Re: [TLS] Fwd: New Version Notification for draft-moriarty-tls-oldversions-diediedie-00.txt

Eric Mill <eric@konklone.com> Mon, 09 July 2018 21:08 UTC

Return-Path: <eric@konklone.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6E897130DF0 for <tls@ietfa.amsl.com>; Mon, 9 Jul 2018 14:08:26 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=pobox.com header.b=yb41EDxf; dkim=neutral reason="invalid (public key: not available)" header.d=konklone.com header.b=zjLOHNeZ
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id CRUbLnRaLLPj for <tls@ietfa.amsl.com>; Mon, 9 Jul 2018 14:08:22 -0700 (PDT)
Received: from pb-smtp2.pobox.com (pb-smtp2.pobox.com [64.147.108.71]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B2771130E5D for <tls@ietf.org>; Mon, 9 Jul 2018 14:08:22 -0700 (PDT)
Received: from pb-smtp2.pobox.com (unknown [127.0.0.1]) by pb-smtp2.pobox.com (Postfix) with ESMTP id 56E5FF1890 for <tls@ietf.org>; Mon, 9 Jul 2018 17:08:19 -0400 (EDT)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=pobox.com; h=mime-version :references:in-reply-to:from:date:message-id:subject:to:cc :content-type; s=sasl; bh=+/gXlVKzQ4TdPm2gtXhHXgfX9Zs=; b=yb41ED xf1Avoztaoxa2nUQarTxG776n7A+teQ2mz3A4ThUdS9plf76kJVV/iS8vY8L++zl 3Ulcfu5HIfHbtwCXPpfAiBqvScB7ova6N+sZF45+SDDdIQsZdXg5T+9U2x1X4KYh /nlpYPzasTupsXlLpALdGgXt9GcyU52yrTc4c=
Received: from pb-smtp2.nyi.icgroup.com (unknown [127.0.0.1]) by pb-smtp2.pobox.com (Postfix) with ESMTP id 4F135F188E for <tls@ietf.org>; Mon, 9 Jul 2018 17:08:19 -0400 (EDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed; d=konklone.com; h=mime-version:references:in-reply-to:from:date:message-id:subject:to:cc:content-type; s=2016-12.pbsmtp; bh=CchkdlhJ65OKiumCZDmJESp8PfWGSc2GT0KkNVvOxzE=; b=zjLOHNeZEPPkYZOSDRvj79O93UMlRFZ3XY9BQo7s7vmEzjpeyq/GOkAfgL4iEmNXrH8lntXHCWwZXyjvCMLKS8fxYjPFD7pYbyiMZ4tu1IkTxGB+RBuqMSN011buQJJkHO3L9UhWAGpdvF5riQT38PdLTqIULW2DssVAZtECCvM=
Received: from mail-io0-f179.google.com (unknown [209.85.223.179]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by pb-smtp2.pobox.com (Postfix) with ESMTPSA id C226CF188C for <tls@ietf.org>; Mon, 9 Jul 2018 17:08:18 -0400 (EDT)
Received: by mail-io0-f179.google.com with SMTP id y10-v6so3531199ioa.10 for <tls@ietf.org>; Mon, 09 Jul 2018 14:08:18 -0700 (PDT)
X-Gm-Message-State: AOUpUlGovF0GoM9pksYhbin5UO+PlG06FHQM6ZMkhFBYR/xViv6eyfrE HwfIE+hV7hKkak2O+wnVB6H5Huy4E5DWO9PZDo4=
X-Google-Smtp-Source: AAOMgpfb51DSIXI1ACpbJSvHJipXBrEhDLlrwqIzJXg+4woSOwkqLFVd4iD67STU1WSiXOrpe80wBuOXWvGPtZ3XofM=
X-Received: by 2002:a5e:8a45:: with SMTP id o5-v6mr7986352iom.88.1531170498096; Mon, 09 Jul 2018 14:08:18 -0700 (PDT)
MIME-Version: 1.0
References: <152934875755.3094.4484881874912460528.idtracker@ietfa.amsl.com> <CAHbuEH5J-F2cKag02Vx416jsy1N6XZOju28H99WAt71Pc5optg@mail.gmail.com> <CABcZeBN4RPt_=zu-PTPeaYbQ4KxC8DAf=a7359pZDjYavpxecw@mail.gmail.com> <CAOp4FwTmwro+KXyOH20PcUv+WTy98i2iqxx6Bhq36R8AHYAKQA@mail.gmail.com>
In-Reply-To: <CAOp4FwTmwro+KXyOH20PcUv+WTy98i2iqxx6Bhq36R8AHYAKQA@mail.gmail.com>
From: Eric Mill <eric@konklone.com>
Date: Mon, 09 Jul 2018 17:07:53 -0400
X-Gmail-Original-Message-ID: <CANBOYLVrWGUPzVbzvSB79Das2Rt3zxTr+kn3CAjSmk65Ry8JGg@mail.gmail.com>
Message-ID: <CANBOYLVrWGUPzVbzvSB79Das2Rt3zxTr+kn3CAjSmk65Ry8JGg@mail.gmail.com>
To: loganaden@gmail.com
Cc: Eric Rescorla <ekr@rtfm.com>, "<tls@ietf.org>" <tls@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000a134e30570976977"
X-Pobox-Relay-ID: 34399816-83BC-11E8-964C-40570C78B957-82875391!pb-smtp2.pobox.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/-S4UKerNIukuEI6XKRHCmeGhkPg>
Subject: Re: [TLS] Fwd: New Version Notification for draft-moriarty-tls-oldversions-diediedie-00.txt
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 09 Jul 2018 21:08:27 -0000

