Re: [saag] [TLS] Lessons learned from TLS 1.0 and TLS 1.1 deprecation

Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com> Tue, 01 October 2019 11:03 UTC

Return-Path: <kathleen.moriarty.ietf@gmail.com>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 50C1212013B; Tue, 1 Oct 2019 04:03:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level:
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vE_QP9Yp6C1W; Tue, 1 Oct 2019 04:03:03 -0700 (PDT)
Received: from mail-ot1-x32d.google.com (mail-ot1-x32d.google.com [IPv6:2607:f8b0:4864:20::32d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 06BFB120071; Tue, 1 Oct 2019 04:03:03 -0700 (PDT)
Received: by mail-ot1-x32d.google.com with SMTP id o44so11128246ota.10; Tue, 01 Oct 2019 04:03:02 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=Tt5JSGL8IoLk8TkPLnWeY0SHhz4cm0yCRXCE8210c30=; b=PWZg1vBcVTtLrpy8mRVcPJ0wFYyh4u5ErWdMIzcexiUp7uShc6tvcpiWUPinMqde08 ZVeNz9cweOgWSWKy+FTkPJbOtF+qgMw823+JLZvFWFhurgLG8Q8oJOQAujb5lkF1J7uo LYESAmKh2OArkJ33ExmeSng0aF5dd0sob/LhdL5p/mtJzsLiOnIUcZ+J7Aiok/sgYu5/ 2uEWp3Ve9c2sXG+4qSbdMnFSKKAzOT9TfFgT5RLZCdc1L8+3PeVjEpILAnhsV4hpta4P Bz33kJgYccEeNycs2MZerVYmTjALzlli4A3Y4/9xO12Xj8NM5ZqKF/t0wjW5seqM+Zc6 YdfQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=Tt5JSGL8IoLk8TkPLnWeY0SHhz4cm0yCRXCE8210c30=; b=K7LoKiILE9tFqPppStjwYvwT9C1Is7L7Kqy+gWrp7mDP7LN7kSskJOMBzXMvhHMEAT xuMC1iWpezKKtePX7Npok+Qw1AUxc6SFe0us90C0llmWi4iWlf5LlnIWCf3UDh4AnnQb N8hAIEBwii7jmChrIL3iL2xdohxDea4eOCQRtLvjuy2MWocdps7rcwb61qBk0bD1ZhgP RoeHjk4GCiwJHCg+BWKcuTSnS7jJLcbEEPJm0IS7oaijp8iXvo2fdcZdSztFZdl/Xt3h BxMGp+wdFNzSJdjvS5CpQKOYgRsHW1wYb1UGsgz4voXfL2V361MwIDIKc5IySWoavhkr NMYg==
X-Gm-Message-State: APjAAAWm7u7wmGjvEGbnCzK6etMB55u6t6bOqI+7ZecN6ziKPEWvOFGz eqe71JTwcwVZ9lwtNGkYEoNc7B8OPBnfayh3ye0=
X-Google-Smtp-Source: APXvYqyy5tCxVGK5N5CMxtQ3yPu3t2Lw1B9u8tg21b7pz+0/26vzCwGCIld18MlXUlXvU/YOXemixvOshGcoZRPXCng=
X-Received: by 2002:a9d:6642:: with SMTP id q2mr15957115otm.250.1569927782332; Tue, 01 Oct 2019 04:03:02 -0700 (PDT)
MIME-Version: 1.0
References: <BF5F63A6-105B-47C6-8B65-29A290A16E76@akamai.com> <8B2B78CF-F312-4F7A-8EB1-A712F309A754@gmail.com> <F1D7BC9F-0CC7-459C-A338-DD54F5513EF3@ericsson.com>
In-Reply-To: <F1D7BC9F-0CC7-459C-A338-DD54F5513EF3@ericsson.com>
From: Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>
Date: Tue, 1 Oct 2019 07:02:26 -0400
Message-ID: <CAHbuEH6Q41YnxTQoH154Z8rSUp2_301YLJt=3s326HgSJUpNhA@mail.gmail.com>
To: John Mattsson <john.mattsson@ericsson.com>
Cc: "Salz, Rich" <rsalz@akamai.com>, "TLS@ietf.org" <TLS@ietf.org>, "saag@ietf.org" <saag@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000c9fe540593d74bb1"
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/NnrgujRKovxd1-z8F1AWWr_lpiE>
Subject: Re: [saag] [TLS] Lessons learned from TLS 1.0 and TLS 1.1 deprecation
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 01 Oct 2019 11:03:07 -0000

On Tue, Oct 1, 2019 at 3:58 AM John Mattsson <john.mattsson@ericsson.com>;
wrote:

> Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>; wrote:
>
> >NIST has pushed back their date for US government organizations to have a
> plan to support TLSv1.3, what’s the driver to get ahead of that?
>
> NIST SP 800-52 rev 2 requires support for TLS 1.3 by January 1, 2024. I
> think that is a good and ambitious plan. In fact it would be very good if
> IETF agreed on the same requirement.
>

Right, so they are not saying TLSv1.2 can't be used at that time, only that
TLSv1.3 must be supported.

"It requires that TLS 1.2 configured with FIPS-based cipher suites be
supported by all government TLS servers and clients and requires support
for TLS 1.3 by January 1, 2024. "

This is a good goal and fairly reasonable given that a number of customers
are asking for TLSv1.3.  Government customers will drive this further in
the US.


>
> > I think encouraging implementation of TLSv1.3 is good and important, but
> are there other ways besides deprecation?
>
> Yes, I think there is at least two things IETF can do:
>
> - The first thing is to do like NIST and already now give implementors a
> date when support for TLS 1.3 is required.
>

We've never done that as far as I know?  SHould we?  Or should this be left
to documents like NIST's and other regulatory requirements that drive
customer purchasing decisions?


