Re: [TLS] How are we planning to deprecate TLS 1.2?

Viktor Dukhovni <ietf-dane@dukhovni.org> Sat, 04 March 2023 05:35 UTC

Date: Sat, 04 Mar 2023 00:35:16 -0500
From: Viktor Dukhovni <ietf-dane@dukhovni.org>
To: tls@ietf.org
Message-ID: <ZALYlDCzIP7PAW1G@straasha.imrryr.org>
Reply-To: tls@ietf.org
References: <CABiKAoTN-Y2317qZi6vwyOvhMwtTjtY9wROorNXEjEEegg-zfg@mail.gmail.com> <ZAJrhV3El0QAvy6/@straasha.imrryr.org> <CACsn0cmt+9q_uAE_72Y5ngb2k-pRa9z=8PyaxGwiRzKHChZNkA@mail.gmail.com>
In-Reply-To: <CACsn0cmt+9q_uAE_72Y5ngb2k-pRa9z=8PyaxGwiRzKHChZNkA@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/GLswfUGanQA7Nn1QTsHnUfT0vZQ>
Subject: Re: [TLS] How are we planning to deprecate TLS 1.2?

On Fri, Mar 03, 2023 at 03:49:28PM -0800, Watson Ladd wrote:

> > 20 years is a long time.  We can only reason about shorter timelines.
> > In the next ~5 years, I don't yet see a defensible reason to deprecate
> > TLS 1.2.
> 
> 20 years from today we'll be dealing with products shipped out today.
> Doesn't it make sense to start saying TLS 1.2 will sunset at some day?

Products shipped today will typically support and prefer to negotiate
TLS 1.3; the ones that choose not to implement TLS 1.2 probably have a
reason for that choice.

The more positive message is to encourage adoption of TLS 1.3 in all market
segments where it is applicable.  TLS 1.2 does not look so broken that
we need to apply a stick rather than offer a carrot.

-- 
    Viktor.