Re: [secdir] [Uta] [Last-Call] Secdir telechat review of draft-ietf-uta-rfc7525bis-09

Rob Sayre <sayrer@gmail.com> Thu, 14 July 2022 17:25 UTC

From: Rob Sayre <sayrer@gmail.com>
Date: Thu, 14 Jul 2022 10:25:15 -0700
Message-ID: <CAChr6SwoHicUAWQYggbVe_pg+TncE_mdq31ShoxgvJpywBXfbw@mail.gmail.com>
To: Andrei Popov <Andrei.Popov@microsoft.com>
Cc: Peter Gutmann <pgut001@cs.auckland.ac.nz>, Peter Saint-Andre <stpeter@stpeter.im>, Benjamin Kaduk <kaduk@mit.edu>, "secdir@ietf.org" <secdir@ietf.org>, "draft-ietf-uta-rfc7525bis.all@ietf.org" <draft-ietf-uta-rfc7525bis.all@ietf.org>, "last-call@ietf.org" <last-call@ietf.org>, "uta@ietf.org" <uta@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/Pputiqpi8V0iEYq0fOqtNrQPyHA>
Subject: Re: [secdir] [Uta] [Last-Call] Secdir telechat review of draft-ietf-uta-rfc7525bis-09

On Thu, Jul 14, 2022 at 10:12 AM Andrei Popov <Andrei.Popov@microsoft.com>
wrote:

> Speaking of PCs and servers: I took a look at Windows TLS stack telemetry
> (only including those OS versions that support TLS 1.3).
> TLS 1.2 is negotiated for 99% of the TLS server connections and 98% of the
> TLS client connections using Windows TLS stack.
> TLS 1.3 use amounts to 0.4% of TLS server connections and just under 2% of
> TLS client connections.
>

Thank you for the data-driven approach, but it definitely doesn't match
other reports. Maybe it means TLS 1.2 /could/ be negotiated for 99% of
connections?

Here is a 2019 document from the IETF:
https://www.ietf.org/blog/tls13-adoption/

thanks,
Rob

>
> Cheers,
>
> Andrei
>
> -----Original Message-----
> From: Uta <uta-bounces@ietf.org> On Behalf Of Peter Gutmann
> Sent: Wednesday, July 13, 2022 8:07 PM
> To: Rob Sayre <sayrer@gmail.com>; Peter Saint-Andre <stpeter@stpeter.im>
> Cc: Benjamin Kaduk <kaduk@mit.edu>; secdir@ietf.org;
> draft-ietf-uta-rfc7525bis.all@ietf.org; last-call@ietf.org; uta@ietf.org
> Subject: [EXTERNAL] Re: [Uta] [Last-Call] Secdir telechat review of
> draft-ietf-uta-rfc7525bis-09
>
> Rob Sayre <sayrer@gmail.com> writes:
>
> >Also, in the realm of opinion rather than correctness: mandating TLS
> >1.2 support is misguided. Every TLS implementation maintains divided
> >codebases for 1.2 vs 1.3.
>
> On desktop PCs and servers perhaps, but in embedded the very fact that you
> need two sets of codebases means many systems will stay with 1.2, possibly
> forever when everything around them is also staying with 1.2.
>
> >No one reads the TLS 1.2 code very closely these days, in my
> >experience, so the BCP would be mandating support for something people
> >don't really work on anymore.
>
> Unless the only codebase you've got is 1.2.  However, in the same embedded
> systems you typically do it once, do it right, and skip the never-ending
> flow of bells and whistles that keep appearing, so there's no need to
> constantly fiddle with the code as for PC/server use.
>
> Peter.
>
> _______________________________________________
> Uta mailing list
> Uta@ietf.org
>
> https://www.ietf.org/mailman/listinfo/uta
>
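One thing worth checking when telemetry counts negotiated TLS versions, as the figures discussed above do: a TLS 1.3 ServerHello carries 0x0303 (TLS 1.2) in its legacy_version field and signals 1.3 only in the supported_versions extension (RFC 8446, section 4.1.3), so a counter that reads the version field alone records 1.3 sessions as 1.2. The following is an added example, not code from anyone in this thread; it parses a ServerHello handshake message and reports the version actually negotiated, using two constructed sample messages (the `build_server_hello` helper and the sample values are assumptions for illustration).

```python
import struct

# Wire codes for ProtocolVersion (RFC 5246 / RFC 8446)
VERSION_NAMES = {0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}
SUPPORTED_VERSIONS_EXT = 43   # ExtensionType supported_versions (RFC 8446)


def negotiated_version(server_hello: bytes) -> str:
    """Return the TLS version a ServerHello actually selects.

    `server_hello` is the Handshake message (type byte, 3-byte length,
    ServerHello struct) without the 5-byte record-layer header.
    """
    if len(server_hello) < 4 or server_hello[0] != 2:   # HandshakeType server_hello(2)
        raise ValueError("not a ServerHello handshake message")
    body_len = int.from_bytes(server_hello[1:4], "big")
    body = server_hello[4:4 + body_len]
    if len(body) != body_len:
        raise ValueError("truncated ServerHello")
    legacy_version = struct.unpack("!H", body[:2])[0]
    pos = 2 + 32                                  # skip the 32-byte random
    pos += 1 + body[pos]                          # legacy_session_id_echo
    pos += 2                                      # cipher_suite
    pos += 1                                      # legacy_compression_method
    if pos == len(body):                          # no extensions: pre-1.3 hello
        return VERSION_NAMES.get(legacy_version, hex(legacy_version))
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    if end != len(body):
        raise ValueError("extension length mismatch")
    while pos + 4 <= end:
        ext_type, length = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        data = body[pos:pos + length]
        pos += length
        if ext_type == SUPPORTED_VERSIONS_EXT:    # TLS 1.3: the real answer lives here
            if length != 2:
                raise ValueError("bad supported_versions in ServerHello")
            selected = struct.unpack("!H", data)[0]
            return VERSION_NAMES.get(selected, hex(selected))
    return VERSION_NAMES.get(legacy_version, hex(legacy_version))


def build_server_hello(legacy_version: int, cipher: int, extensions: bytes) -> bytes:
    """Constructed sample (hypothetical helper): assemble a minimal ServerHello message."""
    body = struct.pack("!H", legacy_version) + b"\x11" * 32 + b"\x00" + struct.pack("!H", cipher) + b"\x00"
    if extensions:
        body += struct.pack("!H", len(extensions)) + extensions
    return b"\x02" + len(body).to_bytes(3, "big") + body


# Constructed samples: a 1.3 hello says "1.2" in legacy_version, a 1.2 hello has no supported_versions
TLS13_HELLO = build_server_hello(0x0303, 0x1301, struct.pack("!HHH", SUPPORTED_VERSIONS_EXT, 2, 0x0304))
TLS12_HELLO = build_server_hello(0x0303, 0xC02F, b"")
```

Reading only the legacy_version field of `TLS13_HELLO` yields 0x0303, which is exactly the kind of miscount the question above is probing.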