Re: [TLS] Last Call: <draft-ietf-tls-oldversions-deprecate-09.txt> (Deprecating TLSv1.0 and TLSv1.1) to Best Current Practice

Peter Gutmann <pgut001@cs.auckland.ac.nz> Tue, 01 December 2020 00:32 UTC

Return-Path: <pgut001@cs.auckland.ac.nz>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 109463A12B9 for <tls@ietfa.amsl.com>; Mon, 30 Nov 2020 16:32:04 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.917
X-Spam-Level:
X-Spam-Status: No, score=-1.917 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_MSPIKE_H4=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id n9LQxD8RcUdc for <tls@ietfa.amsl.com>; Mon, 30 Nov 2020 16:32:02 -0800 (PST)
Received: from au-smtp-delivery-117.mimecast.com (au-smtp-delivery-117.mimecast.com [124.47.189.117]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3A3DF3A12AF for <tls@ietf.org>; Mon, 30 Nov 2020 16:32:01 -0800 (PST)
Received: from AUS01-SY4-obe.outbound.protection.outlook.com (mail-sy4aus01lp2174.outbound.protection.outlook.com [104.47.71.174]) (Using TLS) by relay.mimecast.com with ESMTP id au-mta-88-4WA12uxvP_uO2Y3N2LmMWg-1; Tue, 01 Dec 2020 11:30:09 +1100
X-MC-Unique: 4WA12uxvP_uO2Y3N2LmMWg-1
Received: from PSXP216CA0036.KORP216.PROD.OUTLOOK.COM (2603:1096:300:5::22) by MEXPR01MB1317.ausprd01.prod.outlook.com (2603:10c6:200:33::21) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3611.23; Tue, 1 Dec 2020 00:30:04 +0000
Received: from PU1APC01FT043.eop-APC01.prod.protection.outlook.com (2603:1096:300:5:cafe::37) by PSXP216CA0036.outlook.office365.com (2603:1096:300:5::22) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3611.20 via Frontend Transport; Tue, 1 Dec 2020 00:30:03 +0000
X-MS-Exchange-Authentication-Results: spf=none (sender IP is 130.216.95.208) smtp.mailfrom=cs.auckland.ac.nz; ietf.org; dkim=none (message not signed) header.d=none;ietf.org; dmarc=none action=none header.from=cs.auckland.ac.nz
Received: from uxcn13-ogg-e.UoA.auckland.ac.nz (130.216.95.208) by PU1APC01FT043.mail.protection.outlook.com (10.152.253.6) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384) id 15.20.3611.23 via Frontend Transport; Tue, 1 Dec 2020 00:30:02 +0000
Received: from uxcn13-ogg-d.UoA.auckland.ac.nz (10.6.2.5) by uxcn13-ogg-e.UoA.auckland.ac.nz (10.6.2.8) with Microsoft SMTP Server (TLS) id 15.0.1497.2; Tue, 1 Dec 2020 13:30:00 +1300
Received: from uxcn13-ogg-d.UoA.auckland.ac.nz ([10.6.2.5]) by uxcn13-ogg-d.UoA.auckland.ac.nz ([10.6.2.5]) with mapi id 15.00.1497.007; Tue, 1 Dec 2020 13:30:00 +1300
From: Peter Gutmann <pgut001@cs.auckland.ac.nz>
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>, Keith Moore <moore@network-heretics.com>, "last-call@ietf.org" <last-call@ietf.org>
CC: "draft-ietf-tls-oldversions-deprecate@ietf.org" <draft-ietf-tls-oldversions-deprecate@ietf.org>, "tls-chairs@ietf.org" <tls-chairs@ietf.org>, "tls@ietf.org" <tls@ietf.org>
Thread-Topic: [TLS] Last Call: <draft-ietf-tls-oldversions-deprecate-09.txt> (Deprecating TLSv1.0 and TLSv1.1) to Best Current Practice
Thread-Index: AQHWtuemkBcnxjhwjkukZnBJ0gfqXKnb932AgAD1RoCABJdrIQ==
Date: Tue, 1 Dec 2020 00:29:59 +0000
Message-ID: <1606782600388.62069@cs.auckland.ac.nz>
References: <160496076356.8063.5138064792555453422@ietfa.amsl.com> <49d045a3-db46-3250-9587-c4680ba386ed@network-heretics.com>, <b5314e17-645a-22ea-3ce9-78f208630ae1@cs.tcd.ie>
In-Reply-To: <b5314e17-645a-22ea-3ce9-78f208630ae1@cs.tcd.ie>
Accept-Language: en-NZ, en-GB, en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [130.216.158.4]
MIME-Version: 1.0
X-EOPAttributedMessage: 0
X-MS-PublicTrafficType: Email
X-MS-Office365-Filtering-Correlation-Id: 00f7bc7d-0636-431c-ce29-08d895903e60
X-MS-TrafficTypeDiagnostic: MEXPR01MB1317:
