Re: [TLS] [Last-Call] Last Call: <draft-ietf-tls-oldversions-deprecate-09.txt> (Deprecating TLSv1.0 and TLSv1.1) to Best Current Practice

"STARK, BARBARA H" <bs7652@att.com> Thu, 03 December 2020 17:03 UTC

Return-Path: <bs7652@att.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2906E3A0BCC; Thu, 3 Dec 2020 09:03:01 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.919
X-Spam-Level:
X-Spam-Status: No, score=-1.919 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_MSPIKE_H4=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=att.onmicrosoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TDlrmEkL-K2E; Thu, 3 Dec 2020 09:02:59 -0800 (PST)
Received: from mx0a-00191d01.pphosted.com (mx0b-00191d01.pphosted.com [67.231.157.136]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 44C053A0A96; Thu, 3 Dec 2020 09:02:59 -0800 (PST)
Received: from pps.filterd (m0049462.ppops.net [127.0.0.1]) by m0049462.ppops.net-00191d01. (8.16.0.43/8.16.0.43) with SMTP id 0B3GrZu0029754; Thu, 3 Dec 2020 12:02:52 -0500
Received: from alpi154.enaf.aldc.att.com (sbcsmtp6.sbc.com [144.160.229.23]) by m0049462.ppops.net-00191d01. with ESMTP id 355xmpe46j-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Thu, 03 Dec 2020 12:02:51 -0500
Received: from enaf.aldc.att.com (localhost [127.0.0.1]) by alpi154.enaf.aldc.att.com (8.14.5/8.14.5) with ESMTP id 0B3H2o4o029942; Thu, 3 Dec 2020 12:02:51 -0500
Received: from zlp30485.vci.att.com (zlp30485.vci.att.com [135.47.91.178]) by alpi154.enaf.aldc.att.com (8.14.5/8.14.5) with ESMTP id 0B3H2jdt029807 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO); Thu, 3 Dec 2020 12:02:45 -0500
Received: from zlp30485.vci.att.com (zlp30485.vci.att.com [127.0.0.1]) by zlp30485.vci.att.com (Service) with ESMTP id 58A9E401C7A4; Thu, 3 Dec 2020 17:02:45 +0000 (GMT)
Received: from GAALPA1MSGEX1DC.ITServices.sbc.com (unknown [135.50.89.116]) by zlp30485.vci.att.com (Service) with ESMTPS id 027F1401C7A3; Thu, 3 Dec 2020 17:02:45 +0000 (GMT)
Received: from GAALPA1MSGEX1AB.ITServices.sbc.com (135.50.89.97) by GAALPA1MSGEX1DC.ITServices.sbc.com (135.50.89.116) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2044.4; Thu, 3 Dec 2020 12:02:44 -0500
Received: from GAALPA1MSGETA01.tmg.ad.att.com (144.160.249.126) by GAALPA1MSGEX1AB.ITServices.sbc.com (135.50.89.97) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2044.4 via Frontend Transport; Thu, 3 Dec 2020 12:02:44 -0500
Received: from NAM02-SN1-obe.outbound.protection.outlook.com (104.47.36.54) by edgeal1.exch.att.com (144.160.249.126) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.1.2044.4; Thu, 3 Dec 2020 12:02:42 -0500
