Re: [TLS] [Last-Call] Last Call: <draft-ietf-tls-oldversions-deprecate-09.txt> (Deprecating TLSv1.0 and TLSv1.1) to Best Current Practice

Ted Lemon <> Fri, 04 December 2020 22:48 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id D4E7F3A1016 for <>; Fri, 4 Dec 2020 14:48:01 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.887
X-Spam-Status: No, score=-1.887 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, T_SPF_TEMPERROR=0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id tu1sJLp841PB for <>; Fri, 4 Dec 2020 14:47:59 -0800 (PST)
Received: from ( [IPv6:2607:f8b0:4864:20::72d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id B3AFC3A1045 for <>; Fri, 4 Dec 2020 14:47:59 -0800 (PST)
Received: by with SMTP id z188so7070165qke.9 for <>; Fri, 04 Dec 2020 14:47:59 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20150623; h=from:message-id:mime-version:subject:date:in-reply-to:cc:to :references; bh=4uA+w/KEMnM4Pm0ocxSp0Wf8nxl9hnr8VGg2A8uH9gs=; b=XsMBqvbt1NLScDQnEW1AIXYhTsv1IsCguTSozmjBcmr37zmZ7MQnrqVVpjGMmUO5OP WOVQaCC4yxgMIfE3aO85kbzTdnCPXiviZbqqpm0Cqo6QiLDADfhJVkTcXzx6J01c3vwv 2F37TdztV+EP3KhB835L+akDcsi3fVd0T37hf+6H9m9H4RezSQqyb5h01RqaAPTPvKD/ so/2QnWC2jKwkXQg6SKfEHpyB0FTRsFcfEr8DeKaFcJSRhKBZWRx8q0OxYO+81OtxyWi iNqZrRwiy52cY2MZQQhROLsWFkxpApdx3bl8XBa993ZXdcUvh8VFJh3mFC0iRcnVXg1E q99g==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:from:message-id:mime-version:subject:date :in-reply-to:cc:to:references; bh=4uA+w/KEMnM4Pm0ocxSp0Wf8nxl9hnr8VGg2A8uH9gs=; b=gcS2Uxi7jQ0eanZuPsMd3rpWuwSXD0hvRelYZzSINYVa76n8dV80fTyQJRiCMsgcSm zRexjeRBKN6HbKpSGoQuX7j7MhTDLotP1wRtcfi8Grn1fKsezHHijEOVoy+gk0ZNDhk6 chhvhURW5dhTaiD47tIVRx6pjPcEHVBYA2IDhn1wXYuSe3gltzCshxwF8apOkivUjJIe x49GwaGS/dY7WGLSiQCkDwlZsPt7fllxr8w8eoHSaBW07seQThuvwaIoVKd1hPo09i7J p4UGNUsx0IhSAO+o/57AYCKMedBNWhwJo4UTxPgjvR8nYKxiAnlet4dsls9rOdfZzw/h ak2A==
X-Gm-Message-State: AOAM533OePXOPbs5f5YWeNC0akHWodZubA7QN7YKlq7gWXhADVSIsZjM uox55OGXbJZ8Q2Xye9KR2iJvZLpua/vlw4v6
X-Google-Smtp-Source: ABdhPJz21ap3xyqpXG6A44i8pjFjbeP2rKGikrLuGKNWDPJB/ANSuvO/x7QwFH+hikRKQO/Ld5vWiw==
X-Received: by 2002:a37:4c4a:: with SMTP id z71mr12108350qka.2.1607122078220; Fri, 04 Dec 2020 14:47:58 -0800 (PST)
Received: from mithrandir.lan ( []) by with ESMTPSA id u20sm5960993qtw.88.2020. (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Fri, 04 Dec 2020 14:47:57 -0800 (PST)
From: Ted Lemon <>
Message-Id: <>
Content-Type: multipart/alternative; boundary="Apple-Mail=_F62323FD-F9DB-4064-876E-001F0EB0AD5E"
Mime-Version: 1.0 (Mac OS X Mail 14.0 \(3654.\))
Date: Fri, 4 Dec 2020 17:47:54 -0500
In-Reply-To: <>
Cc: "" <>, "" <>
To: "Ackermann, Michael" <>
References: <> <> <> <> <> <> <> <> <> <> <> <> <> <> <> <> <> <>
X-Mailer: Apple Mail (2.3654.
Archived-At: <>
Subject: Re: [TLS] [Last-Call] Last Call: <draft-ietf-tls-oldversions-deprecate-09.txt> (Deprecating TLSv1.0 and TLSv1.1) to Best Current Practice
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 04 Dec 2020 22:48:09 -0000

On Dec 4, 2020, at 5:29 PM, Ackermann, Michael <> wrote:
> Regards to the 12 years vs 1-2.    12 years is probably too long for just about anything, once it is determined to be a business need.   But that is the key first step.   Then it will likely be a minimum of 1-2 years to get the identified need in the budget and then into planning cycles and actual project plans.      For example, if you tell me to do a major conversion right now,  it is tool late at this point for me to even request that for the 2021 budget.    I could request this in 2021, for the 2022 budget.   Hence the typical minimum 1-2 years. 

But isn’t this the crux of the matter? How do we get to a place where when a new version of the protocol comes out, the planning starts? Should the IETF have deprecated TLS 1.1 in 2008? That would certainly have given you more lead time! I suspect there’s a happy medium.

Why do people buy stuff that’s not upgradeable? Probably because the manufacturer doesn’t give them a choice, and there’s no way to force the choice. The recent discussions about legally requiring firmware-upgradeable IoT devices (e.g. in Singapore) is definitely a step in the right direction. For medical devices and medical infrastructure, this should have been required, but as far as I know still is not.

I realize that this isn’t your specific problem, but it’s the one that really worries me.