Re: [TLS] [Last-Call] Last Call: <draft-ietf-tls-oldversions-deprecate-09.txt> (Deprecating TLSv1.0 and TLSv1.1) to Best Current Practice

Keith Moore <moore@network-heretics.com> Sat, 28 November 2020 05:05 UTC

To: Eric Rescorla <ekr@rtfm.com>
Cc: last-call@ietf.org, draft-ietf-tls-oldversions-deprecate@ietf.org, tls-chairs <tls-chairs@ietf.org>, tls@ietf.org
References: <160496076356.8063.5138064792555453422@ietfa.amsl.com> <49d045a3-db46-3250-9587-c4680ba386ed@network-heretics.com> <CABcZeBPCccfDuGyZC-y88-dapjWYy57YRWWK3vsFOGM5Bxa+8Q@mail.gmail.com> <584c7749-6986-0329-873c-2d1ff8b55251@network-heretics.com> <CABcZeBNmzSV38Hm+cpas=hAO3RvV2V6nCkRUM2NkBM8mG7bdBg@mail.gmail.com> <7e1af512-ba45-5d9a-6538-518179ab2c3a@network-heretics.com> <CABcZeBMW9H=mxRyY=2OKAP1FkGpaniuH2FXCW5mUcAVx=GVRgA@mail.gmail.com>
From: Keith Moore <moore@network-heretics.com>
Message-ID: <2ff1fb69-866d-1bdf-b04c-ffd65f331dc8@network-heretics.com>
Date: Sat, 28 Nov 2020 00:05:13 -0500
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.10.0
MIME-Version: 1.0
In-Reply-To: <CABcZeBMW9H=mxRyY=2OKAP1FkGpaniuH2FXCW5mUcAVx=GVRgA@mail.gmail.com>
Content-Type: multipart/alternative; boundary="------------06280CC63DE0125025E98183"
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/1-_GJkVw6EyZdkc_XoCL82i8tPc>

On 11/27/20 11:58 PM, Eric Rescorla wrote:

>     To clarify, my suggestion was that https with TLS < 1.2 be treated as
>     insecure, not as neither secure nor insecure or any kind of "in
>     between".
>
> Well, the problem is that it is secure from the perspective of the site author
> but insecure from the perspective of the client. That's not going to end well
> for the reasons I indicated above.

Well, that is an interesting point that I missed earlier. But I think
the situation will be the same if any of the obvious workarounds is
used, like a plugin or proxy.

Keith