Re: [TLS] AD review of draft-ietf-tls-oldversions-deprecate-06

Michael D'Errico <mike-list@pobox.com> Tue, 13 October 2020 20:01 UTC

Date: Tue, 13 Oct 2020 15:59:27 -0400
From: Michael D'Errico <mike-list@pobox.com>
To: TLS List <tls@ietf.org>
Cc: draft-ietf-tls-oldversions-deprecate.all@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/BRJM2G-7rUuIhNUSMqExYzNiAUE>
Subject: Re: [TLS] AD review of draft-ietf-tls-oldversions-deprecate-06

> Saying that it's your preference without saying why is likely
> to have little effect, yes.  (We endeavor to make decisions
> based on technical merit, not voting, after all.)  Why do you
> want this?

Hi,

I think the advice should be: "If your code currently
only supports TLS 1.0, please spend a week or two
adding support for both TLS 1.1 and the downgrade
protection SCSV."

Since the vast majority of the 1.0 and 1.1 specifications
is the same, someone who takes the advice has a
good chance of succeeding.

(You could then also say which other extensions are
important and why, roughly in order of importance.)

Recommending that people wholesale abandon
their legacy system and implement TLS (1.2 and)
1.3 is asking too much, and will largely be ignored
by the people who would be able to add 1.1 to their
1.0 code.

I understand that we don't vote here.

Mike


On Tue, Oct 13, 2020, at 15:15, Benjamin Kaduk wrote:
> Hi Mike,
> 
> On Tue, Oct 13, 2020 at 03:09:15PM -0400, Michael D'Errico wrote:
> > I know that saying this will have no effect, but I'd
> > rather see deprecation of just TLS 1.0 and retain
> > version 1.1 as not recommended.
> 
> Saying that it's your preference without saying why is likely to have
> little effect, yes.  (We endeavor to make decisions based on technical
> merit, not voting, after all.)  Why do you want this?  TLS 1.1 seems to
> have minimal usage (less even than 1.0) and is much closer to 1.0 than 1.2
> (let alone 1.3) in terms of design and safety.
> 
> > Also, we should not abandon RFC 7507 (downgrade
> > protection SCSV).  What harm is there in keeping it
> > around?  None.
> 
> I don't expect implementations to abandon SCSV any faster than they abandon
> TLS 1.0 or 1.1.  But if the official advice is that 1.0 and 1.1 are
> obsolete, then the official advice should also be that SCSV is obsolete --
> its function is performed in a different way by the newer versions of TLS.
> 
> -Ben
>
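The two downgrade-protection mechanisms the exchange contrasts, RFC 7507's TLS_FALLBACK_SCSV and the ServerHello.random sentinel that TLS 1.3 (RFC 8446, section 4.1.3) uses instead, reduced to their decision rules in Python. This is an added example, not code from the thread or from any TLS implementation; the function names and the 32-byte random value are constructed for illustration, and the negotiated version is passed in as a plain integer rather than parsed from the handshake.

```python
# Added example (not from the thread): the decision logic of the two
# downgrade-protection mechanisms discussed above.
#
# RFC 7507: a client retrying with a lower version appends the
# TLS_FALLBACK_SCSV pseudo cipher suite; a server that could have done a
# higher version than ClientHello.client_version MUST abort with a fatal
# inappropriate_fallback alert.
#
# RFC 8446 4.1.3: a TLS 1.3 server that negotiates 1.2 or lower writes a
# fixed sentinel into the last 8 bytes of ServerHello.random; a client
# that offered a higher version treats the sentinel as a downgrade.

TLS_FALLBACK_SCSV = 0x5600                       # {0x56, 0x00}
TLS10, TLS11, TLS12, TLS13 = 0x0301, 0x0302, 0x0303, 0x0304

DOWNGRADE_TLS12 = bytes.fromhex("444F574E47524401")  # "DOWNGRD\x01"
DOWNGRADE_TLS11 = bytes.fromhex("444F574E47524400")  # "DOWNGRD\x00"


def scsv_server_check(client_version, cipher_suites, server_max_version):
    """RFC 7507 server rule. Returns the alert name to send, or None to
    continue the handshake."""
    if TLS_FALLBACK_SCSV in cipher_suites and server_max_version > client_version:
        return "inappropriate_fallback"
    return None


def server_random_for(negotiated_version, random32):
    """RFC 8446 server rule: a 1.3-capable server replaces the last 8 of
    its 32 random bytes with the sentinel when negotiating an older version."""
    if negotiated_version == TLS12:
        return random32[:24] + DOWNGRADE_TLS12
    if negotiated_version <= TLS11:
        return random32[:24] + DOWNGRADE_TLS11
    return random32


def client_detects_downgrade(offered_max, negotiated_version, server_random):
    """RFC 8446 client rule. A 1.3 client seeing 1.2 or lower rejects either
    sentinel; a 1.2 client seeing 1.1 or lower rejects the second one."""
    tail = server_random[24:]
    if offered_max >= TLS13 and negotiated_version <= TLS12:
        return tail in (DOWNGRADE_TLS12, DOWNGRADE_TLS11)
    if offered_max >= TLS12 and negotiated_version <= TLS11:
        return tail == DOWNGRADE_TLS11
    return False
```

The SCSV check lives on the server and needs the client to remember that it is retrying; the sentinel check lives on the client and needs no retry state, which is what makes it the replacement Ben describes.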