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=GfFHdDeRqP57ArZHifokzE9PgNNCbj/O7MuQeRJdCSdmDvblT4++aVrDdX/EVRbV1bRWuqwfU/LH6NuQeLI0DRIBvOWmKq3ZruXkPfK2NeSPcWRc4A20QrO2/YbI0s022mMRVf8tj09eLmuviBA8yGjzGOfiFbDLa/dcpxOqLLJ8M9wh7j5CwJdhesS0dzrFxFfVv8ULY+bY4YqYPJyEOl42syEsHYu3y2Tw7ffSQyorjCdg2G1q5T6w9fymnrtDju7uVfuNWEEffaffUKFKqSPeba6Wh3+psSDF4OxUkGUq6wEthLAkCrm6Z2kmgM8xve4pq9QBoHPilVMxxB0kcg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=kkIu6S0bCrivyzeXewVvqpekIh050MRa5kvAsmn23mk=; b=n1ou3uOxmhi6DbMuO1f3LaJKhYnMaBAXV5w0DpmKDl5xjYNl1jCItg0iItcAd4Nqm5wB4p+yGpSLbkvNNjycqGXgciaJ+q7jodUFbl2k/ugNJbfCDgub1HsquWW7Sy+qPx00woI2HQ8z2YklomzkvSDaL8Ai1Na5Kp+UnxgZ//XC/vRVzTCiCrEF2vCjMKVpb3G+CmDNzom/DFycrKgNqQFGCD32ag8tWe4vj0/lgh/pWHCvwTHl07g0BxLVx94BB+DNV4YDU6lu4a2v9dDgjuz+Kl3kPvKXCc5z23CoePXs7OcWafyJdow1Bofa8gR4feQnCqhyCAFdhyLlvuijnw==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=att.com; dmarc=pass action=none header.from=att.com; dkim=pass header.d=att.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=att.onmicrosoft.com; s=selector2-att-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=kkIu6S0bCrivyzeXewVvqpekIh050MRa5kvAsmn23mk=; b=C+tnuW16q/puJGzD8LNS5gfDWZX6zmfup3YBR4bRBaS+//IXZW2L+1bh30Xo1kqUYutxGCfacS+2L4Q293DA6C3VT58moRz6Y3O/CCUjP9ZsJq9/UQ0JkURvQCR1YdNKWTZzvMFbA3uovmfTh1RjAsebJLR46OIWvi2fvH807qw=
Received: from SN6PR02MB4512.namprd02.prod.outlook.com (2603:10b6:805:a4::13) by SA0PR02MB7225.namprd02.prod.outlook.com (2603:10b6:806:e5::15) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3632.20; Thu, 3 Dec 2020 17:02:37 +0000
Received: from SN6PR02MB4512.namprd02.prod.outlook.com ([fe80::1813:2439:6aac:fc24]) by SN6PR02MB4512.namprd02.prod.outlook.com ([fe80::1813:2439:6aac:fc24%6]) with mapi id 15.20.3611.031; Thu, 3 Dec 2020 17:02:37 +0000
From: "STARK, BARBARA H" <bs7652@att.com>
To: "'Watson Ladd'" <watsonbladd@gmail.com>, "'Ackermann, Michael'" <MAckermann@bcbsm.com>
CC: "'Eliot Lear'" <lear=40cisco.com@dmarc.ietf.org>, "'Peter Gutmann'" <pgut001@cs.auckland.ac.nz>, "'draft-ietf-tls-oldversions-deprecate@ietf.org'" <draft-ietf-tls-oldversions-deprecate@ietf.org>, "'last-call@ietf.org'" <last-call@ietf.org>, "'tls@ietf.org'" <tls@ietf.org>, "'tls-chairs@ietf.org'" <tls-chairs@ietf.org>
Thread-Topic: [TLS] [Last-Call] Last Call: <draft-ietf-tls-oldversions-deprecate-09.txt> (Deprecating TLSv1.0 and TLSv1.1) to Best Current Practice
Thread-Index: AQHWyLu/kYzXzvikeUizlhaI9MZmnqnj9JMAgAASjgCAAAcGoIAAXiWAgAESqwCAABguoA==
Date: Thu, 3 Dec 2020 17:02:37 +0000
Message-ID: <SN6PR02MB45129E647485BA5794D5CF4EC3F20@SN6PR02MB4512.namprd02.prod.outlook.com>
