Re: [TLS] prohibit <1.2 support on 1.3+ servers (but allow clients)

Yoav Nir <ynir.ietf@gmail.com> Thu, 21 May 2015 23:09 UTC

Return-Path: <ynir.ietf@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EF6511A87DF for <tls@ietfa.amsl.com>; Thu, 21 May 2015 16:09:48 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id c9COWwBHOsz3 for <tls@ietfa.amsl.com>; Thu, 21 May 2015 16:09:47 -0700 (PDT)
Received: from mail-wi0-x231.google.com (mail-wi0-x231.google.com [IPv6:2a00:1450:400c:c05::231]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9003D1A1AFB for <tls@ietf.org>; Thu, 21 May 2015 16:09:47 -0700 (PDT)
Received: by wicmc15 with SMTP id mc15so26319923wic.1 for <tls@ietf.org>; Thu, 21 May 2015 16:09:46 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=content-type:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=sHHIKzjodREm4ekSqkHrpOqy88FBzTi86T1epm3jB9A=; b=wjFor3TbPlOqxNeIA3+7ZexvccvGTBLfNImlXejqahYUUM7o7ZkSAzzjeIepOYUlM8 ESZS/Ik0Z7pxA6xSdAfhesRJdIqlqrKOW9ijJmoshFIoO89bY0trenJyS8OEtj0eEs2a W585K82KvFAr6/SlD70VIg6B8qV8YP5U5f0yPLRSUvlrWh/euM2+lqvgM5oqarwR2/YN gyHxqRkWP0mH1Ug/0t1EMYmWHuvH7TE1Y8gPwvHMQUgnsKbuuQfUaFgWEQiz1vTM2Lt0 vK8IBXfazuQRDpRl5VVo4JwizyZGDy8X3+AvZpIjQSMYev5kgvLWdwFBaeTET9+k+Z0u XKSg==
X-Received: by 10.180.218.195 with SMTP id pi3mr1801453wic.71.1432249786155; Thu, 21 May 2015 16:09:46 -0700 (PDT)
Received: from [192.168.1.17] ([46.120.13.132]) by mx.google.com with ESMTPSA id ex5sm4774635wib.2.2015.05.21.16.09.44 (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Thu, 21 May 2015 16:09:45 -0700 (PDT)
Content-Type: text/plain; charset=windows-1252
Mime-Version: 1.0 (Mac OS X Mail 8.2 \(2098\))
From: Yoav Nir <ynir.ietf@gmail.com>
In-Reply-To: <201505211903.03845.davemgarrett@gmail.com>
Date: Fri, 22 May 2015 02:09:42 +0300
Content-Transfer-Encoding: quoted-printable
Message-Id: <6748CFBB-A1FB-4D3C-9E5F-5DFD4F7A7EBD@gmail.com>
References: <201505211210.43060.davemgarrett@gmail.com> <201505211816.42606.davemgarrett@gmail.com> <9ED694CA-2271-42DD-B094-55B560B9C76B@gmail.com> <201505211903.03845.davemgarrett@gmail.com>
To: Dave Garrett <davemgarrett@gmail.com>
X-Mailer: Apple Mail (2.2098)
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/HP7Oq9A0-SwYri2LjnlzfzeD8sE>
Cc: "maray@microsoft.com" <maray@microsoft.com>, "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] prohibit <1.2 support on 1.3+ servers (but allow clients)
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 21 May 2015 23:09:49 -0000

> On May 22, 2015, at 2:03 AM, Dave Garrett <davemgarrett@gmail.com>; wrote:
> 
> I'd like to be able to point to the TLS 1.3 spec and tell people that servers implementing it are as secure as we currently know how to make them, which is just not true unless their weakest link isn't obsolete crap.

Then point at the BCP. Only problem is that it doesn’t say what you want it to say (it allows TLS 1.0 when the client does not support anything else)