Re: [TLS] WGLC for "Deprecating TLSv1.0 and TLSv1.1"

Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com> Thu, 02 May 2019 15:12 UTC

Return-Path: <kathleen.moriarty.ietf@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 94C491203E2 for <tls@ietfa.amsl.com>; Thu, 2 May 2019 08:12:45 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level:
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mgAjFzQ_sHWR for <tls@ietfa.amsl.com>; Thu, 2 May 2019 08:12:43 -0700 (PDT)
Received: from mail-oi1-x22b.google.com (mail-oi1-x22b.google.com [IPv6:2607:f8b0:4864:20::22b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9ED5E1203C2 for <tls@ietf.org>; Thu, 2 May 2019 08:12:30 -0700 (PDT)
Received: by mail-oi1-x22b.google.com with SMTP id l203so1982612oia.3 for <tls@ietf.org>; Thu, 02 May 2019 08:12:30 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=ThkRZwZCtrlqD/BvAIc7SUxgFLDnOygLI0t9IBXf0W8=; b=toyMCLhJjm6EhSXMcr2V6EdbckKGSS6SsbeynkV9R+oeK7ETWh17JfDDIgfMLO8EPd /1XhTyrZwvX1Fudddimn1WX/TN9WCNdo4NEv3rX0iCHRXYFPce5WHOg2UbDD1nX6U3Zq PCSRBs4C/Xjzm2WdvOmLYZlLmV6gojRwKfJ5l+Ml20aoKoVRxJu10qnn5blj/6k5M4wi Jdgh7XAufxZVSo68ZS9QTfD5mbNtDSltrVO1OKo3IqF1EkOT0LaaAUUkoQ16avehYs5/ vwJNsb2DTvauMJ9le3IWw0b2D8ZJoJqlQMnlTYjisOv7B9akpvM9ROArNGeLMJZDiNtL Wzdg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=ThkRZwZCtrlqD/BvAIc7SUxgFLDnOygLI0t9IBXf0W8=; b=h3TavZbHjA/O6V3D2dEhrOrBSq5ocl9ae9owof3gmLrIb+pspjUU7adykI2bi4+38v OkBW8g/NwtNC/Zp8klI2s331FBrcHSg7w5T5ye1W4LqY1y2w/4fF2k89AYgp82Jjcemo kRbT9gvpjW1TFv5E+1in84T0dMK17fcAhaoMUedbQVNOBo/ol7E9Z+TZl72BOAkAlAdW uJBAJ8wCFTnccPcJzHXxC0Lh/5k6n1fgxxcbkL+rTUgRyIC2D9F465kB5juysYgW2WtU 7aRLYLfdV0jB4naHNgmpruRHNQ3j8cvN2lWfOh9kOFVcVHBreEsouD+0ItaNR+JszmCd O7/g==
X-Gm-Message-State: APjAAAXsb8hQ4L+XU7+yAtH+0TZsTY/tRiv3x/Sy4Rv8ElIukMYNBdmf 5A48LXaz824tvzGtiEcUNd2Pn9O4aIlNI0x0XnU=
X-Google-Smtp-Source: APXvYqz1Fn37VT5sxRHUX4KnN2boF3H3sPpSoiMOTxYXJbRRI/LCUTynEiDsQ8nDzEqFUJn77p2OhErKMvCS9rw/5gc=
X-Received: by 2002:aca:b156:: with SMTP id a83mr2549505oif.119.1556809949942; Thu, 02 May 2019 08:12:29 -0700 (PDT)
MIME-Version: 1.0
References: <28511b10-8f6a-4394-95a9-5188130f7b58@www.fastmail.com> <4d34a22a-3d77-4fe8-9c8e-e2128a7a80f8@www.fastmail.com>
In-Reply-To: <4d34a22a-3d77-4fe8-9c8e-e2128a7a80f8@www.fastmail.com>
From: Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>
Date: Thu, 2 May 2019 11:11:53 -0400
Message-ID: <CAHbuEH5S+xdHTQBRDtNZFaNoqhBxm6f75N=piGWk_ZERQqp6gg@mail.gmail.com>
To: Martin Thomson <mt@lowentropy.net>
Cc: "<tls@ietf.org>" <tls@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000000c992d0587e91005"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/90iTmi1gEM0uI3QTzTduHR8HY8U>
Subject: Re: [TLS] WGLC for "Deprecating TLSv1.0 and TLSv1.1"
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 02 May 2019 15:12:46 -0000

Thank you for your feedback in this review.  Responses inline as to how I
propose it is addressed:

On Sat, Apr 13, 2019 at 12:16 AM Martin Thomson <mt@lowentropy.net> wrote:

> Section 1.1 doesn't say *how* those listed documents are updated.  Might
> pay to include a few works on how.
>

Thank you, that was helpful feedback.  I changed the introduction text as
follows:
OLD:
This document updates these RFCs that normatively reference TLSv1.0 or
TLSv1.1 or DTLS1.0 and have not been obsoleted.
NEW:
 This document updates the following RFCs that normatively reference
TLSv1.0 or TLSv1.1 or DTLS1.0. The update is to obsolete usage of these
older versions. Fallback to these versions are prohibited through this
update.

Section 2 can be cut down a lot.  The quote from another document is longer
> than the rest of the text.  In many ways, saying that the IETF is moving
> last is not a great thing to memorialize in RFC, as much as it is useful in
> an Internet-Draft or in argumentation in support of publication of the doc.
>

A bunch has been cut out already, but I propose also cutting out the
following text to address your specific point (well taken):
1st paragraph and last 2.

REMOVE:
      Industry has actively followed guidance provided by NIST and the PCI
      Council to deprecate TLSv1.0 and TLSv1.1 by June 30, 2018. TLSv1.2
      should remain a minimum baseline for TLS support at this time.

      The Canadian government treasury board have also mandated that these
      old versions of TLS not be used.

      Various companies and web sites have announced plans to deprecate
      these old versions of TLS.


The title of Section 3 could be a bit clearer.
>
Proposed:
SHA-1 Usage Problematic in TLSv1.0 and TLSv1.1

If you have a more terse suggestion, please post.  I agree this should be
more clear.


>
> It might pay to explain what RFC 7525 is in Section 6.  Why does that
> document warrant special attention over the 70-odd other ones.
>

Good point, how about the following text:

PROPOSED:
RFC7525 is BCP195, "Recommendations for Secure Use of Transport Layer
Security (TLS) and Datagram Transport Layer Security (DTLS)", is the mpost
recent best practice document for implementing TLS and was based off of
TLSv1.2. At the time of publication, TLSv1.0 and TLSv1.1 had not yet been
deprecated. As such, this document is called out specifically to update
text implementing the deprecation recommendations of this document.


> Otherwise, publish this.
>

Thank you!

I'll continue through the rest of the messages, but may have a delay when
tending to other responsibilities.
I am putting the proposals into a new version to upload to the git
repository.

Best regards,
Kathleen


>
>
> On Sat, Apr 13, 2019, at 09:28, Christopher Wood wrote:
> > This is the working group last call for the "Deprecating TLSv1.0 and
> > TLSv1.1” draft available at:
> >
> >
> https://datatracker.ietf.org/doc/draft-ietf-tls-oldversions-deprecate/
> >
> > Please review the document and send your comments to the list by April
> 26, 2019.
> >
> > Thanks,
> > Chris, Joe, and Sean
> >
> > _______________________________________________
> > TLS mailing list
> > TLS@ietf.org
> > https://www.ietf.org/mailman/listinfo/tls
> >
>
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls
>


-- 

Best regards,
Kathleen