Re: [TLS] prohibit <1.2 support on 1.3+ servers (but allow clients)
Yoav Nir <ynir.ietf@gmail.com> Thu, 21 May 2015 23:09 UTC
Return-Path: <ynir.ietf@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EF6511A87DF for <tls@ietfa.amsl.com>; Thu, 21 May 2015 16:09:48 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id c9COWwBHOsz3 for <tls@ietfa.amsl.com>; Thu, 21 May 2015 16:09:47 -0700 (PDT)
Received: from mail-wi0-x231.google.com (mail-wi0-x231.google.com [IPv6:2a00:1450:400c:c05::231]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9003D1A1AFB for <tls@ietf.org>; Thu, 21 May 2015 16:09:47 -0700 (PDT)
Received: by wicmc15 with SMTP id mc15so26319923wic.1 for <tls@ietf.org>; Thu, 21 May 2015 16:09:46 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=content-type:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=sHHIKzjodREm4ekSqkHrpOqy88FBzTi86T1epm3jB9A=; b=wjFor3TbPlOqxNeIA3+7ZexvccvGTBLfNImlXejqahYUUM7o7ZkSAzzjeIepOYUlM8 ESZS/Ik0Z7pxA6xSdAfhesRJdIqlqrKOW9ijJmoshFIoO89bY0trenJyS8OEtj0eEs2a W585K82KvFAr6/SlD70VIg6B8qV8YP5U5f0yPLRSUvlrWh/euM2+lqvgM5oqarwR2/YN gyHxqRkWP0mH1Ug/0t1EMYmWHuvH7TE1Y8gPwvHMQUgnsKbuuQfUaFgWEQiz1vTM2Lt0 vK8IBXfazuQRDpRl5VVo4JwizyZGDy8X3+AvZpIjQSMYev5kgvLWdwFBaeTET9+k+Z0u XKSg==
X-Received: by 10.180.218.195 with SMTP id pi3mr1801453wic.71.1432249786155; Thu, 21 May 2015 16:09:46 -0700 (PDT)
Received: from [192.168.1.17] ([46.120.13.132]) by mx.google.com with ESMTPSA id ex5sm4774635wib.2.2015.05.21.16.09.44 (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Thu, 21 May 2015 16:09:45 -0700 (PDT)
Content-Type: text/plain; charset="windows-1252"
Mime-Version: 1.0 (Mac OS X Mail 8.2 \(2098\))
From: Yoav Nir <ynir.ietf@gmail.com>
In-Reply-To: <201505211903.03845.davemgarrett@gmail.com>
Date: Fri, 22 May 2015 02:09:42 +0300
Content-Transfer-Encoding: quoted-printable
Message-Id: <6748CFBB-A1FB-4D3C-9E5F-5DFD4F7A7EBD@gmail.com>
References: <201505211210.43060.davemgarrett@gmail.com> <201505211816.42606.davemgarrett@gmail.com> <9ED694CA-2271-42DD-B094-55B560B9C76B@gmail.com> <201505211903.03845.davemgarrett@gmail.com>
To: Dave Garrett <davemgarrett@gmail.com>
X-Mailer: Apple Mail (2.2098)
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/HP7Oq9A0-SwYri2LjnlzfzeD8sE>
Cc: "maray@microsoft.com" <maray@microsoft.com>, "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] prohibit <1.2 support on 1.3+ servers (but allow clients)
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 21 May 2015 23:09:49 -0000
> On May 22, 2015, at 2:03 AM, Dave Garrett <davemgarrett@gmail.com> wrote: > > I'd like to be able to point to the TLS 1.3 spec and tell people that servers implementing it are as secure as we currently know how to make them, which is just not true unless their weakest link isn't obsolete crap. Then point at the BCP. Only problem is that it doesn’t say what you want it to say (it allows TLS 1.0 when the client does not support anything else)
- [TLS] prohibit <1.2 support on 1.3+ servers (but … Dave Garrett
- Re: [TLS] prohibit <1.2 support on 1.3+ servers (… Loganaden Velvindron
- Re: [TLS] prohibit <1.2 support on 1.3+ servers (… Yoav Nir
- Re: [TLS] prohibit <1.2 support on 1.3+ servers (… Thijs van Dijk
