Re: [TLS] [Last-Call] Last Call: <draft-ietf-tls-oldversions-deprecate-09.txt> (Deprecating TLSv1.0 and TLSv1.1) to Best Current Practice

Gary Gapinski <ietf@garygapinski.com> Thu, 03 December 2020 02:33 UTC

Return-Path: <ietf@garygapinski.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AE7633A08A9 for <tls@ietfa.amsl.com>; Wed, 2 Dec 2020 18:33:45 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, NICE_REPLY_A=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=unavailable autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id d64Z7H7lZSdm for <tls@ietfa.amsl.com>; Wed, 2 Dec 2020 18:33:44 -0800 (PST)
Received: from server276.com (ns2.server276.com [192.252.145.26]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D788B3A08BB for <tls@ietf.org>; Wed, 2 Dec 2020 18:33:43 -0800 (PST)
Received: (qmail 25207 invoked by uid 503); 3 Dec 2020 02:33:41 -0000
Received: from unknown (HELO nuc7i7bnh.650ncr.com) (gary@garygapinski.com@204.209.68.3) by server276.com with ESMTPA; 3 Dec 2020 02:33:41 -0000
To: "Ackermann, Michael" <MAckermann@bcbsm.com>, "STARK, BARBARA H" <bs7652@att.com>, 'Eliot Lear' <lear=40cisco.com@dmarc.ietf.org>, 'Peter Gutmann' <pgut001@cs.auckland.ac.nz>
Cc: "'draft-ietf-tls-oldversions-deprecate@ietf.org'" <draft-ietf-tls-oldversions-deprecate@ietf.org>, "'last-call@ietf.org'" <last-call@ietf.org>, "'tls@ietf.org'" <tls@ietf.org>, "'tls-chairs@ietf.org'" <tls-chairs@ietf.org>
References: <160496076356.8063.5138064792555453422@ietfa.amsl.com> <49d045a3-db46-3250-9587-c4680ba386ed@network-heretics.com> <b5314e17-645a-22ea-3ce9-78f208630ae1@cs.tcd.ie> <1606782600388.62069@cs.auckland.ac.nz> <0b72b2aa-73b6-1916-87be-d83e9d0ebd09@cs.tcd.ie> <1606814941532.76373@cs.auckland.ac.nz> <36C74BF4-FF8A-4E79-B4C8-8A03BEE94FCE@cisco.com> <SN6PR02MB4512D55EC7F4EB00F5338631C3F40@SN6PR02MB4512.namprd02.prod.outlook.com> <1606905858825.10547@cs.auckland.ac.nz> <EEFAB41B-1307-4596-8A2E-11BF8C1A2330@cisco.com> <BYAPR14MB31763782200348F502A70DA4D7F30@BYAPR14MB3176.namprd14.prod.outlook.com> <SN6PR02MB4512B95842251AE4C04B199CC3F30@SN6PR02MB4512.namprd02.prod.outlook.com> <BYAPR14MB31765FD24F4DFD90F81AEE2BD7F30@BYAPR14MB3176.namprd14.prod.outlook.com> <SN6PR02MB4512CBA9E4BF6AAC778BC674C3F30@SN6PR02MB4512.namprd02.prod.outlook.com> <DM6PR14MB31789349B737961728B7691ED7F30@DM6PR14MB3178.namprd14.prod.outlook.com>
From: Gary Gapinski <ietf@garygapinski.com>
Message-ID: <9b669e76-2dbc-72d3-7c9a-81d34b6837b0@garygapinski.com>
Date: Wed, 02 Dec 2020 21:33:01 -0500
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.10.0
MIME-Version: 1.0
In-Reply-To: <DM6PR14MB31789349B737961728B7691ED7F30@DM6PR14MB3178.namprd14.prod.outlook.com>
Content-Type: multipart/alternative; boundary="------------08A217B0A05FB41F9728AC8A"
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/8NzisyFZn1mQB4HjeRQQPkIAKAc>
Subject: Re: [TLS] [Last-Call] Last Call: <draft-ietf-tls-oldversions-deprecate-09.txt> (Deprecating TLSv1.0 and TLSv1.1) to Best Current Practice
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 03 Dec 2020 02:33:46 -0000

On 12/2/20 6:00 PM, Ackermann, Michael wrote:
> I don't disagree with anything you say on the TLS subject,  which is essentially that prior versions of TLS may be considered insecure, etc.  and should be deprecated.....

RFC 2119 equates, semantically, at least in English, MUST NOT with 
prohibition (_not_ deprecation).

draft-ietf-tls-oldversions-deprecate-09.txt uses MUST NOT in §4 and §5.

It does use the term "Deprecation": prominently, and likely inadvisedly, 
in §2. Re-worded, the title of §2 should be "Support for Prohibition" 
(particularly as its prior sibling is §1.2 "Terminology", which is 
inescapable boiler-plate and likely is invisible to any RFC readers).

I cannot resist citing H. L. Mencken's definition of Puritanism here.

> My associated point is that Enterprises are generally not aware of this and that it is not currently on our Planning or Budget Radars.

Perhaps such lack of awareness could be considered as the difference 
between (Aquinian) vincible and invincible ignorance.

Whether such is a mortal or venial sin, or no sin at all, could be 
considered in light of risk evaluation and management. Or one's 
tolerance for the wages of sin. Steely determination for continued use 
of flawed protocols can be admired while simultaneously lamented.

In other words, is a _prohibition_ (à la, e.g., PCI DSS) of TLS versions 
prior to TLS 1.2 (and prior to 1.3 for that matter) sufficient to demand 
upside-down crucifixion for failure to comply, or something more 
family-oriented. In either case, perhaps an appendix expressing the 
tension between prohibition and tolerance might suffice, rather than 
watering down §4 and §5. But such an appendix would be necessary in any 
normative RFC, so, in my opinion, the draft can be published without 
such an appendix.