If we're looking for precedent and support, the Canadian government
recently (like in the last week or two) issued a policy requiring TLS 1.0
and 1.1 be disabled:

https://www.canada.ca/en/treasury-board-secretariat/services/information-technology/policy-implementation-notices/implementing-https-secure-web-connections-itpin.html

It's effective immediately for new services, and has a deadline of
September 30, 2019 for existing services.

-- Eric

On Mon, Jul 9, 2018 at 3:02 PM Loganaden Velvindron <loganaden@gmail.com>
wrote:

> On Mon, Jul 9, 2018 at 8:54 PM, Eric Rescorla <ekr@rtfm.com> wrote:
> > Thanks for writing this.
> >
> > I would be in favor of deprecating old versions of TLS prior to 1.2.
> Firefox
> > Telemetry shows that about 1% of our connections are TLS 1.1 (on the same
> > data set, TLS 1.3 is > 5%), and TLS 1.1 is negligible.
> >
> > This is probably a higher number than we'd be comfortable turning off
> > immediately, but it is probably worth starting the process.
> >
>
> I'm also in favour. Many banks/instituion in developing countries are
> moving to deprecate tls v1.0 and tls v1.1.
>
> As I commented on github:
> SSLpulse shows how many top websites support tls 1.2 (92.8%) and this
> number is increasing (0.5%):
>
> https://www.ssllabs.com/ssl-pulse/
>
> KeyCDN and digicert have also announced their intentions to deprecate
> tls 1.0 and tls 1.1.
>
>
> https://github.com/sftcd/tls-oldversions-diediedie/commit/a0d6c160d922bd7f52a917884823114c90932291
>
>
>
> > -Ekr
> >
> >
> > On Mon, Jul 9, 2018 at 9:40 AM, Kathleen Moriarty
> > <kathleen.moriarty.ietf@gmail.com> wrote:
> >>
> >> Hello,
> >>
> >> Stephen and I posted the draft below to see if the TLS working group
> >> is ready to take steps to deprecate TLSv1.0 and TLSv1.1.  There has
> >> been a recent drop off in usage for web applications due to the PCI
> >> Council recommendation to move off TLSv1.0, with a recommendation to
> >> go to TLSv1.2 by June 30th.  NIST has also been recommending TLSv1.2
> >> as a baseline.  Applications other than those using HTTP may not have
> >> had the same reduction in usage.  If you are responsible for services
> >> where you have a reasonable vantage point to gather and share
> >> statistics to assess usage further, that could be helpful for the
> >> discussion.  We've received some feedback that has been incorporated
> >> into the working draft and feelers in general have been positive.  It
> >> would be good to know if there are any show stoppers that have not
> >> been considered.
> >>
> >> https://github.com/sftcd/tls-oldversions-diediedie
> >>
> >> Thanks in advance,
> >> Kathleen
> >>
> >>
> >> ---------- Forwarded message ----------
> >> From:  <internet-drafts@ietf.org>
> >> Date: Mon, Jun 18, 2018 at 3:05 PM
