IETF Logo Mail Archive

Re: [TLS] [Last-Call] Last Call: <draft-ietf-tls-oldversions-deprecate-09.txt> (Deprecating TLSv1.0 and TLSv1.1) to Best Current Practice

Ted Lemon <mellon@fugue.com> Fri, 04 December 2020 22:48 UTC

Return-Path: <mellon@fugue.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D4E7F3A1016 for <tls@ietfa.amsl.com>; Fri, 4 Dec 2020 14:48:01 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.887
X-Spam-Level:
X-Spam-Status: No, score=-1.887 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, T_SPF_TEMPERROR=0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=fugue-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id tu1sJLp841PB for <tls@ietfa.amsl.com>; Fri, 4 Dec 2020 14:47:59 -0800 (PST)
Received: from mail-qk1-x72d.google.com (mail-qk1-x72d.google.com [IPv6:2607:f8b0:4864:20::72d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B3AFC3A1045 for <tls@ietf.org>; Fri, 4 Dec 2020 14:47:59 -0800 (PST)
Received: by mail-qk1-x72d.google.com with SMTP id z188so7070165qke.9 for <tls@ietf.org>; Fri, 04 Dec 2020 14:47:59 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=fugue-com.20150623.gappssmtp.com; s=20150623; h=from:message-id:mime-version:subject:date:in-reply-to:cc:to :references; bh=4uA+w/KEMnM4Pm0ocxSp0Wf8nxl9hnr8VGg2A8uH9gs=; b=XsMBqvbt1NLScDQnEW1AIXYhTsv1IsCguTSozmjBcmr37zmZ7MQnrqVVpjGMmUO5OP WOVQaCC4yxgMIfE3aO85kbzTdnCPXiviZbqqpm0Cqo6QiLDADfhJVkTcXzx6J01c3vwv 2F37TdztV+EP3KhB835L+akDcsi3fVd0T37hf+6H9m9H4RezSQqyb5h01RqaAPTPvKD/ so/2QnWC2jKwkXQg6SKfEHpyB0FTRsFcfEr8DeKaFcJSRhKBZWRx8q0OxYO+81OtxyWi iNqZrRwiy52cY2MZQQhROLsWFkxpApdx3bl8XBa993ZXdcUvh8VFJh3mFC0iRcnVXg1E q99g==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:message-id:mime-version:subject:date :in-reply-to:cc:to:references; bh=4uA+w/KEMnM4Pm0ocxSp0Wf8nxl9hnr8VGg2A8uH9gs=; b=gcS2Uxi7jQ0eanZuPsMd3rpWuwSXD0hvRelYZzSINYVa76n8dV80fTyQJRiCMsgcSm zRexjeRBKN6HbKpSGoQuX7j7MhTDLotP1wRtcfi8Grn1fKsezHHijEOVoy+gk0ZNDhk6 chhvhURW5dhTaiD47tIVRx6pjPcEHVBYA2IDhn1wXYuSe3gltzCshxwF8apOkivUjJIe x49GwaGS/dY7WGLSiQCkDwlZsPt7fllxr8w8eoHSaBW07seQThuvwaIoVKd1hPo09i7J p4UGNUsx0IhSAO+o/57AYCKMedBNWhwJo4UTxPgjvR8nYKxiAnlet4dsls9rOdfZzw/h ak2A==
X-Gm-Message-State: AOAM533OePXOPbs5f5YWeNC0akHWodZubA7QN7YKlq7gWXhADVSIsZjM uox55OGXbJZ8Q2Xye9KR2iJvZLpua/vlw4v6
X-Google-Smtp-Source: ABdhPJz21ap3xyqpXG6A44i8pjFjbeP2rKGikrLuGKNWDPJB/ANSuvO/x7QwFH+hikRKQO/Ld5vWiw==
X-Received: by 2002:a37:4c4a:: with SMTP id z71mr12108350qka.2.1607122078220; Fri, 04 Dec 2020 14:47:58 -0800 (PST)
Received: from mithrandir.lan (c-24-91-177-160.hsd1.nh.comcast.net. [24.91.177.160]) by smtp.gmail.com with ESMTPSA id u20sm5960993qtw.88.2020.12.04.14.47.57 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Fri, 04 Dec 2020 14:47:57 -0800 (PST)
From: Ted Lemon <mellon@fugue.com>
Message-Id: <77363965-99A5-4790-B40B-011827C8D113@fugue.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_F62323FD-F9DB-4064-876E-001F0EB0AD5E"
Mime-Version: 1.0 (Mac OS X Mail 14.0 \(3654.40.0.2.32\))
Date: Fri, 4 Dec 2020 17:47:54 -0500
In-Reply-To: <DM6PR14MB317817FD62369A8E0FF93CA8D7F10@DM6PR14MB3178.namprd14.prod.outlook.com>
Cc: "last-call@ietf.org" <last-call@ietf.org>, "tls@ietf.org" <tls@ietf.org>
