Re: [Iotops] How old is too old and what this means for product lifecycles? Re: [Last-Call] [TLS] Last Call: <draft-ietf-tls-oldversions-deprecate-09.txt> (Deprecating TLSv1.0 and TLSv1.1) to Best Current Practice

Amyas Phillips <> Sat, 05 December 2020 21:11 UTC

Cc: Eliot Lear <>,,, Ted Lemon <>, "Ackermann, Michael" <>
To: Randy Bush <>

> On 5 Dec 2020, at 18:10, Randy Bush <> wrote:
> to improve the math one would have to amortize the cost of maintenance
> over many many flavors and makers of thingies.  so the acme thingie mfr,
> and the hackme thingie mfr, and the ... need to have a common code base
> and upgrade infrastructure.  

Exactly right, it’s hard to imagine any other economically viable way of maintaining devices which aren’t sold with a service contract. Even for devices which are sold with a service contract, this is still a cheaper and likely better way of delivering the security maintenance part of that service. 

There are a few commercial products which do this. They essentially offer modules with an OS and application environment which they maintain for you, to a more or less hands-off degree: Microsoft Sphere, Balena, Particle, Electric Imp, Ubuntu Core. They don’t maintain your application, but that may well be a relatively small part of the attack surface, and possibly defended by features of the maintained environment.

Microsoft Sphere in particular is interesting because the maintenance is completely hands off and the costs are folded into the initial BOM cost of the module; there’s no service fee.