References: <160496076356.8063.5138064792555453422@ietfa.amsl.com> <49d045a3-db46-3250-9587-c4680ba386ed@network-heretics.com> <b5314e17-645a-22ea-3ce9-78f208630ae1@cs.tcd.ie> <1606782600388.62069@cs.auckland.ac.nz> <0b72b2aa-73b6-1916-87be-d83e9d0ebd09@cs.tcd.ie> <1606814941532.76373@cs.auckland.ac.nz> <36C74BF4-FF8A-4E79-B4C8-8A03BEE94FCE@cisco.com> <SN6PR02MB4512D55EC7F4EB00F5338631C3F40@SN6PR02MB4512.namprd02.prod.outlook.com> <1606905858825.10547@cs.auckland.ac.nz> <EEFAB41B-1307-4596-8A2E-11BF8C1A2330@cisco.com> <BYAPR14MB31763782200348F502A70DA4D7F30@BYAPR14MB3176.namprd14.prod.outlook.com> <SN6PR02MB4512B95842251AE4C04B199CC3F30@SN6PR02MB4512.namprd02.prod.outlook.com> <BYAPR14MB31765FD24F4DFD90F81AEE2BD7F30@BYAPR14MB3176.namprd14.prod.outlook.com> <SN6PR02MB4512CBA9E4BF6AAC778BC674C3F30@SN6PR02MB4512.namprd02.prod.outlook.com> <DM6PR14MB31789349B737961728B7691ED7F30@DM6PR14MB3178.namprd14.prod.outlook.com> <CACsn0ckvoqZ5-JPRkOXp2Mw2zeTOdyCYLvX1NV1waJ-yidTwMQ@mail.gmail.com>
In-Reply-To: <CACsn0ckvoqZ5-JPRkOXp2Mw2zeTOdyCYLvX1NV1waJ-yidTwMQ@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: gmail.com; dkim=none (message not signed) header.d=none;gmail.com; dmarc=none action=none header.from=att.com;
x-originating-ip: [45.18.123.63]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 2cd783ea-efa1-49ce-de6f-08d897ad3cb9
x-ms-traffictypediagnostic: SA0PR02MB7225:
x-microsoft-antispam-prvs: <SA0PR02MB7225951C744D7AD878C42F68C3F20@SA0PR02MB7225.namprd02.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:9508;
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: BVf4Je5aWxU0TjnTOw8wTcTHxPSDl47nFIE179SL5+x/vlkDAT5R13SF419sBjQAROybMhi/+Sf25ZiEhz1VKl5SUgse5qHW329snmdxXLeLS+hMBoxhlplynjtX1lEMKNbSeMyAVUv0cHDcYw1nToyEqNHcXsvKNB6fTQtr7bdVge456t47MnPq6i3i2A8YMpifhfhKi+dJrYaqpA+hAbU8SWxVAEKL0YXvrhHyggc6jN0WvDtYRL0yZWMU6ZKi2Wsl6MJ7CWUkJEvv3Uxx55xGUGcL8ukh0M2+5E820sKQ6EgZMaE5EIz0BrGIwWQLORYkPwyikq5jTPdhpNuOpg==
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:SN6PR02MB4512.namprd02.prod.outlook.com; PTR:; CAT:NONE; SFS:(4636009)(346002)(376002)(39860400002)(136003)(366004)(396003)(8676002)(5660300002)(55016002)(86362001)(478600001)(83380400001)(186003)(26005)(52536014)(4326008)(2906002)(64756008)(33656002)(82202003)(66946007)(110136005)(66446008)(66476007)(66556008)(71200400001)(76116006)(9686003)(54906003)(8936002)(6506007)(7696005)(316002); DIR:OUT; SFP:1101;
x-ms-exchange-antispam-messagedata: =?utf-8?B?M3RMQldZRFBUdzdRRmFzQ2dBdUJOeFR5anNQQksyOEg1MlFDQ2FYNkVHTGVQ?= =?utf-8?B?QVNMRnBPT3ZGbW5ERzBWakk0NnRWOEVFNU1XSzVIa3I5MUtRa3FydnFHSUYr?= =?utf-8?B?WkdDcGVidjFNTzdqdGZrTUFiVkJTN0NjYjl0WlhRNUFodWpaL0Fla1ExdzJy?= =?utf-8?B?ZWdRY1M4ZFZGSEZ0czA4WThtekFyQkJnTG9lNWs0YjF2ekJwWnZ3cHZNOWxL?= =?utf-8?B?aHlHNVB6L0pFVVpnbzBQOGgzVk5VWGFaWFFLb1prSDJ3bk52WVRYcnNmQTFQ?= =?utf-8?B?UFFNZm5QU2VUSEVJYVZ4VEttUWpiaEtJcnZOT3oxYVk1Qkdjb1gzV2VBclFU?