>
> - The second thing is to do like 3GPP and mandate support for TLS 1.3 in
> new implementations and deployments.
>

The second is typical from the point of publication.  So back when I was an
AD, we were already looking for TLS mentions in drafts and once TLSv1.3 was
published, is when you switch from the prior version being required to
support for TLSv1.3 being required.  I'm guessing this continued
(especially with Eric as an AD for another year after I stepped down), but
I am not watching closely.


> This would avoid two thing that happened in the past. First, IETF
> published RFC 8261 that mandated support for DTLS 1.0 and not DTLS 1.2
> almost 6 years after RFC 6347 made DTLS 1.0 obsolete. Secondly, just 7
> months after publishing a draft relying on DTLS 1.0, IETF started working
> on a draft forbidding it’s use.
>

Unfortunately, things like that do happen, but shouldn't.  In some
instances, an explanation is made as to why an older version is required
and it's an exception.  Was that the case?  (Sorry I don't have the time to
research the old discusses and history of the RFC at the moment).

It's not the right thing, but with TLS versions, they usually stick out a
bit when you read a draft and it's an easy thing to catch if you're
skimming a draft as an AD with 400 pages of reading to get through for a
telechat.

Bets regards,
Kathleen


> Cheers,
> John
>
> -----Original Message-----
> From: Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>;
> Date: Thursday, 26 September 2019 at 15:50
> To: "Salz, Rich" <rsalz@akamai.com>;
> Cc: John Mattsson <john.mattsson@ericsson.com>;, "TLS@ietf.org"; <
> TLS@ietf.org>;, "saag@ietf.org"; <saag@ietf.org>;
> Subject: Re: [TLS] Lessons learned from TLS 1.0 and TLS 1.1 deprecation
>
>
>
>     Sent from my mobile device
>
>     > On Sep 26, 2019, at 9:02 AM, Salz, Rich <rsalz@akamai.com>; wrote:
>     >
>     > These are excellent points.  Perhaps they can be squeezed into
> https://datatracker.ietf.org/doc/draft-ietf-tls-oldversions-deprecate/
> ?  It's been waiting 90 days, a brief reset might not hurt :)
>     >
>     This would not be a brief reset and I’d prefer not to see them
> combined into the existing draft with WG agreement.
>
>     With RFC7525, TLSv1.2 can be configured to be secure.  I see the
> points made, but don’t see the urgency as obsolete is different from
> depreciation.
>
>     I think encouraging implementation of TLSv1.3 is good and important,
> but are there other ways besides deprecation?
>
>     NIST has pushed back their date for US government organizations to
> have a plan to support TLSv1.3, what’s the driver to get ahead of that?
>
>     A vulnerability would speed things up, but I do hope that does not
> happen.
>
>     Best regards,
>     Kathleen
>
>     > On 9/26/19, 8:18 AM, "John Mattsson" <john.mattsson=
> 40ericsson.com@dmarc.ietf.org>; wrote:
>     >
>     >    Hi,
>     >
>     >    Hopefully, we have learned some lessons from the TLS 1.0 and TLS
> 1.1 deprecation. TLS 1.0 and TLS 1.1 are (to cite Martin Thomson) broken in
> a myriad subtle ways and should according to me optimally have been
> deprecated years ago.
>     >
>     >    3GPP mandated support of TLS 1.2 in Rel-13 (2015) but could at
> that time not forbid use of TLS 1.1 as that would potentially break
> interoperability with some Rel-12 nodes (that had TLS 1.2 as should
> support). The lesson 3GPP learned from this was the need to as early as
> possible mandate support of new protocol versions. With TLS 1.3, 3GPP took
> action early and TLS 1.3 support was mandated for network nodes in Rel-15
> (2018) and for mobile phones in Rel-16 (2019).
>     >
>     >    At some point in time we will want to deprecate TLS 1.2. To
> enable that, TLS 1.3 support should be mandated or encouraged as much as
> possible. I would like to avoid a situation where we want to deprecate TLS
> 1.2 but realize that it cannot be done because some implementations only
> support TLS 1.2. How can IETF enable smoother and faster deprecations in
> the future? The browser industry has a decent track record of algorithm
> deprecation and I hope to soon see the following warning in my browser:
>     >
>     >    “TLS 1.2 is obsolete. Enable TLS 1.3 or later.”
>     >
>     >    Other industries have less stellar track records of algorithm
> deprecation.
>     >
>     >    How can IETF be more pro-active regarding deprecations in the
> future? In the best of words, nobody should be surprised when IETF
> deprecates a protocol version or algorithm. NIST and similar organizations
> in other countries have the practice to long time in advance publish
> deadlines for security levels, algorithms, and protocol versions. Can the
> IETF do something similar, not just for TLS but in general? For TLS, there
> are several things to deprecate, in addition to MD5 and SHA-1, also
> PKCS1-v1_5, RSA-2048, 224-bit ECC, ffdhe2048, and non-recommended cipher
> suites (Static RSA, CBC, DH, NULL, etc.) should be deprecated in the future.
>     >
>     >    Cheers,
>     >    John
>     >
>     >    _______________________________________________
>     >    TLS mailing list
>     >    TLS@ietf.org
>     >    https://www.ietf.org/mailman/listinfo/tls
>     >
>     >
>     > _______________________________________________
>     > TLS mailing list
>     > TLS@ietf.org
>     > https://www.ietf.org/mailman/listinfo/tls
>
>
>

-- 

Best regards,
Kathleen