Re: [Last-Call] Last Call: Moving single-DES and IDEA TLS ciphersuites to Historic

Ted Lemon <mellon@fugue.com> Mon, 16 November 2020 19:56 UTC

Return-Path: <mellon@fugue.com>
X-Original-To: last-call@ietfa.amsl.com
Delivered-To: last-call@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5C2A03A13E6 for <last-call@ietfa.amsl.com>; Mon, 16 Nov 2020 11:56:42 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.887
X-Spam-Level:
X-Spam-Status: No, score=-1.887 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, NO_DNS_FOR_FROM=0.001, SPF_HELO_NONE=0.001, T_SPF_TEMPERROR=0.01, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=fugue-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7NLcYoK75GpK for <last-call@ietfa.amsl.com>; Mon, 16 Nov 2020 11:56:40 -0800 (PST)
Received: from mail-qt1-x836.google.com (mail-qt1-x836.google.com [IPv6:2607:f8b0:4864:20::836]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 311983A1400 for <last-call@ietf.org>; Mon, 16 Nov 2020 11:56:37 -0800 (PST)
Received: by mail-qt1-x836.google.com with SMTP id g15so13852960qtq.13 for <last-call@ietf.org>; Mon, 16 Nov 2020 11:56:37 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=fugue-com.20150623.gappssmtp.com; s=20150623; h=content-transfer-encoding:from:mime-version:subject:date:message-id :references:cc:in-reply-to:to; bh=EO3RdktF0m9kHZeCssa9t+9I2gmxEA4fTWWA8/zeMfA=; b=yA/s0y78faLQYvDCVGsLEQTTjCEYjmZVg4aT43KG/DzgEicrQMA/NnU+aK3oZPYm5K AjqVewNhdUAw8LdWRtSu2cbYlNutP6NyOd8QM8KMRExRUoAeGck2g5KHznBECXl34xNG +12Yet6Tb2nAcReL9rwPXEzRLA3cdQUXLkF537tanrLSd5kbIkOoFb6rfG1v8kM2Gly0 tI2FHj4q/pOUdvsSeZhmvyNg5YvbBUKg2mWLGc6jKURJ1TaYy8jGcAeG/iGQy/35ReRN RvR9ZhYVvqqt0rpXKo0HqlBrYs+JB8EVdJ+Gi2BaNNe1QX4jkbJtCJwLjo/kzPz2FO3Y 92gw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:content-transfer-encoding:from:mime-version :subject:date:message-id:references:cc:in-reply-to:to; bh=EO3RdktF0m9kHZeCssa9t+9I2gmxEA4fTWWA8/zeMfA=; b=aMHOYX0m6SP4hU+eXTGrTH6uYnbL131cYguZEfLJX866CHxsjsec0pYUQ4IW0laB81 5TsEuGUfdHeCcAqenHij/6LQPB40HfSUYgv1LhvdKrn3HHKaxDsec3gBpfZmCVCk6h1W cpnKKuaTBy2h67N2Z8+OSEVWszAa7WyaMolu1jbUZLJDR5N/BzIkIxiE8kL5avV5OLgr aYeBx9zdidJ9oOulPvHrTsTNPeF+QIRAJ3VMY58xH+j9n60CH2T9QQHO8SHyx+cQ+Z7p pLXe7nj+ay+97Zpff33xeZ9rGZEotMbnVueJ+YoAD1+0BcoeI9icrqqw0cjonW/7Fn0E H7Ug==
X-Gm-Message-State: AOAM531LRe+VzWdtlgoagXxe8c6UaCom6KEzbPoVLO8WtxKA/+RFotwn vz9E6GYUiWB7VcJKEuSlTRXVPk6n+0CJ578N
X-Google-Smtp-Source: ABdhPJyGkNnKr24jCPaRESoWTy4+8h/TPEr9zdxEQ4oV6rCvWn8Uob71B9kSMm7/lQBcIVM+XYQBdQ==
X-Received: by 2002:ac8:5412:: with SMTP id b18mr16389368qtq.220.1605556596302; Mon, 16 Nov 2020 11:56:36 -0800 (PST)
Received: from [192.168.4.114] (c-24-91-177-160.hsd1.ma.comcast.net. [24.91.177.160]) by smtp.gmail.com with ESMTPSA id k188sm1189120qkd.98.2020.11.16.11.56.35 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Mon, 16 Nov 2020 11:56:35 -0800 (PST)
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
From: Ted Lemon <mellon@fugue.com>
Mime-Version: 1.0 (1.0)
Date: Mon, 16 Nov 2020 14:56:33 -0500
Message-Id: <6B8C6778-FB9F-4CA3-842D-63D664DDB111@fugue.com>
References: <91d124ec-8889-24dd-ffae-f03e39513f19@network-heretics.com>
Cc: last-call@ietf.org
In-Reply-To: <91d124ec-8889-24dd-ffae-f03e39513f19@network-heretics.com>
To: Keith Moore <moore@network-heretics.com>
X-Mailer: iPhone Mail (18B84)
Archived-At: <https://mailarchive.ietf.org/arch/msg/last-call/slDtzdoMp1DQZ4Iy-ZCWTjgpWZk>
Subject: Re: [Last-Call] Last Call: Moving single-DES and IDEA TLS ciphersuites to Historic
X-BeenThere: last-call@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF Last Calls <last-call.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/last-call>, <mailto:last-call-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/last-call/>
List-Post: <mailto:last-call@ietf.org>
List-Help: <mailto:last-call-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/last-call>, <mailto:last-call-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 16 Nov 2020 19:56:47 -0000

This seems like a thin argument. These systems have had decades to be upgraded. If they weren’t upgraded before, why would they be now?

Also, anything that’s that deeply old is being operated by someone who can transfer the file to their modern mac and then ftp it over to the ancient iron.

And finally, we are deprecating the cipher suites. People in this situation can simple use old vulnerable software with the ancient ciphersuites on the update server. But this is a bad outcome because the update is now an attack vector. Better to use a secure browser and ftp for the last mile. 

> On Nov 16, 2020, at 14:48, Keith Moore <moore@network-heretics.com> wrote:
> 
> On 11/10/20 1:02 PM, John C Klensin wrote:
> 
>> For all of the obvious reasons, I think reclassifying these
>> documents to historic is a good idea.  _However_ if we are
>> really trying to say "don't use these, they are obsolete and
>> unsafe" rather than just "no current specification refers to
>> them but do what you like", I believe that it would be better to
>> publish a short RFC explaining the issues with them rather than
>> simply making a datatracker note that points to a "supporting
>> document", particularly one that doesn't actually say much of
>> anything.
> 
> I agree that some sort of RFC is appropriate.   One of my growing concerns is that deprecating old TLS ciphersuites is breaking old systems that are still in use, and actually preventing them from having any of their software upgraded, because there are no web browsers that run on those systems that support the ciphersuites used by current servers.
> 
> So IMO, simply saying "don't use these" is NOT good advice, and instead the advice should be something like "treat these ciphersuites as if they were unencrypted connections".   I realize that this will make the purists uncomfortable, but I think the discussion needs to be had.
> 
> Keith
> 
> 
> -- 
> last-call mailing list
> last-call@ietf.org
> https://www.ietf.org/mailman/listinfo/last-call