X-Microsoft-Antispam-PRVS: <MEXPR01MB1317611C3F89BBCB5CE75653EEF40@MEXPR01MB1317.ausprd01.prod.outlook.com>
X-MS-Oob-TLC-OOBClassifiers: OLM:9508
X-MS-Exchange-SenderADCheck: 1
X-Microsoft-Antispam: BCL:0
X-Microsoft-Antispam-Message-Info: tr5wbWkQEcG7+CJkf0D5HlCFB83RrjsfSIV8kIwj6fMA+yuWzjbGcvtcNJkAWmEiwwiDWz7Xa1aFm4FSrpHchy6Xz96h1JuoZNQLZ3mbWoh/N8vkd3RKKA8JFkHZuE+cANRFynuEx0t2JybJSf65J2Js7cIbL1CgkCiIkWkiv5s0PVXPrJkQTDVl6K3CH5ITQ0Kea4KBXSxKl+GapGB/C31podFUFRsDnGSWpcPPZxoFvItVqyVEYcpmvKBDWUP0zJNjm2UtZGU+U+LrapFId+e1SZOWOYbrrAxrMooua72YjR5RGMl+O5M1SSLWSdsqpa+9AexkFZ1WpF9IHrRgTbTz2GM0FbbvDoMqOIUOLgUSWGEp/NOjASufI88/w5SCNL6uHAdb1E4RZ6ZTjCEKBQ==
X-Forefront-Antispam-Report: CIP:130.216.95.208; CTRY:NZ; LANG:en; SCL:1; SRV:; IPV:CAL; SFV:NSPM; H:uxcn13-ogg-e.UoA.auckland.ac.nz; PTR:natgate1-1.auckland.ac.nz; CAT:NONE; SFS:(4636009)(396003)(39860400002)(136003)(346002)(376002)(46966005)(2616005)(26005)(186003)(336012)(70586007)(83380400001)(66574015)(54906003)(110136005)(82310400003)(36906005)(786003)(316002)(5660300002)(70206006)(478600001)(4326008)(356005)(82740400003)(2906002)(7636003)(86362001)(8676002)(47076004)(8936002); DIR:OUT; SFP:1101
X-OriginatorOrg: cs.auckland.ac.nz
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 01 Dec 2020 00:30:02.3408 (UTC)
X-MS-Exchange-CrossTenant-Network-Message-Id: 00f7bc7d-0636-431c-ce29-08d895903e60
X-MS-Exchange-CrossTenant-Id: d1b36e95-0d50-42e9-958f-b63fa906beaa
X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp: TenantId=d1b36e95-0d50-42e9-958f-b63fa906beaa; Ip=[130.216.95.208]; Helo=[uxcn13-ogg-e.UoA.auckland.ac.nz]
X-MS-Exchange-CrossTenant-AuthSource: PU1APC01FT043.eop-APC01.prod.protection.outlook.com
X-MS-Exchange-CrossTenant-AuthAs: Anonymous
X-MS-Exchange-CrossTenant-FromEntityHeader: HybridOnPrem
X-MS-Exchange-Transport-CrossTenantHeadersStamped: MEXPR01MB1317
Authentication-Results: relay.mimecast.com; auth=pass smtp.auth=CAU17A13 smtp.mailfrom=pgut001@cs.auckland.ac.nz
X-Mimecast-Spam-Score: 0
X-Mimecast-Originator: cs.auckland.ac.nz
Content-Language: en-NZ
Content-Type: text/plain; charset=WINDOWS-1252
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/3d-T8ZMb2w_z94kXDk72lPIdQVQ>
Subject: Re: [TLS] Last Call: <draft-ietf-tls-oldversions-deprecate-09.txt> (Deprecating TLSv1.0 and TLSv1.1) to Best Current Practice
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 01 Dec 2020 00:32:04 -0000

Stephen Farrell <stephen.farrell@cs.tcd.ie> writes:

>In earlier iterations of the draft we included some survey results for TLS
>version usage in web, mail and OSes. I think your argument to special-case
>embedded systems or systems without s/w update would be a lot stronger if you
>or someone else had data to offer about the prevalence of these systems and
>the TLS versions they support.

That's more or less impossible since they're invisible to the public Internet.
Or at least they're supposed to be, large numbers of them are publicly visible
when they shouldn't be, but in any case at best you're going to get a lot of
anecdotal evidence rather than anything comprehensive.

However I think your comment points out the overall problem:

  usage in web, mail and OSes

This means there's no consideration at all of use in embedded/SCADA/whatever.
So I think the text should include wording to the effect that it applies to
public Internet use but not to embedded/SCADA/etc for which very different
considerations apply.  For example the issue in the previous message with
regard to the CA/B BR is mutually exclusive with embedded use, systems like
that will pretty much never see a cert from a CA/B CA.  Conversely, they'll
have certs for RFC 1918 addresses and EUIs and whatnot which shouldn't (but
probably have been) issued by public CAs.

Peter.