Re: [TLS] Deployment ... Re: This working group has failed

mrex@sap.com (Martin Rex) Mon, 18 November 2013 22:31 UTC

Return-Path: <mrex@sap.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A83E41AE609 for <tls@ietfa.amsl.com>; Mon, 18 Nov 2013 14:31:48 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.552
X-Spam-Level:
X-Spam-Status: No, score=-6.552 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HELO_EQ_DE=0.35, RCVD_IN_DNSWL_HI=-5, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id lOqh4rh9qmP3 for <tls@ietfa.amsl.com>; Mon, 18 Nov 2013 14:31:47 -0800 (PST)
Received: from smtpde01.sap-ag.de (smtpde01.sap-ag.de [155.56.68.170]) by ietfa.amsl.com (Postfix) with ESMTP id C08571AE5C5 for <tls@ietf.org>; Mon, 18 Nov 2013 14:31:46 -0800 (PST)
Received: from mail06.wdf.sap.corp by smtpde01.sap-ag.de (26) with ESMTP id rAIMVeWj002200 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Mon, 18 Nov 2013 23:31:40 +0100 (MET)
In-Reply-To: <058f01cee4ab$d28316b0$77894410$@Staubermann@webolution.de>
To: Michael Staubermann <Michael.Staubermann@webolution.de>
Date: Mon, 18 Nov 2013 23:31:40 +0100 (CET)
X-Mailer: ELM [version 2.4ME+ PL125 (25)]
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="US-ASCII"
Message-Id: <20131118223140.04D361AAB0@ld9781.wdf.sap.corp>
From: mrex@sap.com (Martin Rex)
X-SAP: out
Cc: tls@ietf.org
Subject: Re: [TLS] Deployment ... Re: This working group has failed
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: mrex@sap.com
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 18 Nov 2013 22:31:48 -0000

Michael Staubermann wrote:
> Martin Rex wrote: 
> 
>> 
>> Unfortunately, I've seen a new (government mandated) Web Service usage
> scenario deployed in 2013 where the hardware SSL/TLS accellerater that is
> being used is TLS version intolerant to TLSv1.1 and TLSv1.2.
> 
> On the other hand we have the (government mandated) requirement to use TLS
> 1.2 for governmental institutions:
> 
> https://www.bsi.bund.de/DE/Presse/Kurzmitteilungen/Kurzmit2013/Mindeststandard_TLS_1_2_Web-Seiten_des_BSI_13112013.html

That is a misunderstanding.

This statement by the German BSI is a mere recommendation,
it is _not_ mandatory to use TLSv1.2.

You are ware that TLSv1.2 (rfc5246 alone) is weaker than TLSv1.1(rfc4346)?


The Web Service of the Portugal fiscal authority that businesses have
to submit certain data through a WebService _is_ mandatory.

-Martin