Re: [TLS] Last Call: <draft-ietf-tls-oldversions-deprecate-09.txt> (Deprecating TLSv1.0 and TLSv1.1) to Best Current Practice

Peter Gutmann <> Tue, 01 December 2020 00:32 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 109463A12B9 for <>; Mon, 30 Nov 2020 16:32:04 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.917
X-Spam-Status: No, score=-1.917 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_MSPIKE_H4=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id n9LQxD8RcUdc for <>; Mon, 30 Nov 2020 16:32:02 -0800 (PST)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 3A3DF3A12AF for <>; Mon, 30 Nov 2020 16:32:01 -0800 (PST)
Received: from ( []) (Using TLS) by with ESMTP id au-mta-88-4WA12uxvP_uO2Y3N2LmMWg-1; Tue, 01 Dec 2020 11:30:09 +1100
X-MC-Unique: 4WA12uxvP_uO2Y3N2LmMWg-1
Received: from PSXP216CA0036.KORP216.PROD.OUTLOOK.COM (2603:1096:300:5::22) by (2603:10c6:200:33::21) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3611.23; Tue, 1 Dec 2020 00:30:04 +0000
Received: from (2603:1096:300:5:cafe::37) by (2603:1096:300:5::22) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3611.20 via Frontend Transport; Tue, 1 Dec 2020 00:30:03 +0000
X-MS-Exchange-Authentication-Results: spf=none (sender IP is;; dkim=none (message not signed) header.d=none;; dmarc=none action=none
Received: from ( by ( with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384) id 15.20.3611.23 via Frontend Transport; Tue, 1 Dec 2020 00:30:02 +0000
Received: from ( by ( with Microsoft SMTP Server (TLS) id 15.0.1497.2; Tue, 1 Dec 2020 13:30:00 +1300
Received: from ([]) by ([]) with mapi id 15.00.1497.007; Tue, 1 Dec 2020 13:30:00 +1300
From: Peter Gutmann <>
To: Stephen Farrell <>, Keith Moore <>, "" <>
CC: "" <>, "" <>, "" <>
Thread-Topic: [TLS] Last Call: <draft-ietf-tls-oldversions-deprecate-09.txt> (Deprecating TLSv1.0 and TLSv1.1) to Best Current Practice
Thread-Index: AQHWtuemkBcnxjhwjkukZnBJ0gfqXKnb932AgAD1RoCABJdrIQ==
Date: Tue, 1 Dec 2020 00:29:59 +0000
Message-ID: <>
References: <> <>, <>
In-Reply-To: <>
Accept-Language: en-NZ, en-GB, en-US
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: []
MIME-Version: 1.0
X-EOPAttributedMessage: 0
X-MS-PublicTrafficType: Email
X-MS-Office365-Filtering-Correlation-Id: 00f7bc7d-0636-431c-ce29-08d895903e60
X-MS-TrafficTypeDiagnostic: MEXPR01MB1317:
X-Microsoft-Antispam-PRVS: <>
X-MS-Oob-TLC-OOBClassifiers: OLM:9508
X-MS-Exchange-SenderADCheck: 1
X-Microsoft-Antispam: BCL:0
X-Microsoft-Antispam-Message-Info: tr5wbWkQEcG7+CJkf0D5HlCFB83RrjsfSIV8kIwj6fMA+yuWzjbGcvtcNJkAWmEiwwiDWz7Xa1aFm4FSrpHchy6Xz96h1JuoZNQLZ3mbWoh/N8vkd3RKKA8JFkHZuE+cANRFynuEx0t2JybJSf65J2Js7cIbL1CgkCiIkWkiv5s0PVXPrJkQTDVl6K3CH5ITQ0Kea4KBXSxKl+GapGB/C31podFUFRsDnGSWpcPPZxoFvItVqyVEYcpmvKBDWUP0zJNjm2UtZGU+U+LrapFId+e1SZOWOYbrrAxrMooua72YjR5RGMl+O5M1SSLWSdsqpa+9AexkFZ1WpF9IHrRgTbTz2GM0FbbvDoMqOIUOLgUSWGEp/NOjASufI88/w5SCNL6uHAdb1E4RZ6ZTjCEKBQ==
X-Forefront-Antispam-Report: CIP:; CTRY:NZ; LANG:en; SCL:1; SRV:; IPV:CAL; SFV:NSPM;;; CAT:NONE; SFS:(4636009)(396003)(39860400002)(136003)(346002)(376002)(46966005)(2616005)(26005)(186003)(336012)(70586007)(83380400001)(66574015)(54906003)(110136005)(82310400003)(36906005)(786003)(316002)(5660300002)(70206006)(478600001)(4326008)(356005)(82740400003)(2906002)(7636003)(86362001)(8676002)(47076004)(8936002); DIR:OUT; SFP:1101
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 01 Dec 2020 00:30:02.3408 (UTC)
X-MS-Exchange-CrossTenant-Network-Message-Id: 00f7bc7d-0636-431c-ce29-08d895903e60
X-MS-Exchange-CrossTenant-Id: d1b36e95-0d50-42e9-958f-b63fa906beaa
X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp: TenantId=d1b36e95-0d50-42e9-958f-b63fa906beaa; Ip=[]; Helo=[]
X-MS-Exchange-CrossTenant-AuthAs: Anonymous
X-MS-Exchange-CrossTenant-FromEntityHeader: HybridOnPrem
X-MS-Exchange-Transport-CrossTenantHeadersStamped: MEXPR01MB1317
Authentication-Results:; auth=pass smtp.auth=CAU17A13
X-Mimecast-Spam-Score: 0
Content-Language: en-NZ
Content-Type: text/plain; charset=WINDOWS-1252
Content-Transfer-Encoding: quoted-printable
Archived-At: <>
Subject: Re: [TLS] Last Call: <draft-ietf-tls-oldversions-deprecate-09.txt> (Deprecating TLSv1.0 and TLSv1.1) to Best Current Practice
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 01 Dec 2020 00:32:04 -0000

Stephen Farrell <> writes:

>In earlier iterations of the draft we included some survey results for TLS
>version usage in web, mail and OSes. I think your argument to special-case
>embedded systems or systems without s/w update would be a lot stronger if you
>or someone else had data to offer about the prevalence of these systems and
>the TLS versions they support.

That's more or less impossible since they're invisible to the public Internet.
Or at least they're supposed to be, large numbers of them are publicly visible
when they shouldn't be, but in any case at best you're going to get a lot of
anecdotal evidence rather than anything comprehensive.

However I think your comment points out the overall problem:

  usage in web, mail and OSes

This means there's no consideration at all of use in embedded/SCADA/whatever.
So I think the text should include wording to the effect that it applies to
public Internet use but not to embedded/SCADA/etc for which very different
considerations apply.  For example the issue in the previous message with
regard to the CA/B BR is mutually exclusive with embedded use, systems like
that will pretty much never see a cert from a CA/B CA.  Conversely, they'll
have certs for RFC 1918 addresses and EUIs and whatnot which shouldn't (but
probably have been) issued by public CAs.