Re: [TLS] Fwd: New Version Notification for draft-moriarty-tls-oldversions-diediedie-00.txt

Artyom Gavrichenkov <ximaera@gmail.com> Sun, 19 August 2018 21:23 UTC

Return-Path: <ximaera@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3D559130EB0 for <tls@ietfa.amsl.com>; Sun, 19 Aug 2018 14:23:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5w7B9wkux3AR for <tls@ietfa.amsl.com>; Sun, 19 Aug 2018 14:23:12 -0700 (PDT)
Received: from mail-yw1-xc31.google.com (mail-yw1-xc31.google.com [IPv6:2607:f8b0:4864:20::c31]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0D792130E32 for <tls@ietf.org>; Sun, 19 Aug 2018 14:23:12 -0700 (PDT)
Received: by mail-yw1-xc31.google.com with SMTP id r3-v6so6177765ywc.5 for <tls@ietf.org>; Sun, 19 Aug 2018 14:23:12 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc:content-transfer-encoding; bh=Xx12cEiGYUYK+7+HRIMBo50t1L+f8B8SI0e0Xj+68ks=; b=ECV4b2E4SRCc1xk7vAlITCSO6oefh75Xf6RwpK48kgTcnYR3i5XEYNui7Z2AJuXqRL e9t+2i0DQaikGFBJq4FQNwLq0IF726wxltHYDIib4ht/kv6gaPAX7u26PA1n6nAH2N3L QoGq0ux3XSu7W65ClStvfU3U7Z0VSPusrDBhBzFFIE+R2poEckHI90//p2pIGZZLiGt+ RpqucsdhribRXBnQbnmGU+GVv6AOkf2cQnNPeGx99iw4ZTbUOQ99bRqFFH9IvSY6xtY+ L+r/459LueOM3mht/NO6573q9eDEkzEXj69s1gQgHPXswSGPCfcvgBj9Y9Ge+rZkSIYj VdTw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc:content-transfer-encoding; bh=Xx12cEiGYUYK+7+HRIMBo50t1L+f8B8SI0e0Xj+68ks=; b=UPz9IPV+T95ddoNFcTav+nVj9F1xSrx8nrQJZSDOsPfQYJ2GyLl8dP9JUlNiuqLiKR Gybpfpohh8UCgVprfnB+rOmxjEz2yOZsTX9WS/lless9lSORvwQotin/5Yy6ZArQPO5i gbilLHM8ARlaHYzRJRQyc1aKc1l9JT3U+D0cBMLDcDDZLCt7F3Oa+eL0pQoFY0vClk44 guVE96rXNIIUZmh37KgJrZOiYIxpBJ1C+LhrUSnS67B88uwlxXUvlCzw/ftmY8Hm+YaT nWU5dx6ViCB80+ay59APZMILYyzqEvTfuSbTKe6yc7L1O8mccYUKdDEm0QnBClrRoUVT OkTw==
X-Gm-Message-State: AOUpUlHMMictgXzQv8Qji+9Lb4UwvGaI9usKaUP4qQOzSsz5aZbx/w/E mkRtyXUpv/Celqhgs6CMf77OB04ni1omnjviZOQ=
X-Google-Smtp-Source: ANB0VdbqBn2+rELDi78Xu0pDg3CnsNwOrFGoxE2UwzxJnBsWqVnNMysH3CTDRuxymx0WQpTGX6kdpo7mDyIcafv0c6s=
X-Received: by 2002:a81:3595:: with SMTP id c143-v6mr1146042ywa.184.1534713790983; Sun, 19 Aug 2018 14:23:10 -0700 (PDT)
MIME-Version: 1.0
References: <152934875755.3094.4484881874912460528.idtracker@ietfa.amsl.com> <CAHbuEH5J-F2cKag02Vx416jsy1N6XZOju28H99WAt71Pc5optg@mail.gmail.com> <CALZ3u+Y0pcfbM3+jLSAsux9NpKgAKeYfV8p282jnpAgobBbSLw@mail.gmail.com> <84460734-cfd5-e66e-f242-e72b10589d56@cs.tcd.ie>
In-Reply-To: <84460734-cfd5-e66e-f242-e72b10589d56@cs.tcd.ie>
From: Artyom Gavrichenkov <ximaera@gmail.com>
Date: Mon, 20 Aug 2018 00:22:59 +0300
Message-ID: <CALZ3u+a5SPtatPaaoCb5u48cXkK3pvruHPctUEV0Jk8BCr=N6Q@mail.gmail.com>
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Cc: Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>, "<tls@ietf.org>" <tls@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/7YG-eYwnS1gl8WxI50ctkC6oS2Q>
Subject: Re: [TLS] Fwd: New Version Notification for draft-moriarty-tls-oldversions-diediedie-00.txt
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 19 Aug 2018 21:23:16 -0000

Good day!

On Sun, Aug 19, 2018 at 3:01 AM Stephen Farrell
<stephen.farrell@cs.tcd.ie> wrote:
> 1. The bit you quote above is incomplete

Yep, but the rest of the paragraph just outlines *recommendations*
(or, even better, 'encouragements') while the draft states that "PCI
Council [is] deprecating TLSv1.0 and TLSv1.1 by June 30, 2018".

In the PCI world, *deprecation* is commonly thought to be a
*requirement*, not a recommendation. It is *not recommended* to use
TLSv1.1 (and TLSv1.2) already just by virtue of fact that a more
up-to-date spec version exists.

My point here is that this wording is not, strictly speaking, correct
-- so far, as a matter of fact.

(In fact, PCI DSS even still allows usage of SSLv3 under certain
circumstances -- e.g. POS/POI, -- but said circumstances are strict
enough for us to conveniently omit mentioning those).

> 2. Use of TLSv1.1 seems to be almost non-existent. See the figures
> in the -01 draft for some detail [..]

Maybe, but this is irrelevant to the concern I've raised. If you want
PCI SSC to deprecate TLSv1.1 just because enterprise networks are not
using it, the right way to do it is to share the data with the SSC
along with the research methodology and let them decide.

By the way, at least one issue with the research data referred to in
draft-diediedie-01 which I'm aware of is that the researchers were
hunting for open 443/tcp port only, while the enterprises have a
practice to move deprecated services those enterprises somehow cannot
get rid of to different ports, like, 4443, 4433, 8443 and so on.

To make it absolutely clear, I'm not criticizing the methodology now,
however, I just want to raise a concern that if PCI SSC somehow
decided to deprecate v1.0 (far ahead of IETF) but still keep v1.1
then, *maybe*, they had at some point in time a strong reason to do
so. It's entirely fine to ignore their preferences and let PCI SSC
'catch up' without quoting themselves as a reference, or, vice versa,
it's okay to quote the SSC while sticking to their actual suggestions.

Just in case, I'm not in any way against the draft-diediedie. I
support it, which is why I've voted for the WG adoption before posting
this to the mailing list. I'm just a nerd who wants the document to be
consistent for that matter, and that's it.

--
Töma