Re: [TLS] Publication has been requested for draft-ietf-tls-oldversions-deprecate-05

Benjamin Kaduk <kaduk@mit.edu> Fri, 04 October 2019 00:11 UTC

Return-Path: <kaduk@mit.edu>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BE9EC120889; Thu, 3 Oct 2019 17:11:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.2
X-Spam-Level:
X-Spam-Status: No, score=-4.2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ABNdlbWqIXbF; Thu, 3 Oct 2019 17:11:54 -0700 (PDT)
Received: from outgoing.mit.edu (outgoing-auth-1.mit.edu [18.9.28.11]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DB3D912006E; Thu, 3 Oct 2019 17:11:53 -0700 (PDT)
Received: from kduck.mit.edu ([24.16.140.251]) (authenticated bits=56) (User authenticated as kaduk@ATHENA.MIT.EDU) by outgoing.mit.edu (8.14.7/8.12.4) with ESMTP id x940BgOT023643 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Thu, 3 Oct 2019 20:11:45 -0400
Date: Thu, 3 Oct 2019 17:11:42 -0700
From: Benjamin Kaduk <kaduk@mit.edu>
To: John Mattsson <john.mattsson@ericsson.com>
Cc: Stephen Farrell <stephen.farrell@cs.tcd.ie>, Sean Turner <sean@sn3rd.com>, Sean Turner via Datatracker <noreply@ietf.org>, "tls-chairs@ietf.org" <tls-chairs@ietf.org>, IESG Secretary <iesg-secretary@ietf.org>, "tls@ietf.org" <tls@ietf.org>
Message-ID: <20191004001142.GF6424@kduck.mit.edu>
References: <156172485494.20653.307396745611384846.idtracker@ietfa.amsl.com> <989F828F-B427-47A6-A114-4EAEA67D43D7@ericsson.com> <CABcZeBOCzwLDEUyiqkDG0Qqaf652_+j1KBsJQJcJk2Lew_9wCw@mail.gmail.com> <00C5D54E-40C7-4E95-AD2D-9BC60D972685@sn3rd.com> <5bcf3b7c-5501-70f0-4ce7-384f885c39e7@cs.tcd.ie> <6F040DD1-C2E2-4FD2-BB37-E1B6330230BD@ericsson.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <6F040DD1-C2E2-4FD2-BB37-E1B6330230BD@ericsson.com>
User-Agent: Mutt/1.12.1 (2019-06-15)
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/0e2nfWbKCoGRnsWiL3PTqmDsuE0>
Subject: Re: [TLS] Publication has been requested for draft-ietf-tls-oldversions-deprecate-05
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 04 Oct 2019 00:11:56 -0000

On Wed, Oct 02, 2019 at 02:45:08PM +0000, John Mattsson wrote:
> Hi,
> 
> Sean Turner wrote:
> > "You can change the text, but I do not believe it will change the implementations."
> 
> I would much rather have a future proof RFC that forbids negotiation of DTLS 1.0 with the knowledge that some implementations will temporary violate that, than having an RFC that long time in the future allows negotiation and use of DTLS 1.0.
> 
> 
> Eric Rescorla wrote:
> > "result of some pretty extensive discussion and compromising in rtcweb"
> 
> That does not surprise me, but I think that is part of the problem. These
> things should mainly be decided by the TLS working group.

How?  Just by publishing BCPs, or is the TLS WG also supposed to (e.g.)
watch IETF LCs and complain about use of old protocol versions?

> Draft-ietf-rtcweb-security-arch mandated DTLS 1.0 until Nov 2018. That is
> half a year after the "Deprecating TLSv1.0 and TLSv1.1" draft was
> submitted and almost 7 years after DTLS 1.0 was made obsolete.

Mandating (D)TLS 1.0 is not going to get past the IESG in 2018.  We can
(and are) try to better communicate our expectations for this sort of thing
to the WGs, but it seems unrealistic to expect a 100% success rate from
them, since it's usually not the WG's core competency.  (See also
https://mailarchive.ietf.org/arch/msg/wgchairs/dfe_5obSQm7YK7JzVbmc-MbXNmU .)

> 
> No matter what is done in this particular case, I think the important thing to discuss is how we avoid drafts that only support obsolete versions of TLS/DTLS in the future. According to my understanding of the comments in the thread "Lessons learned from TLS 1.0 and TLS 1.1 deprecation", both me, Kathleen Moriarty, and Martin Thomson understands obsoleted as:
> 
> "New implementations and deployments MUST include support of the new version".
> 
> If this is not clearly defined somewhere, I think it needs to be specified. If it is specified somewhere, IETF needs to make sure to follow apply it.

Even supposing everyone agrees on this, there seem to be some fencepost
issues surrounding "new".  Is a protocol "new" when it gets published as an
RFC, or at WGLC, or even earlier?  I have been pretty laid-back until now
about requiring things coming in front of the IESG to pick up TLS 1.3,
since for the most part they were in progress (including implementations)
before TLS 1.3 implementations were readily available in production-grade
form.  It's about time to tighten up on that, since it's been over a year
since RFC 8446, but I'm not sure I fully understand where you want us to
fall across these boundary conditions.

-Ben