Re: [Last-Call] Last Call: Moving single-DES and IDEA TLS ciphersuites to Historic

Keith Moore <moore@network-heretics.com> Mon, 16 November 2020 19:47 UTC

To: last-call@ietf.org
References: <160496123639.8029.4334131339975211167@ietfa.amsl.com> <546D4F43-F227-4E78-8596-313776617B50@vigilsec.com> <2A3E251A56633647FD39A05D@PSB>
From: Keith Moore <moore@network-heretics.com>
Message-ID: <91d124ec-8889-24dd-ffae-f03e39513f19@network-heretics.com>
Date: Mon, 16 Nov 2020 14:47:49 -0500
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.10.0
MIME-Version: 1.0
In-Reply-To: <2A3E251A56633647FD39A05D@PSB>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Transfer-Encoding: 8bit
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/last-call/iTFKtf2MFgKwJsF0oMUr0lSuZ5o>
Subject: Re: [Last-Call] Last Call: Moving single-DES and IDEA TLS ciphersuites to Historic

On 11/10/20 1:02 PM, John C Klensin wrote:

> For all of the obvious reasons, I think reclassifying these
> documents to historic is a good idea.  _However_ if we are
> really trying to say "don't use these, they are obsolete and
> unsafe" rather than just "no current specification refers to
> them but do what you like", I believe that it would be better to
> publish a short RFC explaining the issues with them rather than
> simply making a datatracker note that points to a "supporting
> document", particularly one that doesn't actually say much of
> anything.

I agree that some sort of RFC is appropriate.   One of my growing 
concerns is that deprecating old TLS ciphersuites is breaking old 
systems that are still in use, and actually preventing them from having 
any of their software upgraded, because there are no web browsers that 
run on those systems that support the ciphersuites used by current servers.

So IMO, simply saying "don't use these" is NOT good advice, and instead 
the advice should be something like "treat these ciphersuites as if they 
were unencrypted connections".   I realize that this will make the 
purists uncomfortable, but I think the discussion needs to be had.

Keith
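The handling Keith argues for above, treating a single-DES or IDEA suite exactly like an unencrypted connection rather than simply refusing it, can be expressed as a small classification check. The following is an added example, not code from this thread or from any IETF document: it maps a negotiated suite name (IANA or OpenSSL spelling) to a handling class, refuses to send confidential data over suites classed as unencrypted, and runs that rule over a few constructed log lines. The verdict categories, the `audit` log format and the `src=`/`cipher=` fields are this example's own assumptions.

```python
import re

# Bulk-cipher keyword -> handling class. Single DES and IDEA are placed in the
# same class as NULL-equivalent connections, following the "treat as if
# unencrypted" advice in the message above. The categories are this example's
# own choice, not text from the thread.
BULK_CLASS = {
    "NULL": "plaintext",              # no bulk encryption at all
    "DES": "treat_as_unencrypted",    # single DES, 56-bit key
    "DES40": "treat_as_unencrypted",  # export-grade DES
    "IDEA": "treat_as_unencrypted",
    "3DES": "legacy",                 # still encrypted, not recommended
    "AES": "modern",
    "CHACHA20": "modern",
}

# Order matters: DES40 must be tried before DES so "DES40" is not read as "DES".
_BULK_KEYS = ("NULL", "DES40", "DES", "IDEA", "AES", "CHACHA20")


def bulk_cipher(name):
    """Extract the bulk-cipher token from an IANA (TLS_RSA_WITH_DES_CBC_SHA)
    or OpenSSL (DES-CBC-SHA) style suite name. Returns "UNKNOWN" if no
    recognised bulk cipher is present."""
    tokens = name.upper().replace("-", "_").split("_")
    # OpenSSL spells triple DES as DES-CBC3-SHA; IANA uses 3DES_EDE.
    if "3DES" in tokens or "CBC3" in tokens:
        return "3DES"
    for tok in tokens:
        for key in _BULK_KEYS:
            if tok.startswith(key):
                return key
    return "UNKNOWN"


def classify_suite(name):
    """Return the bulk cipher and the handling verdict for a suite name."""
    bulk = bulk_cipher(name)
    return {"suite": name, "bulk": bulk, "verdict": BULK_CLASS.get(bulk, "unknown")}


def confidential_ok(name):
    """True only if confidential data may be sent over a connection that
    negotiated this suite. Unknown suites fail closed."""
    return classify_suite(name)["verdict"] in ("modern", "legacy")


# Constructed sample handshake log (not real traffic); one negotiation per line.
SAMPLE_LOG = """\
2020-11-16T19:47:49Z src=10.0.0.7 proto=TLSv1.0 cipher=TLS_RSA_WITH_DES_CBC_SHA
2020-11-16T19:47:50Z src=10.0.0.8 proto=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256
2020-11-16T19:47:51Z src=10.0.0.9 proto=TLSv1.0 cipher=IDEA-CBC-SHA
2020-11-16T19:47:52Z src=10.0.0.10 proto=TLSv1.2 cipher=DES-CBC3-SHA
"""

_LOG_RE = re.compile(r"src=(?P<src>\S+)\s+proto=(?P<proto>\S+)\s+cipher=(?P<cipher>\S+)")


def audit(log_text):
    """Report every negotiation whose suite must be handled as unencrypted.
    Returns a list of (source, suite, verdict) tuples in log order."""
    findings = []
    for line in log_text.splitlines():
        m = _LOG_RE.search(line)
        if not m:
            continue  # assumed log format; skip lines that do not match it
        verdict = classify_suite(m["cipher"])["verdict"]
        if verdict in ("plaintext", "treat_as_unencrypted"):
            findings.append((m["src"], m["cipher"], verdict))
    return findings


if __name__ == "__main__":
    for src, suite, verdict in audit(SAMPLE_LOG):
        print(f"{src}: {suite} -> {verdict}")
```

Running the block lists the two clients that negotiated DES and IDEA suites; the 3DES client is reported as legacy rather than unencrypted, and the AES client is not reported at all. A server that prefers to refuse these suites outright rather than tolerate them would instead exclude them in its OpenSSL cipher list with the `!DES` and `!IDEA` keywords.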