Re: [TLS] Fwd: New Version Notification for draft-moriarty-tls-oldversions-diediedie-00.txt
nalini elkins <nalini.elkins@e-dco.com> Tue, 10 July 2018 03:50 UTC
Return-Path: <nalini.elkins@e-dco.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E886F13110C for <tls@ietfa.amsl.com>; Mon, 9 Jul 2018 20:50:53 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 1.203
X-Spam-Level: *
X-Spam-Status: No, score=1.203 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, HTTPS_HTTP_MISMATCH=1.989, RCVD_IN_DNSWL_NONE=-0.0001, T_DKIMWL_WL_MED=-0.01, URIBL_BLOCKED=0.001, URI_HEX=1.122] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=e-dco-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kOgkKPu0oASB for <tls@ietfa.amsl.com>; Mon, 9 Jul 2018 20:50:51 -0700 (PDT)
Received: from mail-lf0-x244.google.com (mail-lf0-x244.google.com [IPv6:2a00:1450:4010:c07::244]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6309B130EF4 for <tls@ietf.org>; Mon, 9 Jul 2018 20:50:50 -0700 (PDT)
Received: by mail-lf0-x244.google.com with SMTP id v22-v6so3524344lfe.8 for <tls@ietf.org>; Mon, 09 Jul 2018 20:50:50 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=e-dco-com.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=2vIgWT65e/jgJo9SzPMyh7tLVKzQ5kFWfbobNnkPUm0=; b=YSnncr/bqrtBPFeaH8LLeYtkMNw2j7mzR5n1YOIogoAZ5AJUtNhhjwr8GT2dA02knk Kv3ZAeQCl2ajLqdFAxlNf2u5w20o9UYq/99PiYxmplQwwgKpWRh/6pUxUP5m0cykFnp1 /QWHWgnO3pqRlLJgG7s23XYI2XsBLSIVNBIu5vdSK4FTM3dkDZLDZd1isTM1zpPXBiba y5gd98tUrFFvJCTFWJrFsWVDZHTxdAxrZ8q7BrZV1LSh7hLNIY9AFbZu71+HHlF/+yHP VscxQ1SrOBAv9iaBcPizCxT36OZM/AyzGkCfHeslGPek6Ej2vfnLfpVuZO+/hn1GDZC9 h6Qg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=2vIgWT65e/jgJo9SzPMyh7tLVKzQ5kFWfbobNnkPUm0=; b=gTURUf2Y21bcSo9sZrAhc0L7SBr8uI8b7xkfQ43S616S/irgANTL/M4EJ2BKbb74dz 37mA5P4WV021rZRoHGDsCMiFs112KhK0nQco0SmMakNZzmQQmFLgTMfgaUnYycO2vsxz RTYG6zfUtsCakwrj5F63UvqHp+2IqA5sVsyyLTgs9sXOHB4LWpCkLhXrIcFFfNg8wJzR f/6aUM0+9cA66GOHCdX1eMjzQextqC0gYvfE+jwUnwrnAcwfJ2AEz3dHAyIqDu2rmOef STZdRapTVpW2mZtJavgYObMGhN2242DEDOgFLj0GYZt/NsEWyXoGvjrR8//YGbMSNTKG qbNQ==
X-Gm-Message-State: APt69E1kqhaZI/+XD26B/1o12RwpfWlTiYkCwSMPAZ7JCssJsrq70vce JBwU33aWu+rJT+K/9VPMz2hnSNOh9mBDdAerHcCLqA==
X-Google-Smtp-Source: AAOMgpfupoguCIOTKGwy/OjYILA2XouB/YL44XEyEiMKlQpWQXM6Q0/terBa9kfNUKV2O7OFFZbHTE23YPEDk582eYw=
X-Received: by 2002:a19:5a56:: with SMTP id o83-v6mr1275334lfb.50.1531194648438; Mon, 09 Jul 2018 20:50:48 -0700 (PDT)
MIME-Version: 1.0
Received: by 2002:ab3:f8d:0:0:0:0:0 with HTTP; Mon, 9 Jul 2018 20:50:47 -0700 (PDT)
In-Reply-To: <CY4PR21MB0774BE80A4424D41D0C8C4138C440@CY4PR21MB0774.namprd21.prod.outlook.com>
References: <152934875755.3094.4484881874912460528.idtracker@ietfa.amsl.com> <CAHbuEH5J-F2cKag02Vx416jsy1N6XZOju28H99WAt71Pc5optg@mail.gmail.com> <CABcZeBN4RPt_=zu-PTPeaYbQ4KxC8DAf=a7359pZDjYavpxecw@mail.gmail.com> <CABcZeBMzweULuOfxe_Dp7n6M7Lt77_1Qq92=KzfmuBeShUSCDQ@mail.gmail.com> <CY4PR21MB0774BE80A4424D41D0C8C4138C440@CY4PR21MB0774.namprd21.prod.outlook.com>
From: nalini elkins <nalini.elkins@e-dco.com>
Date: Tue, 10 Jul 2018 09:20:47 +0530
Message-ID: <CAPsNn2U-WqPM-Tqun4NQkhy+ctpkdjkXj_dFurChKDB3f=WqRA@mail.gmail.com>
To: Andrei Popov <Andrei.Popov=40microsoft.com@dmarc.ietf.org>
Cc: Eric Rescorla <ekr@rtfm.com>, Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>, "<tls@ietf.org>" <tls@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000001a588505709d0902"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/C6DBF38DMBUk03HF-QQ8YSR0PhE>
