Re: [TLS] [Last-Call] Last Call: <draft-ietf-tls-oldversions-deprecate-09.txt> (Deprecating TLSv1.0 and TLSv1.1) to Best Current Practice

Nick Hilliard <nick@foobar.org> Sat, 05 December 2020 11:05 UTC

To: Ted Lemon <mellon@fugue.com>
Cc: "Ackermann, Michael" <MAckermann@bcbsm.com>, last-call@ietf.org, tls@ietf.org
References: <251c6be9-ce1b-b358-0c72-03a61db5a60d@foobar.org> <05935A0A-B503-4C77-9AB0-F82B333C7168@fugue.com>
From: Nick Hilliard <nick@foobar.org>
Message-ID: <a76f1d07-32ce-fcb9-3e79-fee77a6c57de@foobar.org>
Date: Sat, 5 Dec 2020 11:05:22 +0000
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/Bj82iIaoy2u42YxRRURn7MSd4kg>

Ted Lemon wrote on 05/12/2020 01:32:
> Of course no product has infinite lifetime, but lots of IoT stuff is
> expected to be in the walls for 30 years. Radiology equipment lasts
> decades. Etc.
Yip, this is one of the reasons that medical and other certified
equipment (e.g. military, industrial, etc) is so expensive to start 
with: there's an expectation of long life and an understanding that this 
is reflected in either the up-front cost or ongoing support / 
maintenance costs.  For the bulk-produced consumer-oriented product 
market, people are not prepared to pay and in any event it's usually 
cheaper to replace equipment than repair or maintain properly - and 
that's even if the product is still relevant.  Who still uses their USR 
Sportster?  Or even their 802.11b wifi access point?  In 10 years' time,
there will be

> It’s really natural to think of stuff you buy as being stable and
> solid, but when there’s software in it, this cognitive bias requires
> serious systems thinking to avoid.

This is only part of a much larger issue relating to the speed of 
technical innovation and separately, consumerism.

What's relevant to the IETF is that it needs to make sound technical 
recommendations about the usability and appropriateness of standards. 
If organisations choose not to keep supporting some or all of their 
product lines, this shouldn't impact the IETF's ability to do its job.

Nick