Re: [TLS] prohibit <1.2 on clients (but allow servers) (was: prohibit <1.2 support on 1.3+ servers (but allow clients))

Geoffrey Keating <geoffk@geoffk.org> Fri, 22 May 2015 17:22 UTC

Return-Path: <geoffk@geoffk.org>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5CDE61A871A for <tls@ietfa.amsl.com>; Fri, 22 May 2015 10:22:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.799
X-Spam-Level:
X-Spam-Status: No, score=0.799 tagged_above=-999 required=5 tests=[BAYES_50=0.8, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id UU-1383yiluW for <tls@ietfa.amsl.com>; Fri, 22 May 2015 10:22:08 -0700 (PDT)
Received: from dragaera.releasedominatrix.com (dragaera.releasedominatrix.com [198.0.208.83]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 29C951A8714 for <tls@ietf.org>; Fri, 22 May 2015 10:22:08 -0700 (PDT)
Received: by dragaera.releasedominatrix.com (Postfix, from userid 501) id 0369933D19F; Fri, 22 May 2015 17:22:06 +0000 (UTC)
Sender: geoffk@localhost.localdomain
To: Peter Gutmann <pgut001@cs.auckland.ac.nz>
References: <201505211210.43060.davemgarrett@gmail.com> <20150522025214.GA21141@typhoon.azet.org> <CAHOTMVJ1i+h3x8UShLhku5VcFiB4RRrUmPZL6cz7LnHMeHzAFA@mail.gmail.com> <201505212304.11513.davemgarrett@gmail.com> <20150522032029.GA24064@typhoon.azet.org> <BAY180-W75D5FCD1F9DD4B5C4A729BFFC00@phx.gbl> <9A043F3CF02CD34C8E74AC1594475C73AB029584@uxcn10-tdc05.UoA.auckland.ac.nz>
From: Geoffrey Keating <geoffk@geoffk.org>
Date: Fri, 22 May 2015 10:22:06 -0700
In-Reply-To: <9A043F3CF02CD34C8E74AC1594475C73AB029584@uxcn10-tdc05.UoA.auckland.ac.nz>
Message-ID: <m2d21szfwh.fsf@localhost.localdomain>
Lines: 21
User-Agent: Gnus/5.09 (Gnus v5.9.0) Emacs/21.4
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/D2Z6nluSSN8cTjnV-cFlID_aRpY>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] prohibit <1.2 on clients (but allow servers) (was: prohibit <1.2 support on 1.3+ servers (but allow clients))
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 22 May 2015 17:22:12 -0000

Peter Gutmann <pgut001@cs.auckland.ac.nz> writes:

> You know the PLC I used as an example in an earlier message, the one
> that rejects any attempt at connecting with a version number set to
> greater than TLS 1.0?  The "upgrade" procedure for that is to
> replace it when the hardware dies, with a minimum (minimum, not
> maximum) lifetime of around ten years (I've seen refridgerator-sized
> PLCs dating from the 1960s still in active use today, but that's
> because they're practically indestructible compared to modern
> versions).
> 
> So if some sort of BCP is published, it should explicitly target
> browsers and web servers where this kind of upgrade/change is
> possible.  Telling people to throw away their PLCs and replace them
> with new ones isn't going to fly.

Telling people that these PLCs are secure and everything is fine and
they don't need to worry won't fly either.  The owners of these
devices are going to have to find a solution, whether it's an early
hardware upgrade, firmware replacement, or a front-end
translator/firewall.