Re: [saag] [TLS] Lessons learned from TLS 1.0 and TLS 1.1 deprecation

John Mattsson <john.mattsson@ericsson.com> Sat, 05 October 2019 10:36 UTC

Return-Path: <john.mattsson@ericsson.com>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F2E841200C5; Sat, 5 Oct 2019 03:36:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.002
X-Spam-Level:
X-Spam-Status: No, score=-2.002 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=ericsson.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mN22EvTRpOYi; Sat, 5 Oct 2019 03:36:30 -0700 (PDT)
Received: from EUR03-DB5-obe.outbound.protection.outlook.com (mail-eopbgr40047.outbound.protection.outlook.com [40.107.4.47]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 329D0120033; Sat, 5 Oct 2019 03:36:29 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=EeUIUBlAYd/lzKm1bUOCcDgqMB6W/CjDLE0CZPdes43tTm70e2MnRgllXVGR8aAwNpzplS3qOecQkrTTfRMJBFtcXzNVY+KU4DZC+zz+rWxpJIojrmAkj1DE6fCvPRIAUq2DGNF/0qBwel2+E/BcGkH0quh4PFMEr46St+dLpOOLzDbHGZN/1+3iqLCM7igII4HLEE+ysTv5GWPMmvqKpODKQ7UyZ8yOv0JYkdrX5MoDbXMkM7TDNGfE/nPfY3V32YqH2ji0yKZugnQvio/9HO0aopwB/jbnsMBFh4Ol3CDpDdjru0AbkXrJEPerhhYVBrlVCERAcXTOIdrAyAVX1w==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=VlltzUx0nXak1Cp2vbDBmsRikov4e1Mzj8sjHpI+UEo=; b=gEiiB/QgLhBhEKNLfvZ8empX3sp7QUvK/+hiKGv7Kp0vxFetGnpEUz1g72SsPxYYj83AZ1q9Gmxq0nK7rVivcT4eXhmSLRxlsXiv65VvJdImDQ3WJUe2JEwbjXkFmOJQqkbfXJVYUFRWk5fbkL/oSmnFDZM/lN8q7mF58dD4U1ICeAIB859IKgtRIW+YkJUIn7K3qJdWfZP2jVgQN3zsfn2bxBE701osawIz6hv4Y6tdP4+zZ+6tTV5/4cynQ5kM6DYKXwnrXbLIakHLD9DInY9Sldo1FKJNONRGMgqJQpVCVXjFEVzbxjPzXK7xenzFY4l2xSEanl1FRUd4RJACNA==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=ericsson.com; dmarc=pass action=none header.from=ericsson.com; dkim=pass header.d=ericsson.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ericsson.com; s=selector2; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=VlltzUx0nXak1Cp2vbDBmsRikov4e1Mzj8sjHpI+UEo=; b=AfsdKnXfeLwvU0Vk8YRjrOTgUOqlkevHVxw998ibqmCA1cgEsVtcJQQJkrjznW1amfxJ1a+gfOx8JwW2FLhmhEQhua6Cv5QN74X17RGb7RBnmzaxWgrrvqpeh0O5afmJ9dLJ5JZbcynThUNz54AyNb2Bu8KeaSxZsy5GNjOlNWw=
Received: from HE1PR07MB4169.eurprd07.prod.outlook.com (20.176.165.153) by HE1PR07MB3084.eurprd07.prod.outlook.com (10.170.247.17) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2305.15; Sat, 5 Oct 2019 10:36:27 +0000
Received: from HE1PR07MB4169.eurprd07.prod.outlook.com ([fe80::c8fb:acc1:b00e:84ef]) by HE1PR07MB4169.eurprd07.prod.outlook.com ([fe80::c8fb:acc1:b00e:84ef%6]) with mapi id 15.20.2327.021; Sat, 5 Oct 2019 10:36:27 +0000
From: John Mattsson <john.mattsson@ericsson.com>
To: "hannes.tschofenig@gmx.net" <hannes.tschofenig@gmx.net>, "TLS@ietf.org" <TLS@ietf.org>, "saag@ietf.org" <saag@ietf.org>
Thread-Topic: [TLS] Lessons learned from TLS 1.0 and TLS 1.1 deprecation
Thread-Index: AQHVdGRuT2dEqLFcbEmEm2g+1AcjWadF0deAgAY4YQA=
Date: Sat, 5 Oct 2019 10:36:27 +0000
Message-ID: <0B7954B0-275B-45BE-9353-695612B7F5D3@ericsson.com>
References: <03B5BDAC-5B17-47B2-85D0-225DCCABDC42@ericsson.com> <024b01d5785d$51b3d7d0$f51b8770$@gmx.net>
In-Reply-To: <024b01d5785d$51b3d7d0$f51b8770$@gmx.net>
Accept-Language: en-US
Content-Language: en-GB
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/10.1d.0.190908
