Re: [TLS] Deployment ... Re: This working group has failed

"Michael Staubermann" <Michael.Staubermann@webolution.de> Mon, 18 November 2013 22:16 UTC

From: "Michael Staubermann" <Michael.Staubermann@webolution.de>
To: <mrex@sap.com>
References: <06a3c2e5ba2b451a80cd05b18e8f4f72@BL2PR03MB194.namprd03.prod.outlook.com> <20131118192532.9CE531AAB0@ld9781.wdf.sap.corp>
In-Reply-To: <20131118192532.9CE531AAB0@ld9781.wdf.sap.corp>
Date: Mon, 18 Nov 2013 23:16:21 +0100
Message-ID: <058f01cee4ab$d28316b0$77894410$@Staubermann@webolution.de>
Cc: tls@ietf.org
Subject: Re: [TLS] Deployment ... Re: This working group has failed

Martin Rex wrote:

> Unfortunately, I've seen a new (government mandated) Web Service usage
> scenario deployed in 2013 where the hardware SSL/TLS accelerator that is
> being used is TLS version intolerant to TLSv1.1 and TLSv1.2.

On the other hand, we have the (government mandated) requirement to use TLS
1.2 for governmental institutions:

https://www.bsi.bund.de/DE/Presse/Kurzmitteilungen/Kurzmit2013/Mindeststandard_TLS_1_2_Web-Seiten_des_BSI_13112013.html

Which translates into:
"On 8 October 2013 the Federal Office for Information Security (BSI)
published a minimum standard for the use of transport encryption with the
TLS protocol. A minimum standard issued by the BSI describes the security
requirements to be met by a category of products, services or methods in
order to achieve a reasonable minimum level of protection against IT
security threats. With the release of the minimum standard for TLS 1.2, the
BSI has, in the interest of Internet users in Germany, set a target that
the institutions of the federal government, including the BSI itself, can
now work towards.

It lies in the nature of a target that it is in the future. Specifying a
destination that one has already reached makes little sense from the BSI's
perspective.

Since migrating to TLS 1.2 usually involves not only software but also
hardware products, it can be a time-consuming process in which not only
technical but also organizational aspects have to be taken into account. In
this respect, falling short of a specific objective for a transitional
period is quite common and useful. The BSI is accompanying this transition
period and is available to authorities for advice on the migration. Within
the BSI itself, too, the migration is taking place in a structured and
carefully prepared process. This process has already begun. Together with
its hosting service provider, the BSI is currently working diligently on
converting the web server on which the BSI's own websites are hosted. The
first step is to end the exclusive use of the RC4 encryption algorithm;
this could already be achieved in the short term. The migration to TLS 1.2
has already been initiated."

-mst