Re: [TLS] WGLC for "Deprecating TLSv1.0 and TLSv1.1"

Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com> Fri, 03 May 2019 14:03 UTC

Return-Path: <kathleen.moriarty.ietf@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C466D1200CD for <tls@ietfa.amsl.com>; Fri, 3 May 2019 07:03:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9hajHFox-T3S for <tls@ietfa.amsl.com>; Fri, 3 May 2019 07:03:35 -0700 (PDT)
Received: from mail-oi1-x232.google.com (mail-oi1-x232.google.com [IPv6:2607:f8b0:4864:20::232]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B299812002F for <tls@ietf.org>; Fri, 3 May 2019 07:03:35 -0700 (PDT)
Received: by mail-oi1-x232.google.com with SMTP id t70so4492224oif.5 for <tls@ietf.org>; Fri, 03 May 2019 07:03:35 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=copfu2SMO4qRMMmgRez2SQvK420uvhUp3WV/e/P8YG0=; b=fy69YL01TG4Iv/B3kfPvtlhGCUxG1TwtveW3uC23miTCkHsefw4BMtkLI2bWKgGHRf uCoLca6ROV4ySAG1UZhszgpEfJ4kEuwOnkiTk4wyHw1yl22RcxrNcN/u0AxhOnMS1+pk JrdKJMpzCXy8FmEa6GJq18UlvU+xVHKwPQPd0I3BgSPE4M8F7kOOyGKW/8jVYkBa3n7J 89M4m1GlAJv2xRYnJHo3wSZMgd3bOL/4fEJASVfOohW7ckj/4Xm/ulQzrYkT1k0vu6X2 EI7hzrdir0DwWOGN5rsiw1LEcbobZJXtbcE2bzl0UrWDOPNZcLmbv+9ns9cHVqS3Ed7q 75qw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=copfu2SMO4qRMMmgRez2SQvK420uvhUp3WV/e/P8YG0=; b=N2HO0MQQBFkcXRR1GAmKrpil3BjMgI3zSujsH/SiXl7++vPyYlAGSYEXTxKqilm6HU gEd96zW58ESQrtDyp8QCNcZKhQt7Bb7XAe/6z1SrWLHMEO2E5p6kMUsZqcUIiugkLID9 9K/+Nwus/rJ6YCqEKvYL7qCWo+cSqSlp0mil0kuzciuEmzAMNoZb3Tpf4TJiE+qOepgr zMfVtEWCJ7IYAITAKkqgUFsVDKsHsCd3a3xxUm3pgMVKS6L53PmjYKNbqqpM4wa+VD0R d0+4QsiQmwmsdj6AQIisXp4iAAnUR7+QFDHzJYjUkpTp3BHnh2L+gDoT+wImuVXMsuaq ziKQ==
X-Gm-Message-State: APjAAAWHANLTqIBvMg/4ugbO0Xm46gNbnY1yjayhTe9iUjyahnwHgKin o7PCQGZ8DhkjgoNc9jxhhsCHMDcV4o33RJCWqJm+RGj2
X-Google-Smtp-Source: APXvYqyDdCn6Klq8vdQn2ED6h+8WBT/0xyruJ9PhBQThHPkszmmeFnOkPbASK8Nnn0bOho0sEao4ud5fbUuz0Sp5a/M=
X-Received: by 2002:aca:5a07:: with SMTP id o7mr5981434oib.114.1556892214855; Fri, 03 May 2019 07:03:34 -0700 (PDT)
MIME-Version: 1.0
References: <28511b10-8f6a-4394-95a9-5188130f7b58@www.fastmail.com> <4d34a22a-3d77-4fe8-9c8e-e2128a7a80f8@www.fastmail.com> <CAHbuEH5S+xdHTQBRDtNZFaNoqhBxm6f75N=piGWk_ZERQqp6gg@mail.gmail.com> <baa013d0-6fa0-47cf-b2a2-cfc8eed68162@www.fastmail.com>
In-Reply-To: <baa013d0-6fa0-47cf-b2a2-cfc8eed68162@www.fastmail.com>
From: Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>
Date: Fri, 3 May 2019 10:02:57 -0400
Message-ID: <CAHbuEH7_Xf9xQH3X4Fk0qNDfCBCHYr1j7+8ovVVxOEfJ=gHeoQ@mail.gmail.com>
To: Martin Thomson <mt@lowentropy.net>
Cc: "<tls@ietf.org>" <tls@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000006b9bcf0587fc370d"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/6RoU_kKQ99vyAWeDwnZLDOZjk6M>
Subject: Re: [TLS] WGLC for "Deprecating TLSv1.0 and TLSv1.1"
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 03 May 2019 14:03:38 -0000

On Thu, May 2, 2019 at 7:51 PM Martin Thomson <mt@lowentropy.net> wrote:

> Thanks Kathleen, these look like good changes.
>
> Nits in the proposed BCP195 section: Lose the "p" in mpost and s/off of/on/
>

Thank you, Martin!