Subject: Re: [TLS] Fwd: New Version Notification for draft-moriarty-tls-oldversions-diediedie-00.txt
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 10 Jul 2018 03:50:54 -0000
>On the recent Windows versions, TLS 1.0 is negotiated more than 10% of the time on the client side (this includes non-browser connections from all sorts of apps, some hard-coding TLS versions), and TLS 1.1 accounts for ~0.3% of client >connections. Windows server negotiates TLS 1.0 ~1.5% of the time (all server apps, not just IIS), and the use of TLS 1.1 is negligible. >Therefore, we cannot disable TLS 1.0 by default in Windows just yet, but will keep looking at the telemetry. If PCI/NIST/diediedie RFC make a difference, I’ll be happy to reduce the set of enabled-by-default TLS versions. While I support the move to more secure versions of TLS, I would say that in the U.S. at least, is that people are trying as hard as they can to get current. It is not that easy. My data points are the Fortune 500 and equivalent sized government agencies, including city and county governments, even large school districts such as Los Angeles Unified. For at least the last two to four years, quite a few of the people that I know have been trying to get upgraded to TLS1.2 on their own - with no incentive needed. A while back, I was talking to someone I know about the PCI mandate for June 30th. These guys run quite a large network with millions of clients coming in via business partner and other networks. By the time, they get to his applications, he really has no idea what the actual IP address of the end user is and how to reach out to them to get them to upgrade whatever client software they have that is not current. He has a number of his staff devoted to doing just this. The endpoints are not just running browsers. They may have Telnet, FTP, SMTP, MQSeries or any one of a thousand different applications. Each with their own client software which has to be upgraded individually. Keeping endpoints and applications patched and current takes a huge amount of effort - maybe the bulk of the effort - spent by staff at enterprises. The manager of the above site said to me that he knows the PCI date is June 30 to get off of earlier versions of TLS but he said, "You know, Nalini, we may not make it." Those guys are very smart. I have known them for many years My guess would be that it is in the 10 - 20% range for clients using versions pre-TLS1.2. It would be nice to see some of this reflected in the draft rather than only statistics on browsers. The real usage of these protocols is far more complex. Nalini On Mon, Jul 9, 2018 at 11:30 PM, Andrei Popov < Andrei.Popov=40microsoft.com@dmarc.ietf.org> wrote: > On the recent Windows versions, TLS 1.0 is negotiated more than 10% of the > time on the client side (this includes non-browser connections from all > sorts of apps, some hard-coding TLS versions), and TLS 1.1 accounts for > ~0.3% of client connections. > > Windows server negotiates TLS 1.0 ~1.5% of the time (all server apps, not > just IIS), and the use of TLS 1.1 is negligible. > > > > Therefore, we cannot disable TLS 1.0 by default in Windows just yet, but > will keep looking at the telemetry. If PCI/NIST/diediedie RFC make a > difference, I’ll be happy to reduce the set of enabled-by-default TLS > versions. > > > > Cheers, > > > > Andrei > > > > *From:* TLS <tls-bounces@ietf.org> *On Behalf Of * Eric Rescorla > *Sent:* Monday, July 9, 2018 9:57 AM > *To:* Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com> > *Cc:* <tls@ietf.org> <tls@ietf.org> > *Subject:* Re: [TLS] Fwd: New Version Notification for draft-moriarty-tls- > oldversions-diediedie-00.txt > > > > > > > > On Mon, Jul 9, 2018 at 9:54 AM, Eric Rescorla <ekr@rtfm.com> wrote: > > Thanks for writing this. > > > > I would be in favor of deprecating old versions of TLS prior to 1.2. > Firefox Telemetry shows that about 1% of our connections are TLS 1.1 > > > > This should be 1.0. > > > > > > (on the same data set, TLS 1.3 is > 5%), and TLS 1.1 is negligible. > > > > This is probably a higher number than we'd be comfortable turning off > immediately, but it is probably worth starting the process. > > > > -Ekr > > > > > > On Mon, Jul 9, 2018 at 9:40 AM, Kathleen Moriarty < > kathleen.moriarty.ietf@gmail.com> wrote: > > Hello, > > Stephen and I posted the draft below to see if the TLS working group > is ready to take steps to deprecate TLSv1.0 and TLSv1.1. There has > been a recent drop off in usage for web applications due to the PCI > Council recommendation to move off TLSv1.0, with a recommendation to > go to TLSv1.2 by June 30th. NIST has also been recommending TLSv1.2 > as a baseline. Applications other than those using HTTP may not have > had the same reduction in usage. If you are responsible for services > where you have a reasonable vantage point to gather and share > statistics to assess usage further, that could be helpful for the > discussion. We've received some feedback that has been incorporated > into the working draft and feelers in general have been positive. It > would be good to know if there are any show stoppers that have not > been considered. > > https://github.com/sftcd/tls-oldversions-diediedie > <https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fsftcd%2Ftls-oldversions-diediedie&data=02%7C01%7CAndrei.Popov%40microsoft.com%7C30b7cfd6c111409f442b08d5e5bd3777%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C636667523215001514&sdata=6JSQZe93nWnAELvOgG3KyIcPopQleMDtNF6v8LWFXWU%3D&reserved=0> > > Thanks in advance, > Kathleen > > > ---------- Forwarded message ---------- > From: <internet-drafts@ietf.org> > Date: Mon, Jun 18, 2018 at 3:05 PM > Subject: New Version Notification for > draft-moriarty-tls-oldversions-diediedie-00.txt > To: Stephen Farrell <stephen.farrell@cs.tcd.ie>, Kathleen Moriarty > <Kathleen.Moriarty.ietf@gmail.com> > > > > A new version of I-D, draft-moriarty-tls-oldversions-diediedie-00.txt > has been successfully submitted by Stephen Farrell and posted to the > IETF repository. > > Name: draft-moriarty-tls-oldversions-diediedie > Revision: 00 > Title: Deprecating TLSv1.0 and TLSv1.1 > Document date: 2018-06-18 > Group: Individual Submission > Pages: 10 > URL: > https://www.ietf..org/internet-drafts/draft-moriarty-tls-oldversions- > diediedie-00.txt > <https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.ietf.org%2Finternet-drafts%2Fdraft-moriarty-tls-oldversions-diediedie-00.txt&data=02%7C01%7CAndrei.Popov%40microsoft.com%7C30b7cfd6c111409f442b08d5e5bd3777%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C636667523215011518&sdata=%2BBRGmMbf7r4mXoyWqHmT6kgNjHw7Drh7ldDceG5gqfQ%3D&reserved=0> > Status: > https://datatracker.ietf.org/doc/draft-moriarty-tls-oldversions-diediedie/ > <https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdatatracker.ietf.org%2Fdoc%2Fdraft-moriarty-tls-oldversions-diediedie%2F&data=02%7C01%7CAndrei.Popov%40microsoft.com%7C30b7cfd6c111409f442b08d5e5bd3777%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C636667523215011518&sdata=Qge2nvcx8fz105Uux1rl1eM2yHiI7zbvxA8Pvps10z8%3D&reserved=0> > Htmlized: > https://tools.ietf.org/html/draft-moriarty-tls-oldversions-diediedie-00 > <https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Ftools.ietf.org%2Fhtml%2Fdraft-moriarty-tls-oldversions-diediedie-00&data=02%7C01%7CAndrei.Popov%40microsoft.com%7C30b7cfd6c111409f442b08d5e5bd3777%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C636667523215021535&sdata=Bz6FrvviPoSIxkB83boGxcOxVg2NvrqS3A1bUinNodc%3D&reserved=0> > Htmlized: > https://datatracker.ietf.org/doc/html/draft-moriarty-tls- > oldversions-diediedie > <https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdatatracker.ietf.org%2Fdoc%2Fhtml%2Fdraft-moriarty-tls-oldversions-diediedie&data=02%7C01%7CAndrei.Popov%40microsoft.com%7C30b7cfd6c111409f442b08d5e5bd3777%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C636667523215021535&sdata=M1O48yPTPkd%2Bb3%2FE3z0%2FAniBUMozDwfQzp2Ra5sLRbQ%3D&reserved=0> > > > Abstract: > This document [if approved] formally deprecates Transport Layer > Security (TLS) versions 1.0 [RFC2246] and 1.1 [RFC4346] and moves > these documents to the historic state. These versions lack support > for current and recommended cipher suites, and various government and > industry profiiles of applications using TLS now mandate avoiding > these old TLS versions. TLSv1.2 has been the recommended version for > IETF protocols since 2008, providing sufficient time to transition > away from older versions. Products having to support older versions > increase the attack surface unnecessarily and increase opportunities > for misconfigurations. Supporting these older versions also requires > additional effort for library and product maintenance. > > This document updates the backward compatibility sections of TLS RFCs > [[list TBD]] to prohibit fallback to TLSv1.0 and TLSv1.1. This > document also updates RFC 7525. > > > > > Please note that it may take a couple of minutes from the time of > submission > until the htmlized version and diff are available at tools.ietf.org > <https://na01.safelinks.protection.outlook.com/?url=http%3A%2F%2Ftools.ietf.org&data=02%7C01%7CAndrei.Popov%40microsoft.com%7C30b7cfd6c111409f442b08d5e5bd3777%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C636667523215031539&sdata=ixEPAZe51d1FhvdB9sQ8mzRHY04Blyx%2BIYjlFC%2Fo0dw%3D&reserved=0> > . > > The IETF Secretariat > > > > -- > > Best regards, > Kathleen > > _______________________________________________ > TLS mailing list > TLS@ietf.org > https://www.ietf.org/mailman/listinfo/tls > <https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.ietf.org%2Fmailman%2Flistinfo%2Ftls&data=02%7C01%7CAndrei.Popov%40microsoft.com%7C30b7cfd6c111409f442b08d5e5bd3777%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C636667523215041552&sdata=GkIXrs3zVeUBaEU2EUL8%2FXJdDdkDUlQ70iKr0rDJQRU%3D&reserved=0> > > > > > > _______________________________________________ > TLS mailing list > TLS@ietf.org > https://www.ietf.org/mailman/listinfo/tls > > -- Thanks, Nalini Elkins President Enterprise Data Center Operators www.e-dco.com
