[TLS] Re: Adoption call for TLS 1.2 Update for Long-term Support
Yaron Sheffer <yaronf.ietf@gmail.com> Fri, 22 November 2024 13:37 UTC
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/IlxYA7CImFDqUaf8dGscwC0xFIg>
Hi Peter,
Just to put matters straight, the predecessor of RFC 9325, RFC 7525, was published in May 2015. But that doesn’t matter a whole lot now.
My point was much broader though: the IETF is sending deployers a bunch of mixed messages, and this is on us as a community.
RFC 9325 basically tells them: we prefer that you switch to TLS 1.3, but if you absolutely cannot do that, here’s how you can configure the existing TLS 1.2 and be secure (as of the time of publication).
TLS-LTS sends a whole different message of course.
And then the working group keeps nibbling at TLS 1.2 with documents like draft-ietf-tls-deprecate-obsolete-kex and the earlier “deprecating” documents. The KEX document does mention RFC 9325 at one point but does not say explicitly which of its requirements are new, making it hard for implementers to navigate our recommendations.
Thanks,
Yaron
On 22/11/2024, 12:06, "Peter Gutmann" <pgut001@cs.auckland.ac.nz> wrote:
Yaron Sheffer <yaronf.ietf@gmail.com> writes:
>Specifically, RFC 9325 [1] published a mere two years ago is not even
>referenced in the draft, let alone a comparison made with these deployment
>recommendations that were made by the very same IETF. (Yes you can hear my
>frustration coming through).
In defence of the -LTS draft, RFC 9325 postdates it by six years, so there
wasn't anything to reference at the time. I'm also not certain how much
overlap there is between the two, for example 9325 contains quite a lot of
stuff (older TLS versions, compression, DTLS, fallback, RC4, NULL cipher
suites, RSA key transport, etc) that has no bearing on what's in -LTS which
means it could cause confusion if someone tries to apply it to things that
mostly don't exist in -LTS.
Having said that, now that my attention has been drawn to it :-), I'd be happy
to include a note along the lines of "further advice on secure use of TLS may
be found in RFC 9325", it would certainly fit in with what -LTS is trying to
achieve.
Peter.