To: "Ackermann, Michael" <MAckermann@bcbsm.com>
References: <160496076356.8063.5138064792555453422@ietfa.amsl.com> <SN6PR02MB4512B95842251AE4C04B199CC3F30@SN6PR02MB4512.namprd02.prod.outlook.com> <BYAPR14MB31765FD24F4DFD90F81AEE2BD7F30@BYAPR14MB3176.namprd14.prod.outlook.com> <SN6PR02MB4512CBA9E4BF6AAC778BC674C3F30@SN6PR02MB4512.namprd02.prod.outlook.com> <DM6PR14MB31789349B737961728B7691ED7F30@DM6PR14MB3178.namprd14.prod.outlook.com> <CACsn0ckvoqZ5-JPRkOXp2Mw2zeTOdyCYLvX1NV1waJ-yidTwMQ@mail.gmail.com> <SN6PR02MB45129E647485BA5794D5CF4EC3F20@SN6PR02MB4512.namprd02.prod.outlook.com> <MWHPR02MB2464CD5D5B7568E9EAC58B26D6F20@MWHPR02MB2464.namprd02.prod.outlook.com> <DM6PR14MB3178EC0521427BF7C3523CACD7F10@DM6PR14MB3178.namprd14.prod.outlook.com> <CAChr6SzvQK+exfgYEwfVNknMjr-Y-UJ4A7k0DkOkL9wmLQ84aQ@mail.gmail.com> <MWHPR02MB246499F35613820D45EB55AAD6F10@MWHPR02MB2464.namprd02.prod.outlook.com> <DM6PR14MB3178A0C152A746E41C6A01C6D7F10@DM6PR14MB3178.namprd14.prod.outlook.com> <f8486514-9726-68d0-2bc8-dccd4293017e@cs.tcd.ie> <DM6PR14MB317843CA2B3D67F6660F4F0DD7F10@DM6PR14MB3178.namprd14.prod.outlook.com> <127BB8C9-679E-48C1-8617-C6092AEE9914@fugue.com> <DM6PR14MB3178C1F8B6E4FD6E9FD9C8C4D7F10@DM6PR14MB3178.namprd14.prod.outlook.com> <8E6EB6FF-E83B-44B5-A0A2-7499678DC6B6@fugue.com> <DM6PR14MB317817FD62369A8E0FF93CA8D7F10@DM6PR14MB3178.namprd14.prod.outlook.com>
X-Mailer: Apple Mail (2.3654.40.0.2.32)
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/9KdQREmByDjHa2nLv4KYHLJHO9M>
Subject: Re: [TLS] [Last-Call] Last Call: <draft-ietf-tls-oldversions-deprecate-09.txt> (Deprecating TLSv1.0 and TLSv1.1) to Best Current Practice
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 04 Dec 2020 22:48:09 -0000

On Dec 4, 2020, at 5:29 PM, Ackermann, Michael <MAckermann@bcbsm.com> wrote:
> Regards to the 12 years vs 1-2.    12 years is probably too long for just about anything, once it is determined to be a business need.   But that is the key first step.   Then it will likely be a minimum of 1-2 years to get the identified need in the budget and then into planning cycles and actual project plans.      For example, if you tell me to do a major conversion right now,  it is tool late at this point for me to even request that for the 2021 budget.    I could request this in 2021, for the 2022 budget.   Hence the typical minimum 1-2 years. 

But isn’t this the crux of the matter? How do we get to a place where when a new version of the protocol comes out, the planning starts? Should the IETF have deprecated TLS 1.1 in 2008? That would certainly have given you more lead time! I suspect there’s a happy medium.

Why do people buy stuff that’s not upgradeable? Probably because the manufacturer doesn’t give them a choice, and there’s no way to force the choice. The recent discussions about legally requiring firmware-upgradeable IoT devices (e.g. in Singapore) is definitely a step in the right direction. For medical devices and medical infrastructure, this should have been required, but as far as I know still is not.

I realize that this isn’t your specific problem, but it’s the one that really worries me.

v2.2.0 | Report a Bug | By Email