- Re: [TLS] prohibit <1.2 support on 1.3+ servers (… Jeffrey Walton
- Re: [TLS] prohibit <1.2 support on 1.3+ servers (… Dave Garrett
- Re: [TLS] prohibit <1.2 support on 1.3+ servers (… Kurt Roeckx
- Re: [TLS] prohibit <1.2 support on 1.3+ servers (… Dave Garrett
- Re: [TLS] prohibit <1.2 support on 1.3+ servers (… Yuhong Bao
- Re: [TLS] prohibit <1.2 support on 1.3+ servers (… Yoav Nir
- Re: [TLS] prohibit <1.2 support on 1.3+ servers (… Dave Garrett
- Re: [TLS] prohibit <1.2 support on 1.3+ servers (… Yoav Nir
- Re: [TLS] prohibit <1.2 support on 1.3+ servers (… Watson Ladd
- Re: [TLS] prohibit <1.2 support on 1.3+ servers (… Yoav Nir
- Re: [TLS] prohibit <1.2 support on 1.3+ servers (… Dave Garrett
- Re: [TLS] prohibit <1.2 support on 1.3+ servers (… Yoav Nir
- Re: [TLS] prohibit <1.2 support on 1.3+ servers (… Dave Garrett
- Re: [TLS] prohibit <1.2 support on 1.3+ servers (… Martin Rex
- Re: [TLS] prohibit <1.2 support on 1.3+ servers (… Martin Thomson
- Re: [TLS] prohibit <1.2 support on 1.3+ servers (… Dave Garrett
- Re: [TLS] prohibit <1.2 support on 1.3+ servers (… Dave Garrett
- Re: [TLS] prohibit <1.2 support on 1.3+ servers (… Aaron Zauner
- Re: [TLS] prohibit <1.2 support on 1.3+ servers (… Tony Arcieri
- Re: [TLS] prohibit <1.2 support on 1.3+ servers (… Dave Garrett
- Re: [TLS] prohibit <1.2 support on 1.3+ servers (… Martin Thomson
- Re: [TLS] prohibit <1.2 support on 1.3+ servers (… Dave Garrett
- Re: [TLS] prohibit <1.2 support on 1.3+ servers (… Aaron Zauner
- Re: [TLS] prohibit <1.2 support on 1.3+ servers (… Martin Thomson
- Re: [TLS] prohibit <1.2 support on 1.3+ servers (… Tony Arcieri
- Re: [TLS] prohibit <1.2 support on 1.3+ servers (… Dave Garrett
- Re: [TLS] prohibit <1.2 on clients (but allow ser… Xiaoyin Liu
- Re: [TLS] prohibit <1.2 on clients (but allow ser… Dave Garrett
- Re: [TLS] prohibit <1.2 support on 1.3+ servers (… Martin Rex
- Re: [TLS] prohibit <1.2 support on 1.3+ servers (… Hubert Kario
- Re: [TLS] prohibit <1.2 on clients (but allow ser… Peter Gutmann
- Re: [TLS] prohibit <1.2 on clients (but allow ser… Xiaoyin Liu
- Re: [TLS] prohibit <1.2 support on 1.3+ servers (… Salz, Rich
- Re: [TLS] prohibit <1.2 support on 1.3+ servers (… Salz, Rich
- Re: [TLS] prohibit <1.2 support on 1.3+ servers (… Ronald del Rosario
- Re: [TLS] prohibit <1.2 support on 1.3+ servers (… Dave Garrett
- Re: [TLS] prohibit <1.2 on clients (but allow ser… Dave Garrett
- Re: [TLS] prohibit <1.2 on clients (but allow ser… Geoffrey Keating
- Re: [TLS] prohibit <1.2 support on 1.3+ servers (… Tony Arcieri
- Re: [TLS] prohibit <1.2 on clients (but allow ser… Jeffrey Walton
- Re: [TLS] prohibit <1.2 support on 1.3+ servers (… Bill Frantz
- Re: [TLS] prohibit <1.2 on clients (but allow ser… Peter Gutmann
- Re: [TLS] prohibit <1.2 on clients (but allow ser… Geoff Keating
- Re: [TLS] prohibit <1.2 support on 1.3+ servers (… Jeffrey Walton
- Re: [TLS] prohibit <1.2 support on 1.3+ servers (… Florian Weimer
- Re: [TLS] prohibit <1.2 on clients (but allow ser… Yuhong Bao
- Re: [TLS] prohibit <1.2 on clients (but allow ser… Martin Thomson
- Re: [TLS] prohibit <1.2 on clients (but allow ser… Salz, Rich