Re: [Iotops] How old is too old and what this means for product lifecycles? Re: [Last-Call] [TLS] Last Call: <draft-ietf-tls-oldversions-deprecate-09.txt> (Deprecating TLSv1.0 and TLSv1.1) to Best Current Practice

Eliot Lear <> Sun, 06 December 2020 12:32 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 7DD1A3A0D14 for <>; Sun, 6 Dec 2020 04:32:42 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -9.601
X-Spam-Status: No, score=-9.601 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=unavailable autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (1024-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id A4RazlEx43Oa for <>; Sun, 6 Dec 2020 04:32:40 -0800 (PST)
Received: from ( []) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 2CBAD3A0D17 for <>; Sun, 6 Dec 2020 04:32:40 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple;;; l=2312; q=dns/txt; s=iport; t=1607257960; x=1608467560; h=from:message-id:mime-version:subject:date:in-reply-to:cc: to:references; bh=TI/aMTFdV4qj8DMbP5tpgFR7In/THeT89w23sLhNGrI=; b=H7H3hdOn0kdoJmRCFHPE5Szi6WVVE/oLULGeXxGTy7o2Mtmln/zgb/Co TLnyrPjZXDp5FafJRXlRO+tA8t4H+5d/tqcle8/2cYCAWQDMdXXlnXh/S vUfzP469793zK8EM2KomJteIWv1C1QOzKTh0gtpO33CE9rIwM36pOG/Lv o=;
X-Files: signature.asc : 488
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-AV: E=Sophos;i="5.78,397,1599523200"; d="asc'?scan'208";a="29245021"
Received: from (HELO ([]) by with ESMTP/TLS/DHE-RSA-SEED-SHA; 06 Dec 2020 12:32:35 +0000
Received: from [] ([]) by (8.15.2/8.15.2) with ESMTPS id 0B6CWYUn027615 (version=TLSv1.2 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO); Sun, 6 Dec 2020 12:32:35 GMT
From: Eliot Lear <>
Message-Id: <>
Content-Type: multipart/signed; boundary="Apple-Mail=_BE889DFF-0392-4BDA-A6D6-87DD67AE2714"; protocol="application/pgp-signature"; micalg="pgp-sha256"
Mime-Version: 1.0 (Mac OS X Mail 13.4 \(3608.\))
Date: Sun, 06 Dec 2020 13:32:34 +0100
In-Reply-To: <>
Cc: Randy Bush <>,,, Ted Lemon <>, "Ackermann, Michael" <>
To: Amyas Phillips <>
References: <> <> <> <> <> <> <> <> <> <> <> <> <> <> <> <> <> <> <> <> <> <>
X-Mailer: Apple Mail (2.3608.
X-Outbound-SMTP-Client:, []
Archived-At: <>
Subject: Re: [Iotops] How old is too old and what this means for product lifecycles? Re: [Last-Call] [TLS] Last Call: <draft-ietf-tls-oldversions-deprecate-09.txt> (Deprecating TLSv1.0 and TLSv1.1) to Best Current Practice
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IOT Operations <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Sun, 06 Dec 2020 12:32:43 -0000

> On 5 Dec 2020, at 22:11, Amyas Phillips <> wrote:
> There’s a few commercial products which […] essentially offer modules with an OS and application environment which they maintain for you, to a more or less hands-off degree: msoft Sphere, Balena, Particle, Electric Imp, Ubuntu Core. They don’t maintain your application but that may well be a relatively small part of the attack surface, and possibly defended by features of the maintained environment.
> Microsoft Sphere in particular is interesting because the maintenance is completely hands off and the costs are folded into the initial BOM cost of the module, there’s no service fee.

It’s a start.  The question is long those contracts stay in place.  The issue is not 1, 2, or 3 years from purchase, but generally later.  The more recent the product was shipped the more motivation to fix it within the existing framework, as D-Link discovered.

In looking 10 years out, the aggregate exposure is lower due to the number of units, but that means that the maintenance costs, which are independent of outstanding units, need to be borne by a smaller based, or priced in at time of sale.  That’s not a small number for any but the largest companies.