8 pF/pX6HmmT39hzI3JH3bpHf5hIbRdkUfXLbnxWfxPiF1r4W5xL3a1vppUd+ZS0DIUJx9 Bx66aP6qg0pumkhPK6c8NMzpAob9KZNUSih/ChZd0G5xXossWT0WgFsVZA+2X3BSF5Ih fiu4Su0AhMRrzFaujuIpLOgf+wu+Xtez2L+swO4kDFHnUqKz+dx56Lc5Cb8tokTfM8L4 WRwomYohCGZgZJWGLFljfawwmuzo3PKbfkE0MTdjhKz0mu/Kk79lT6HnhRGtwBGbRgra McUQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=Xp6fVrKPalQphE4abU7DWfbY+FeqHSd6/tNq/UNw1ic=; b=J0IzVhodueBV9aBSVpHhGFwZvHDNnbPW28IlaH9sMeB5iUaCqaol9RFXYWe0PTRSHA 6jAiLUi7kw9MFv0FTXrS9DEM20mft0H7qpBD8Y7V/B+VkqUhhT9Z1C4yYUDFUFzlJCqM iF9zG6bO8UfCbWjRJJZXNj1ijltvqIF46Ijo2jopLLL8x5uIP6ttfrh+HAmCBf9XS6PG 7h+8jesk9zZgR1vNEebhMKHX/bJ5la0YcaVBsXVUTEglkdij8A4Se4kna25/Ooco6j8A LV7MZwQAc0ls5yCDv6Z6AY+NHrUZMsYU9RZ1ZjDX1IAgv4/cYxMU043jIZzExjCHcoFd IkZg==
X-Gm-Message-State: AOAM531QthVXQlZTtUZeCs2mUE3iD/YYTwzEs5CvuPzUbLrE7JK3nXLL uuV1eEnhwvCfs1BDc6mYwtuusKg+TLLcH53jtEU=
X-Google-Smtp-Source: ABdhPJxNH+X+pxy8ofJcryFo59eO+xmVZP26gyODPf/4oX+PAoOmCrM2kFM95qXRiwxIqKe2Zr3LzK/MqXUK31w8HhI=
X-Received: by 2002:aa7:c3cf:: with SMTP id l15mr10960081edr.282.1607359429107; Mon, 07 Dec 2020 08:43:49 -0800 (PST)
MIME-Version: 1.0
References: <> <> <> <> <> <> <> <> <> <> <> <>
In-Reply-To: <>
From: Sávyo Vinícius <>
Date: Mon, 07 Dec 2020 13:43:37 -0300
Message-ID: <>
To: Henning Schulzrinne <>
Cc: Toerless Eckert <>,, Ted Lemon <>,, Amyas Phillips <>, Randy Bush <>, "Ackermann, Michael" <>
Content-Type: multipart/alternative; boundary="000000000000cc646605b5e2873c"
Archived-At: <>
Subject: Re: [Iotops] [arch-d] How old is too old and what this means for product lifecycles? Re: [Last-Call] [TLS] Last Call: <draft-ietf-tls-oldversions-deprecate-09.txt> (Deprecating TLSv1.0 and TLSv1.1) to Best Current Practice
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IOT Operations <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Mon, 07 Dec 2020 16:43:56 -0000

Another point we need to pay attention to is the situation of the SMEs
running in the local market of in-development-countries.
These companies are in a vulnerable position and can, after just launching
a device, close due to bankruptcy, shortening the device update life cycle.
People who just bought the device will not just discard the expensive
device, even knowing about the risks -- when the most probable is they
never know about them.

I really believe in the efficacy of an open source-based approach, but
there is a long way to develop a consistent framework (including community,
regulation, best practices, and other relevant stuff) to do it.
Still in this context, regulatory approaches need much attention because
they can be restrictive to those companies, and contribute to more

Another approach that can be taken is by creating a kind of contractual
best practices (maybe informational RFCs?) for advising different sectors
on what kind of terms they need to care about when building or buying
solutions. But this brings the challenge of how to make this information
reach the intended targets that are out of the IETF scope.

Em seg., 7 de dez. de 2020 às 11:43, Henning Schulzrinne <> escreveu:

> It used to be that vendors announced end-of-life for products years after
> introduction. For example, there was no way for a purchaser of Windows NT
> to know, at purchase time, how long Microsoft was intending to support the
> operating system. Now, better vendors seem to have started to make some
> commitments, e.g., "this Android phone will receive new versions of the OS
> for three releases and security updates until 2025". All the major Linux
> distributions now have some kind of an LTS version, with long-term
> stability and security/bug upgrades planned. There have been proposals (in
> the UK?) of making vendors of IoT equipment state their support commitment,
> so that a purchaser can choose "cheap" or "lasts a lifetime".
> Unfortunately, industry advocacy is often for minimal regulation - there's
> an opportunity here for ISOC and others to make a difference.
> One reason for not upgrading: OS dependencies. Apple Big Sur (and
> Catalina) broke a lot of printer drivers, so I had a choice: Upgrade my OS
> or keep my printer working. Dell, the distributor of the printers (made by
> Fuji-Xerox, apparently) simply states that "due to circumstances beyond
> their control", they won't be providing any Catalina/Big Sur printer
> drivers.
> Given that most commercial systems are now assembled out of open-source
> components, with customization or glue on top, you'd want some kind of
> automated component checker. "17 of your components have not committed to
> long-term support. Are you prepared to fix them yourselves?"
> I don't know if this is feasible in all cases, but I suspect we often know
> that certain technologies are getting long in the tooth. They are not quite
> obsolete (historic) yet, but there's no active development or community and
> they probably shouldn't be components that can't be replaced in the field.
> No need (or resources) to do this for every RFC, but identifying critical
> pieces of technology and providing a support roadmap would be helpful, I
> think.
> On Mon, Dec 7, 2020 at 4:19 AM Toerless Eckert <> wrote:
>> Great pportunity for a rant:
>> Its easy to understand how the mayority of participants in these
>> discussions are
>> from either a commercial supplier side, or from a commercial user side.
>> In either
>> case, a clearly time restricted use case scenario is easily be most
>> important default.
>> This btw. also applies to where my pay check comes from (i think).
>> Nevertheless, i would highly recommend to no limit our design decisions
>> to this
>> scenarios.
>> Personally, i for once would be happy as an individual to see any
>> standards be
>> blackmailed in the press and in public as an evil conspiracy for planned
>> obsolescence
>> that does not consider the ability for devices to operate as long as
>> their hardware can
>> without being constrained by 'security' software.
>> Obviously, there are also significant commercial applications
>> undetermined long
>> life cycles are required. Just think of any deep space exploration NASA
>> satellites
>> go dark because of their non-crypto agility. Or the non-desire to upgrade
>> nuclear
>> missile control systems to new HW/SW because overall system security
>> analysis
>> shows how new HW/SW more likely than not will be MORE susceptible to
>> attacks than
>> simpler older SW/HW around for 50 years. Just two extreme examples.
>> I am not 10% sure about generic approaches to solve this problem, but one
>> approach
>> could be the following:
>> - A device communications is designed to be able to operate solely within
>> a
>>   "walled garden" environment. Not as the ONLY option, but as one option.
>> - Walled garden means that all communication channels of the device can
>> be directed
>>   to go through other nodes of the "walled garden".
>> - "Walled garden" should IMHO also mean that the higher layer semantic of
>>   all communications is well enough defined/documented, so that another
>> device
>>   in the walled-garden can be set up to convert/proxy the communications.
>> - Aka: If the crypto starts to become obsolete, then the obsolete crypto
>> would
>>   be possible to constrain to the walled-carden (physical security)
>> environment,
>>   and be proxied, and if the original remote communication parties do not
>> exist
>>   anymore, but the data to be exchanged exists, then such a proxy could
>> also
>>   proxy/convert the data into the 'legacy' format.
>> The ability to understand all the information communicated well enough to
>> be able
>> to re-recreate the format is also necessary for any type of higher-layer
>> security
>> filtering, so this type of communications design is not only good for
>> longevity,
>> but also for security beyond transit confidentiality.
>> Cheers
>>     Toerless
>> On Sat, Dec 05, 2020 at 09:11:04PM +0000, Amyas Phillips wrote:
>> >
>> > > On 5 Dec 2020, at 18:10, Randy Bush <> wrote:
>> > >
>> > > to improve the math one would have to amortize the cost of maintenance
>> > > over many many flavors and makers of thingies.  so the acme thingie
>> mfr,
>> > > and the hackme thingie mfr, and the ... need to have a common code
>> base
>> > > and upgrade infrastructure.
>> >
>> >
>> > Exactly right, it???s hard to imagine any other economically viable way
>> of maintaining devices which aren???t sold with a service contract. Even
>> for devices which are sold with a service contract, this is still a cheaper
>> and likely better way of delivering the security maintenance part of that
>> service.
>> >
>> > There???s a few commercial products which do this. They essentially
>> offer modules with an OS and application environment which they maintain
>> for you, to a more or less hands-off degree: msoft Sphere, Balena,
>> Particle, Electric Imp, Ubuntu Core. They don???t maintain your application
>> but that may well be a relatively small part of the attack surface, and
>> possibly defended by features of the maintained environment.
>> >
>> > Microsoft Sphere in particular is interesting because the maintenance
>> is completely hands off and the costs are folded into the initial BOM cost
>> of the module, there???s no service fee.
>> >
>> > Amyas
>> > --
>> > Iotops mailing list
>> >
>> >
>> --
>> ---
>> _______________________________________________
>> Architecture-discuss mailing list
> --
> Iotops mailing list