authentication-results: spf=none (sender IP is ) smtp.mailfrom=john.mattsson@ericsson.com;
x-originating-ip: [82.214.46.143]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: c63e079f-2a73-4455-006e-08d7497fe0d2
x-ms-traffictypediagnostic: HE1PR07MB3084:
x-microsoft-antispam-prvs: <HE1PR07MB30840F52F995A23A584DBA4189990@HE1PR07MB3084.eurprd07.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:4502;
x-forefront-prvs: 0181F4652A
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(4636009)(376002)(396003)(136003)(39860400002)(366004)(346002)(199004)(189003)(8936002)(478600001)(86362001)(186003)(110136005)(36756003)(486006)(2501003)(6246003)(99286004)(14444005)(2906002)(26005)(14454004)(446003)(3846002)(256004)(2616005)(6116002)(71190400001)(71200400001)(2201001)(476003)(25786009)(66066001)(44832011)(6512007)(66946007)(7736002)(76116006)(11346002)(6506007)(66446008)(64756008)(5660300002)(66476007)(66556008)(58126008)(229853002)(91956017)(6436002)(305945005)(4744005)(316002)(8676002)(33656002)(81156014)(81166006)(102836004)(76176011)(6486002); DIR:OUT; SFP:1101; SCL:1; SRVR:HE1PR07MB3084; H:HE1PR07MB4169.eurprd07.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; A:1; MX:1;
received-spf: None (protection.outlook.com: ericsson.com does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: SETWXdXmUtYZEk5Qw7a+t89UQvnAvCSJifbvkiqzws/tAC3iJXbLGeIMF1OpF7mQRYjbohVUXzHasXaZ9W6agDnMIYuOTOTAWS/QRa5Fhc/Wk4EddxlzTIpgNRisce6OblS+PfBy85cS08MvmMfFWTasVqH1cjFRKWpKqRO/3r0++yZiZ49Xv5R90mrmMJ3g95sqkrW/cbDnvMYKnczWdfVyLJNJKAzhlkgo6bfOKT3OfEHNGIc50R9IRs3OEPmsmT17POK7/R7PpzvO7YjFwZ14AkJ0migS71W+5URnculbiR1k9JrhBGvEiEs/55Lmu+AQOeGqtHJti2dTfsX/JgvqrM7rmc5hoGwznxvG1qMa1TVIcc9YpQa7jvwvsCS+jaYYc2adV77BS+nX32uz92Vv76scuh4O/xcO2f97hEY=
x-ms-exchange-transport-forked: True
Content-Type: text/plain; charset="utf-8"
Content-ID: <CAC46159556EC04B8AE06C5128950FF7@eurprd07.prod.outlook.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: ericsson.com
X-MS-Exchange-CrossTenant-Network-Message-Id: c63e079f-2a73-4455-006e-08d7497fe0d2
X-MS-Exchange-CrossTenant-originalarrivaltime: 05 Oct 2019 10:36:27.6108 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 92e84ceb-fbfd-47ab-be52-080c6b87953f
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: On2msrtgHpBiLuOzBKGC/8yLknE1Mn4MPPsv2wt38LViu6ovxpyLQgjrnivRTyPIOxbUSTKP5M+SeZfTktqkB+uv25qS+tpWgxJcBqHN2No=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: HE1PR07MB3084
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/sRNE1lFvJNruHoDd3f5CCPR1nAw>
Subject: Re: [saag] [TLS] Lessons learned from TLS 1.0 and TLS 1.1 deprecation
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 05 Oct 2019 10:36:32 -0000

"hannes.tschofenig@gmx.net"; <hannes.tschofenig@gmx.net>; wrote:

> PS: As Kathleen noted TLS 1.2 and DTLS 1.2 are perfectly fine if you follow RFC 7925/7525.

While TLS 1.2 and DTLS 1.2 can be configured to be secure, RFC 7525 is definitely not enough. RFC 7540 would be a good start, but also that would need to be extended with support of extensions like Extended Master Secret, Signature Algorithms, and Certificate Status Request to be considered fine in 2019.

Cheers,
John