Re: [Iotops] How old is too old and what this means for product lifecycles? Re: [Last-Call] [TLS] Last Call: <draft-ietf-tls-oldversions-deprecate-09.txt> (Deprecating TLSv1.0 and TLSv1.1) to Best Current Practice

Toerless Eckert <> Mon, 07 December 2020 09:19 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id BE15A3A1256 for <>; Mon, 7 Dec 2020 01:19:03 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.65
X-Spam-Status: No, score=-1.65 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HEADER_FROM_DIFFERENT_DOMAINS=0.249, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id 7oXnhAn1PUFw for <>; Mon, 7 Dec 2020 01:19:01 -0800 (PST)
Received: from ( []) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 5B6143A1257 for <>; Mon, 7 Dec 2020 01:19:00 -0800 (PST)
Received: from ( [IPv6:2001:638:a000:4134::ffff:52]) by (Postfix) with ESMTP id 732E9549B09; Mon, 7 Dec 2020 10:18:54 +0100 (CET)
Received: by (Postfix, from userid 10463) id 69371440041; Mon, 7 Dec 2020 10:18:54 +0100 (CET)
Date: Mon, 07 Dec 2020 10:18:54 +0100
From: Toerless Eckert <>
To: Amyas Phillips <>
Cc: Randy Bush <>, Ted Lemon <>, "Ackermann, Michael" <>,, Eliot Lear <>,
Message-ID: <>
References: <> <> <> <> <> <> <> <> <> <>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <>
User-Agent: Mutt/1.10.1 (2018-07-13)
Archived-At: <>
Subject: Re: [Iotops] How old is too old and what this means for product lifecycles? Re: [Last-Call] [TLS] Last Call: <draft-ietf-tls-oldversions-deprecate-09.txt> (Deprecating TLSv1.0 and TLSv1.1) to Best Current Practice
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IOT Operations <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Mon, 07 Dec 2020 09:19:04 -0000

Great pportunity for a rant:

Its easy to understand how the mayority of participants in these discussions are
from either a commercial supplier side, or from a commercial user side. In either
case, a clearly time restricted use case scenario is easily be most important default.
This btw. also applies to where my pay check comes from (i think).

Nevertheless, i would highly recommend to no limit our design decisions to this

Personally, i for once would be happy as an individual to see any standards be
blackmailed in the press and in public as an evil conspiracy for planned obsolescence
that does not consider the ability for devices to operate as long as their hardware can
without being constrained by 'security' software.

Obviously, there are also significant commercial applications undetermined long
life cycles are required. Just think of any deep space exploration NASA satellites
go dark because of their non-crypto agility. Or the non-desire to upgrade nuclear
missile control systems to new HW/SW because overall system security analysis
shows how new HW/SW more likely than not will be MORE susceptible to attacks than
simpler older SW/HW around for 50 years. Just two extreme examples.

I am not 10% sure about generic approaches to solve this problem, but one approach
could be the following:

- A device communications is designed to be able to operate solely within a
  "walled garden" environment. Not as the ONLY option, but as one option.

- Walled garden means that all communication channels of the device can be directed
  to go through other nodes of the "walled garden".

- "Walled garden" should IMHO also mean that the higher layer semantic of
  all communications is well enough defined/documented, so that another device
  in the walled-garden can be set up to convert/proxy the communications.

- Aka: If the crypto starts to become obsolete, then the obsolete crypto would
  be possible to constrain to the walled-carden (physical security) environment,
  and be proxied, and if the original remote communication parties do not exist
  anymore, but the data to be exchanged exists, then such a proxy could also
  proxy/convert the data into the 'legacy' format.

The ability to understand all the information communicated well enough to be able
to re-recreate the format is also necessary for any type of higher-layer security
filtering, so this type of communications design is not only good for longevity,
but also for security beyond transit confidentiality.


On Sat, Dec 05, 2020 at 09:11:04PM +0000, Amyas Phillips wrote:
> > On 5 Dec 2020, at 18:10, Randy Bush <> wrote:
> > 
> > to improve the math one would have to amortize the cost of maintenance
> > over many many flavors and makers of thingies.  so the acme thingie mfr,
> > and the hackme thingie mfr, and the ... need to have a common code base
> > and upgrade infrastructure.  
> Exactly right, it???s hard to imagine any other economically viable way of maintaining devices which aren???t sold with a service contract. Even for devices which are sold with a service contract, this is still a cheaper and likely better way of delivering the security maintenance part of that service. 
> There???s a few commercial products which do this. They essentially offer modules with an OS and application environment which they maintain for you, to a more or less hands-off degree: msoft Sphere, Balena, Particle, Electric Imp, Ubuntu Core. They don???t maintain your application but that may well be a relatively small part of the attack surface, and possibly defended by features of the maintained environment. 
> Microsoft Sphere in particular is interesting because the maintenance is completely hands off and the costs are folded into the initial BOM cost of the module, there???s no service fee.
> Amyas

> -- 
> Iotops mailing list