- Re: [TLS] Fwd: New Version Notification for draft… Stephen Farrell
- Re: [TLS] raising ceiling vs. floor (was: New Ver… Hubert Kario
- Re: [TLS] raising ceiling vs. floor (was: New Ver… Peter Gutmann
- Re: [TLS] raising ceiling vs. floor (was: New Ver… Eric Rescorla
- Re: [TLS] Fwd: New Version Notification for draft… Peter Gutmann
- Re: [TLS] raising ceiling vs. floor (was: New Ver… Eric Rescorla
- Re: [TLS] raising ceiling vs. floor (was: New Ver… Hubert Kario
- [TLS] raising ceiling vs. floor (was: New Version… Viktor Dukhovni
- Re: [TLS] Fwd: New Version Notification for draft… nalini elkins
- Re: [TLS] Fwd: New Version Notification for draft… Martin Thomson
- Re: [TLS] Fwd: New Version Notification for draft… Martin Rex
- Re: [TLS] Fwd: New Version Notification for draft… Eric Rescorla
- Re: [TLS] Fwd: New Version Notification for draft… Eric Rescorla
- [TLS] Fwd: New Version Notification for draft-mor… Kathleen Moriarty
- Re: [TLS] Fwd: New Version Notification for draft… Loganaden Velvindron
- Re: [TLS] Fwd: New Version Notification for draft… Salz, Rich
- Re: [TLS] Fwd: New Version Notification for draft… Salz, Rich
- Re: [TLS] Fwd: New Version Notification for draft… Alessandro Ghedini
- Re: [TLS] Fwd: New Version Notification for draft… Andrei Popov
- Re: [TLS] Fwd: New Version Notification for draft… Eric Mill
- Re: [TLS] raising ceiling vs. floor (was: New Ver… Peter Gutmann
- Re: [TLS] raising ceiling vs. floor (was: New Ver… Viktor Dukhovni
- Re: [TLS] raising ceiling vs. floor (was: New Ver… David Benjamin
- Re: [TLS] raising ceiling vs. floor (was: New Ver… Peter Gutmann
- Re: [TLS] Fwd: New Version Notification for draft… Viktor Dukhovni
- Re: [TLS] raising ceiling vs. floor (was: New Ver… Hubert Kario
- Re: [TLS] raising ceiling vs. floor (was: New Ver… Phil Pennock
- Re: [TLS] raising ceiling vs. floor (was: New Ver… Hubert Kario
- Re: [TLS] Fwd: New Version Notification for draft… Stephen Farrell
- Re: [TLS] [CAUTION] Re: Fwd: New Version Notifica… Martin Rex
- Re: [TLS] raising ceiling vs. floor (was: New Ver… Peter Gutmann
- Re: [TLS] Fwd: New Version Notification for draft… nalini elkins
- Re: [TLS] Fwd: New Version Notification for draft… Stephen Farrell
- Re: [TLS] raising ceiling vs. floor (was: New Ver… Hubert Kario
- Re: [TLS] Fwd: New Version Notification for draft… Eric Rescorla
- Re: [TLS] Fwd: New Version Notification for draft… Salz, Rich
- Re: [TLS] [CAUTION] Re: Fwd: New Version Notifica… Kathleen Moriarty
- Re: [TLS] Fwd: New Version Notification for draft… Kathleen Moriarty
- Re: [TLS] Fwd: New Version Notification for draft… Kathleen Moriarty
- Re: [TLS] Fwd: New Version Notification for draft… David Benjamin
- Re: [TLS] Fwd: New Version Notification for draft… nalini elkins
- Re: [TLS] Fwd: New Version Notification for draft… Eric Rescorla
- Re: [TLS] Fwd: New Version Notification for draft… Stephen Farrell
- Re: [TLS] Fwd: New Version Notification for draft… Christopher Wood
- Re: [TLS] Fwd: New Version Notification for draft… Yaron Sheffer
- Re: [TLS] Fwd: New Version Notification for draft… Hubert Kario
- Re: [TLS] Fwd: New Version Notification for draft… Jeremy Harris
- Re: [TLS] Fwd: New Version Notification for draft… Artyom Gavrichenkov
- Re: [TLS] Fwd: New Version Notification for draft… Stephen Farrell
- Re: [TLS] Fwd: New Version Notification for draft… Artyom Gavrichenkov