= =?utf-8?B?cStvL0x5UFpudDJWWTFOWTQ4Tm82ZkdSTmltWSsraHpNVGdkR0VOZ1hWeHox?= =?utf-8?B?T0JiRnUzMmFuUnEvdDJwWk51VTdPVkc3WGMyQm9lQmlwOTNFQWZOcWpwb2cz?= =?utf-8?B?OXoyYUowWFE2eitBL1M3YW03WWh4V2NkRWlXay9MYU56RXZ1OGVXcURrU0Rn?= =?utf-8?B?S1dOR2xHMUdmZ2RwZEZLRmNqc01MNzFQbWE5RURFN0Q2SWpKRkdESHgxeGhh?= =?utf-8?B?QUsvMlQwV25zUU1VK1NBMEg3R1o4dTNwWWZJSEVucExYM09TQkpJMnRPOXFm?= =?utf-8?B?TWM3QVpLdmZSeVhPODdaQ3lORytTSHZtckhyVWliVysrbEJzU2Z0Sm1RcUFL?= =?utf-8?B?eFUxVnErUXJCR1RNQVh5UUZsckF3dkFLSk1FdndJNHN2MGlJeWxNbW8xTjNU?= =?utf-8?B?MHlEZ3I1SGFNdUxoZnlJSm54Tk44QUJjQzJSZitYYTFKdjNtekFicmV0ZUFi?= =?utf-8?B?UjhOVWcvNjhuZnBsS1pmTVpwUW55QktMK3NHNDBZU0R3emUxQUppZGtLOGZJ?= =?utf-8?B?cmxxdWJKRFU4SG02bytTNWR3WXl5dUtzRTJ6NENuMDlJd212Q3J0TTg1VjRp?= =?utf-8?B?SVdaVE13VVRIVlNlSzgrandYaVdtVmt6c1lQZG5GTjVhdzI4b3o0KzNkMlB1?= =?utf-8?B?U0ZIWnBhSXNES2U5cXYwTGliNWFPaHZjd2xtVDcydis0YmNxanZtWjdhY29p?= =?utf-8?B?QkVzWW15L2tnMDMwUXh6K3NjRk0yaXFCaWZOK2hnMlJzNSs5MTJmenZZazV5?= =?utf-8?B?Wkx0dDFTcmRhdnpTQzRMZEl6dHBWcU9vQS8rZVVXeEpCK3FFTkFkYTdQNjFS?= =?utf-8?B?YS9wdUF3bUZJdkFubis5dDlmcDgybFRiNm5aZ2RmUWt2OHVrb1dyVlhrMlND?= =?utf-8?B?MWEvR1RSanp5cVkya0VxK0xpbTIwdHRuU1dCZi9XbjYybm40bjZIcVd4M2tZ?= =?utf-8?Q?/W9L2k0EL8lug=3D?=
x-ms-exchange-transport-forked: True
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: SN6PR02MB4512.namprd02.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 2cd783ea-efa1-49ce-de6f-08d897ad3cb9
X-MS-Exchange-CrossTenant-originalarrivaltime: 03 Dec 2020 17:02:37.5256 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: e741d71c-c6b6-47b0-803c-0f3b32b07556
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: PZxyWC0KaazDUoU9PszE1bmz6QjHPCKovyNTe7MjpNKPdr86J+LGJFVoqX2c2rvK
X-MS-Exchange-Transport-CrossTenantHeadersStamped: SA0PR02MB7225
X-OriginatorOrg: att.com
X-TM-SNTS-SMTP: 063E0DECA71D78B3C0A83E6B6700473F58084A361A26C4A111DC96770DD2DBFA2
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.312, 18.0.737 definitions=2020-12-03_09:2020-12-03, 2020-12-03 signatures=0
X-Proofpoint-Spam-Details: rule=outbound_policy_notspam policy=outbound_policy score=0 impostorscore=0 priorityscore=1501 adultscore=0 mlxscore=0 bulkscore=0 malwarescore=0 clxscore=1011 lowpriorityscore=0 phishscore=0 mlxlogscore=999 spamscore=0 suspectscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2009150000 definitions=main-2012030100
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/HqjR9I5-yyOESdjKXRiBnVPFEDo>
Subject: Re: [TLS] [Last-Call] Last Call: <draft-ietf-tls-oldversions-deprecate-09.txt> (Deprecating TLSv1.0 and TLSv1.1) to Best Current Practice
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 03 Dec 2020 17:03:09 -0000

Ow! Mike is my friend. Don't go dissing my friend!