>
> On Fri, May 3, 2019, at 01:12, Kathleen Moriarty wrote:
> > Thank you for your feedback in this review. Responses inline as to how
> > I propose it is addressed:
> >
> > On Sat, Apr 13, 2019 at 12:16 AM Martin Thomson <mt@lowentropy.net>
> wrote:
> > > Section 1.1 doesn't say *how* those listed documents are updated.
> Might pay to include a few works on how.
> >
> > Thank you, that was helpful feedback. I changed the introduction text
> > as follows:
> > OLD:
> > This document updates these RFCs that normatively reference TLSv1.0 or
> > TLSv1.1 or DTLS1.0 and have not been obsoleted.
> > NEW:
> >  This document updates the following RFCs that normatively reference
> > TLSv1.0 or TLSv1.1 or DTLS1.0. The update is to obsolete usage of these
> > older versions. Fallback to these versions are prohibited through this
> > update.
> >
> > >  Section 2 can be cut down a lot. The quote from another document is
> longer than the rest of the text. In many ways, saying that the IETF is
> moving last is not a great thing to memorialize in RFC, as much as it is
> useful in an Internet-Draft or in argumentation in support of publication
> of the doc.
> >
> > A bunch has been cut out already, but I propose also cutting out the
> > following text to address your specific point (well taken):
> > 1st paragraph and last 2.
> >
> > REMOVE:
> >  Industry has actively followed guidance provided by NIST and the PCI
> >  Council to deprecate TLSv1.0 and TLSv1.1 by June 30, 2018. TLSv1.2
> >  should remain a minimum baseline for TLS support at this time.
> >
> >  The Canadian government treasury board have also mandated that these
> >  old versions of TLS not be used.
> >
> >  Various companies and web sites have announced plans to deprecate
> >  these old versions of TLS.
> >
> >
> > >  The title of Section 3 could be a bit clearer.
> > Proposed:
> > SHA-1 Usage Problematic in TLSv1.0 and TLSv1.1
> >
> > If you have a more terse suggestion, please post. I agree this should
> > be more clear.
> > >
> > >  It might pay to explain what RFC 7525 is in Section 6. Why does that
> document warrant special attention over the 70-odd other ones.
> >
> > Good point, how about the following text:
> >
> > PROPOSED:
> > RFC7525 is BCP195, "Recommendations for Secure Use of Transport Layer
> > Security (TLS) and Datagram Transport Layer Security (DTLS)", is the
> > mpost recent best practice document for implementing TLS and was based
> > off of TLSv1.2. At the time of publication, TLSv1.0 and TLSv1.1 had not
> > yet been deprecated. As such, this document is called out specifically
> > to update text implementing the deprecation recommendations of this
> > document.
> >
> > >
> > >  Otherwise, publish this.
> >
> > Thank you!
> >
> > I'll continue through the rest of the messages, but may have a delay
> > when tending to other responsibilities.
> > I am putting the proposals into a new version to upload to the git
> > repository.
> >
> > Best regards,
> > Kathleen
> >
> > >
> > >
> > >
> > >  On Sat, Apr 13, 2019, at 09:28, Christopher Wood wrote:
> > >  > This is the working group last call for the "Deprecating TLSv1.0
> and
> > >  > TLSv1.1” draft available at:
> > >  >
> > >  >
> https://datatracker.ietf.org/doc/draft-ietf-tls-oldversions-deprecate/
> > >  >
> > >  > Please review the document and send your comments to the list by
> April 26, 2019.
> > >  >
> > >  > Thanks,
> > >  > Chris, Joe, and Sean
> > >  >
> > >  > _______________________________________________
> > >  > TLS mailing list
> > >  > TLS@ietf.org
> > >  > https://www.ietf.org/mailman/listinfo/tls
> > >  >
> > >
> > >  _______________________________________________
> > >  TLS mailing list
> > > TLS@ietf.org
> > > https://www.ietf.org/mailman/listinfo/tls
> >
> >
> > --
> >
> > Best regards,
> > Kathleen
>


-- 

Best regards,
Kathleen