> >> Subject: New Version Notification for
> >> draft-moriarty-tls-oldversions-diediedie-00.txt
> >> To: Stephen Farrell <stephen.farrell@cs.tcd.ie>, Kathleen Moriarty
> >> <Kathleen.Moriarty.ietf@gmail.com>
> >>
> >>
> >>
> >> A new version of I-D, draft-moriarty-tls-oldversions-diediedie-00.txt
> >> has been successfully submitted by Stephen Farrell and posted to the
> >> IETF repository.
> >>
> >> Name:           draft-moriarty-tls-oldversions-diediedie
> >> Revision:       00
> >> Title:          Deprecating TLSv1.0 and TLSv1.1
> >> Document date:  2018-06-18
> >> Group:          Individual Submission
> >> Pages:          10
> >> URL:
> >>
> >> https://www.ietf.
> .org/internet-drafts/draft-moriarty-tls-oldversions-diediedie-00.txt
> >>
> >> Status:
> >>
> https://datatracker.ietf.org/doc/draft-moriarty-tls-oldversions-diediedie/
> >> Htmlized:
> >> https://tools.ietf.org/html/draft-moriarty-tls-oldversions-diediedie-00
> >> Htmlized:
> >>
> >>
> https://datatracker.ietf.org/doc/html/draft-moriarty-tls-oldversions-diediedie
> >>
> >>
> >> Abstract:
> >>    This document [if approved] formally deprecates Transport Layer
> >>    Security (TLS) versions 1.0 [RFC2246] and 1.1 [RFC4346] and moves
> >>    these documents to the historic state.  These versions lack support
> >>    for current and recommended cipher suites, and various government and
> >>    industry profiiles of applications using TLS now mandate avoiding
> >>    these old TLS versions.  TLSv1.2 has been the recommended version for
> >>    IETF protocols since 2008, providing sufficient time to transition
> >>    away from older versions.  Products having to support older versions
> >>    increase the attack surface unnecessarily and increase opportunities
> >>    for misconfigurations.  Supporting these older versions also requires
> >>    additional effort for library and product maintenance.
> >>
> >>    This document updates the backward compatibility sections of TLS RFCs
> >>    [[list TBD]] to prohibit fallback to TLSv1.0 and TLSv1.1.  This
> >>    document also updates RFC 7525.
> >>
> >>
> >>
> >>
> >> Please note that it may take a couple of minutes from the time of
> >> submission
> >> until the htmlized version and diff are available at tools.ietf.org.
> >>
> >> The IETF Secretariat
> >>
> >>
> >>
> >> --
> >>
> >> Best regards,
> >> Kathleen
> >>
> >> _______________________________________________
> >> TLS mailing list
> >> TLS@ietf.org
> >> https://www.ietf.org/mailman/listinfo/tls
> >
> >
> >
> > _______________________________________________
> > TLS mailing list
> > TLS@ietf.org
> > https://www.ietf.org/mailman/listinfo/tls
> >
>
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls
>


-- 
konklone.com | @konklone <https://twitter.com/konklone>