I think the problem in communication we've just experienced is because Mike strayed away from Last Call discussion on a specific document, to asking/discussing a more general question of how IETF can better communicate with enterprises and perhaps even engage with enterprises to make it easier to operationalize protocols inside enterprise networks. I didn't see Mike suggesting any changes to the draft in Last Call, relevant to this question. ?

I'd like to suggest that maybe we could discuss this a little more on the ietf list? But not here.
I'll see what happens if I start a thread over there (ietf@ietf.org) ...
Barbara

[Let me drum up my courage first. Thinking about posting to that list is much more stressful to me than, for example, thinking about bungie jumping off the Macau Tower -- an experience I highly recommend.]

> > Barbara,
> > Thanks.
> > And I think I was aware of all you state below regarding TLS, and apologize
> for any related confusion regarding IPv6, even though, for the purposes of
> my comment, they are similar.
> >
> >
> > I don't disagree with anything you say on the TLS subject,  which is
> essentially that prior versions of TLS may be considered insecure, etc.  and
> should be deprecated.....
> 
> Shouldn't we publish a document saying that? It seems this would
> represent consensus, even your view of the issue.
> 
> >
> > My associated point is that Enterprises are generally not aware of this and
> that it is not currently on our Planning or Budget Radars.
> 
> 
> TLS 1.2 has been around for how many years? All versions of OpenSSL
> without support have been EOL for some time. How many other CVE remain
> to be found in them? FIPS, PCI etc are all very clear that old TLS is
> going away. Browsers have supported TLS 1.2 for years. So has Windows.
> This depreciation should be easy given the extent of support for TLS
> 1.2.
> 
> I bet that most services you run are already using TLS 1.2 or even 1.3
> because the client and server have been updated.
> 
> > Further, this means we are potentially years from effectively and
> operationally addressing such issues.
> 
> Let's be about it.
> 
> >    And we must do so in conjunction with Partners, Clouds, Clients and
> others.
> > And my general, overall point is that the answer to addressing the above is
> to find way(s) of making Enterprises aware and possibly assisting with
> methods of addressing.     I think I also said this  problem is not unique to TLS
> or IPv6.      More, it is a lack of understanding of how things work within
> Enterprise Networks and the lack of Enterprise engagement in Standards
> Development processes.
> > And finally, this may not be a gap that the IETF should care about or
> address, but someone should, IMHO.
> 
> Your argument against the current text seems to be the following: we
> have a problem. It is inconvenient for me that you will ask me to deal
> with the problem. Therefore I would like the problem to not be
> acknowledged.
> 
> Perhaps I am being too uncharitable. But I fail to see how softening
> the language eases depreciation, or what the consequence you fear
> happening are. You're free to continue ignoring the RFC series. But
> reality does not go away if it is ignored.
> 
> Sincerely,
> Watson Ladd
> 
> >
> > Thanks
> >
> > Mike