[TLS] Results of Last Call: <draft-ietf-tls-oldversions-deprecate-09.txt> (Deprecating TLSv1.0 and TLSv1.1) to Best Current Practice

Benjamin Kaduk <kaduk@mit.edu> Tue, 08 December 2020 14:57 UTC

Return-Path: <kaduk@mit.edu>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8CD443A1026; Tue, 8 Dec 2020 06:57:05 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.92
X-Spam-Level:
X-Spam-Status: No, score=-1.92 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_MSPIKE_H4=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id tmqaDdvWkkNB; Tue, 8 Dec 2020 06:57:03 -0800 (PST)
Received: from outgoing.mit.edu (outgoing-auth-1.mit.edu [18.9.28.11]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9CC903A0FF3; Tue, 8 Dec 2020 06:57:01 -0800 (PST)
Received: from kduck.mit.edu ([24.16.140.251]) (authenticated bits=56) (User authenticated as kaduk@ATHENA.MIT.EDU) by outgoing.mit.edu (8.14.7/8.12.4) with ESMTP id 0B8Euril027437 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Tue, 8 Dec 2020 09:56:57 -0500
Date: Tue, 8 Dec 2020 06:56:53 -0800
From: Benjamin Kaduk <kaduk@mit.edu>
To: last-call@ietf.org
Cc: sean@sn3rd.com, tls@ietf.org, tls-chairs@ietf.org, Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>, draft-ietf-tls-oldversions-deprecate@ietf.org
Message-ID: <20201208145653.GL64351@kduck.mit.edu>
References: <160496076356.8063.5138064792555453422@ietfa.amsl.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <160496076356.8063.5138064792555453422@ietfa.amsl.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/2QHMMX9g5vpFJaeH0okj40N3WjQ>
Subject: [TLS] Results of Last Call: <draft-ietf-tls-oldversions-deprecate-09.txt> (Deprecating TLSv1.0 and TLSv1.1) to Best Current Practice
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 08 Dec 2020 14:57:12 -0000

Hi all,

Thank you for the robust discussion on this last-call thread (just a bit past
100 messages so far), including the interesting discussion (though arguably a
tangent to the document at hand by the end) about how the IETF can better
provide operational guidance and support robust and sustainable device
ecosystems and lifecycles.  While extended implementation guidance seems out
of scope for this document, reference(s) to such guidance elsewhere may be
useful, if the appropriate material to reference is located.

Though there were some relatively minor issues reported (Tom Petch noted a
botched reference or two, the gen-art and ops-dir reviews found some nits, and
John Klensin advocated for greater clarity on the relationship between RFC
5469 and RFC 5246), the bulk of the discussion focused on the potential harm
that would be caused by an immediate and universal move to TLS 1.2 as the
minimum version of TLS used at runtime or the removal of support for older TLS
versions from major software implementations such as TLS libraries or
browsers.

We heard about many classes of deployed systems that are in practice not
upgradeable (including due to the risk of breakage introduced by the update
process), and the knock-on effects on the local ecosystems that contain such
devices, including both where there are old TLS clients and where there are
old TLS servers, and a desire to have more text to acknowledge these use cases
and potentially indicate workarounds for them.  Many of these facts were
known to and considered by the WG at the decision to go forward with this
document around the time of IETF 102 (the benefits to the ecosystem were
deemed to outweight the breakage that would be incurred), but hearing it
again (and all in one place) is still useful.

We were also reminded that not only does the TLS ecosystem extend beyond the
Web, it also extends even to systems not connected to the Internet and
divorced from domain-name-based X.509 PKIs.  Such systems might (for example)
use RFC 1918 address space with iPAddress certificates, or pinned self-signed
certificates for TLS authentication.

A repeating theme was a desire by some participants to have some text as a
"hook" that indicates to sites that have already-fielded equipment
incompatible with the recommendations of this document that it is okay to
disregard its advice.  Other participants, however, expressed the sentiment
that a clear and unambiguous statement of best practices is preferred, with
many parties (presumably not the same ones that would benefit from the "hook")
having no difficulty in diverging from IETF guidelines.  Sentiments were
especially mixed as to the advisability of attempting to enumerate specific
exception cases where dropping old TLS versions would be harmful, as might
occur in such "hook" text.

There was also a proposal to keep TLS 1.0 and 1.1 enabled but treat it
identically to cleartext, though subsequent discussion concluded that
intentionally setting up a scenario where client and server disagree about
whether or not the traffic is secured seems ill-advised.

We heard about several classes of deployment for which an attempt to make this
change "overnight" would be a non-starter, with lead times measured in years
being necessary in order to achieve changes of this nature.  Fortunately, it
was clarified that publication of this document as a BCP would not require
such instant change; rather, this is the IETF describing what we believe to be
the best practices at the present time, with no immediate obligation to adhere
to such practices.  A transition period for moving from the present state of
any given deployment to the recommended state is called for, and this document
describes the motivation for the change so that each site can make an
assessment of their own risk and exposure, and thus, the pace at which to
transition.

In light of the expressed desire for long lead times in changes of this
nature, the question was raised as to when TLS 1.2 will be due for a similar
treatment, including whether it is advisable to choose and start advertising a
date for such a change now.  I note that TLS 1.3 features significant
improvements over TLS 1.2 on many axes, so I will encourage consideration
of this question in the TLS WG.


In conclusion, my assessment is that there is general IETF consensus to
publish this document in its current form, including the use of "MUST NOT"
language for the old TLS versions.  However, in the interest of clarity, we
should also provide some text to reiterate that this document reflects the
guidance from the IETF as to what are currently believed to be best practices
and why, but that whether or not (and how quickly) to adhere to the
IETF-provided best practices remains at the discretion of implementors and
operators.  Accordingly, I propose to add a new section just before the
Security Considerations section:

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

7. Operational Considerations

This document is part of BCP 195, and as such reflects the understanding of
the IETF (at the time of its publication) as to the best practices for TLS
and DTLS usage.

Though TLS 1.1 has been obsolete since the publication of RFC 5246 in 2008,
and DTLS 1.0 has been obsolete since the publication of RFC 6347 in 2012,
there may remain some systems in operation that do not support (D)TLS 1.2 or
higher.  Adopting the practices recommended by this document for any systems
that need to communicate with the aforementioned class of systems will cause
failure to interoperate.  However, disregarding the recommendations of this
document in order to continue to interoperate with the aforementioned class of
systems incurs some amount of risk.  The nature of the risks incurred by
operating in contravention to the recommendations of this document are
discussed in Sections 2 and 3, and knowledge of those risks should be used
along with any potential mitigating factors and the risks inherent to
updating the systems in question when deciding how quickly to adopt the
recommendations specified in this document.

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

Thanks again for all the discussion here; it was quite productive.

-Ben