Re: [TLS] Fwd: New Version Notification for draft-moriarty-tls-oldversions-diediedie-00.txt

[Eric Mill <eric@konklone.com>]

If we're looking for precedent and support, the Canadian government
recently (like in the last week or two) issued a policy requiring TLS 1.0
and 1.1 be disabled:

https://www.canada.ca/en/treasury-board-secretariat/services/information-technology/policy-implementation-notices/implementing-https-secure-web-connections-itpin.html

It's effective immediately for new services, and has a deadline of
September 30, 2019 for existing services.

-- Eric

On Mon, Jul 9, 2018 at 3:02 PM Loganaden Velvindron <loganaden@gmail.com>
wrote:

> On Mon, Jul 9, 2018 at 8:54 PM, Eric Rescorla <ekr@rtfm.com> wrote:
> > Thanks for writing this.
> >
> > I would be in favor of deprecating old versions of TLS prior to 1.2.
> Firefox
> > Telemetry shows that about 1% of our connections are TLS 1.1 (on the same
> > data set, TLS 1.3 is > 5%), and TLS 1.1 is negligible.
> >
> > This is probably a higher number than we'd be comfortable turning off
> > immediately, but it is probably worth starting the process.
> >
>
> I'm also in favour. Many banks/instituion in developing countries are
> moving to deprecate tls v1.0 and tls v1.1.
>
> As I commented on github:
> SSLpulse shows how many top websites support tls 1.2 (92.8%) and this
> number is increasing (0.5%):
>
> https://www.ssllabs.com/ssl-pulse/
>
> KeyCDN and digicert have also announced their intentions to deprecate
> tls 1.0 and tls 1.1.
>
>
> https://github.com/sftcd/tls-oldversions-diediedie/commit/a0d6c160d922bd7f52a917884823114c90932291
>
>
>
> > -Ekr
> >
> >
> > On Mon, Jul 9, 2018 at 9:40 AM, Kathleen Moriarty
> > <kathleen.moriarty.ietf@gmail.com> wrote:
> >>
> >> Hello,
> >>
> >> Stephen and I posted the draft below to see if the TLS working group
> >> is ready to take steps to deprecate TLSv1.0 and TLSv1.1.  There has
> >> been a recent drop off in usage for web applications due to the PCI
> >> Council recommendation to move off TLSv1.0, with a recommendation to
> >> go to TLSv1.2 by June 30th.  NIST has also been recommending TLSv1.2
> >> as a baseline.  Applications other than those using HTTP may not have
> >> had the same reduction in usage.  If you are responsible for services
> >> where you have a reasonable vantage point to gather and share
> >> statistics to assess usage further, that could be helpful for the
> >> discussion.  We've received some feedback that has been incorporated
> >> into the working draft and feelers in general have been positive.  It
> >> would be good to know if there are any show stoppers that have not
> >> been considered.
> >>
> >> https://github.com/sftcd/tls-oldversions-diediedie
> >>
> >> Thanks in advance,
> >> Kathleen
> >>
> >>
> >> ---------- Forwarded message ----------
> >> From:  <internet-drafts@ietf.org>
> >> Date: Mon, Jun 18, 2018 at 3:05 PM
> >> Subject: New Version Notification for
> >> draft-moriarty-tls-oldversions-diediedie-00.txt
> >> To: Stephen Farrell <stephen.farrell@cs.tcd.ie>, Kathleen Moriarty
> >> <Kathleen.Moriarty.ietf@gmail.com>
> >>
> >>
> >>
> >> A new version of I-D, draft-moriarty-tls-oldversions-diediedie-00.txt
> >> has been successfully submitted by Stephen Farrell and posted to the
> >> IETF repository.
> >>
> >> Name:           draft-moriarty-tls-oldversions-diediedie
> >> Revision:       00
> >> Title:          Deprecating TLSv1.0 and TLSv1.1
> >> Document date:  2018-06-18
> >> Group:          Individual Submission
> >> Pages:          10
> >> URL:
> >>
> >> https://www.ietf.
> .org/internet-drafts/draft-moriarty-tls-oldversions-diediedie-00.txt
> >>
> >> Status:
> >>
> https://datatracker.ietf.org/doc/draft-moriarty-tls-oldversions-diediedie/
> >> Htmlized:
> >> https://tools.ietf.org/html/draft-moriarty-tls-oldversions-diediedie-00
> >> Htmlized:
> >>
> >>
> https://datatracker.ietf.org/doc/html/draft-moriarty-tls-oldversions-diediedie
> >>
> >>
> >> Abstract:
> >>    This document [if approved] formally deprecates Transport Layer
> >>    Security (TLS) versions 1.0 [RFC2246] and 1.1 [RFC4346] and moves
> >>    these documents to the historic state.  These versions lack support
> >>    for current and recommended cipher suites, and various government and
> >>    industry profiiles of applications using TLS now mandate avoiding
> >>    these old TLS versions.  TLSv1.2 has been the recommended version for
> >>    IETF protocols since 2008, providing sufficient time to transition
> >>    away from older versions.  Products having to support older versions
> >>    increase the attack surface unnecessarily and increase opportunities
> >>    for misconfigurations.  Supporting these older versions also requires
> >>    additional effort for library and product maintenance.
> >>
> >>    This document updates the backward compatibility sections of TLS RFCs
> >>    [[list TBD]] to prohibit fallback to TLSv1.0 and TLSv1.1.  This
> >>    document also updates RFC 7525.
> >>
> >>
> >>
> >>
> >> Please note that it may take a couple of minutes from the time of
> >> submission
> >> until the htmlized version and diff are available at tools.ietf.org.
> >>
> >> The IETF Secretariat
> >>
> >>
> >>
> >> --
> >>
> >> Best regards,
> >> Kathleen
> >>
> >> _______________________________________________
> >> TLS mailing list
> >> TLS@ietf.org
> >> https://www.ietf.org/mailman/listinfo/tls
> >
> >
> >
> > _______________________________________________
> > TLS mailing list
> > TLS@ietf.org
> > https://www.ietf.org/mailman/listinfo/tls
> >
>
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls
>


-- 
konklone.com | @konklone <https://twitter.com/konklone>