IETF Logo Mail Archive

Re: [TLS] Publication has been requested for draft-ietf-tls-oldversions-deprecate-05

John Mattsson <john.mattsson@ericsson.com> Sat, 05 October 2019 13:12 UTC

Return-Path: <john.mattsson@ericsson.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1C98E12006A; Sat, 5 Oct 2019 06:12:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.002
X-Spam-Level:
X-Spam-Status: No, score=-2.002 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=ericsson.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kuDExwNcXVy3; Sat, 5 Oct 2019 06:12:46 -0700 (PDT)
Received: from EUR04-VI1-obe.outbound.protection.outlook.com (mail-eopbgr80070.outbound.protection.outlook.com [40.107.8.70]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BA18A12003F; Sat, 5 Oct 2019 06:12:45 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=Ho6eeJKDKg+8EwuiNWPTF6H5Xl+Bs0kxAE54JiQJSRLAfz//rGNubp7/duNDdM7ViQY9ipbfKpOic5fOiA9KbhTyPANbYcLffmu4/VQ8PhB7dhGxrdHyjjmDPwkeXjGZvi0hxNQEcw8jm2E1SnHkNRzpdN6AJV1ihDoEvb8tKeuXSTZBIKdXl1kNKePiK2ldVRdgqSayC1/TfePBzi3alkDvkn0fwE1T3lN/ZEsxY2IerTum3bPrSm7SGSoVQ6tzLi+yHyWlkSMlh0dL9QSjOOywOYcycPgDGaAiduDxQJLcxuQvsecPOg4wU3JQeJiqI+dMsQemDma/wfRYLCCgDQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=i2L6/J+i+2a7IDr9GoEJzIYQd1wNXuPuiLWdUOhi8eY=; b=bvhKgFm7//dLLX/SvCJhaji3M6Ty7VKHGLya4/GQwxf8DORG9OiSwDHFXPMnSTz9ge+aiyKizLIT2s7cJTU2romz1Shxvg9U4QGdq5KLzEAqJ6rceifGMYAJqYdnRRvjgMvdLazJkwkfFHaPdf8FQTNDRhzUfcDWMRosDeTBxUhtZeVYvTzERbKNj4ZHToE4dOI1910n3+S+cf7W8gt+ouXcacvyPZwcZDMX09OXcCVMu2UbQA9EhvJ/L9+VzUhxl5V81ugHrsEz/V9XtxBoO/pt0NlnN/sEJ2M68ulXQcC/AbWnFDkxg/6LahOJey5a45QLfJnqJ21Gvwkm+oumjw==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=ericsson.com; dmarc=pass action=none header.from=ericsson.com; dkim=pass header.d=ericsson.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ericsson.com; s=selector2; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=i2L6/J+i+2a7IDr9GoEJzIYQd1wNXuPuiLWdUOhi8eY=; b=P/nI+7el9kTOcTJVlF2ALFgVcIKaliDasdxTTw6s3EXXAZr89JLxvmIznWLe2qpkvfO/ZJ3ZzW0W6c91eueXEibM7VySX6iFhRsKJGL9BqZ3BBeqgihXpzdQmWyqb5gezHhRBhQLepghwQYmUam/9kxyLP4cWmfFgmXNUiWn9Gc=
Received: from HE1PR07MB4169.eurprd07.prod.outlook.com (20.176.165.153) by HE1PR07MB3132.eurprd07.prod.outlook.com (10.170.242.146) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2305.15; Sat, 5 Oct 2019 13:12:42 +0000
Received: from HE1PR07MB4169.eurprd07.prod.outlook.com ([fe80::c8fb:acc1:b00e:84ef]) by HE1PR07MB4169.eurprd07.prod.outlook.com ([fe80::c8fb:acc1:b00e:84ef%6]) with mapi id 15.20.2327.021; Sat, 5 Oct 2019 13:12:42 +0000
From: John Mattsson <john.mattsson@ericsson.com>
To: Rob Sayre <sayrer@gmail.com>, Eric Rescorla <ekr@rtfm.com>
CC: Cullen Jennings <fluffy@iii.ca>, "tls@ietf.org" <tls@ietf.org>, Sean Turner via Datatracker <noreply@ietf.org>, IESG Secretary <iesg-secretary@ietf.org>, "tls-chairs@ietf.org" <tls-chairs@ietf.org>, Benjamin Kaduk <kaduk@mit.edu>
Thread-Topic: [TLS] Publication has been requested for draft-ietf-tls-oldversions-deprecate-05
Thread-Index: AQHVLbNwka9w/WHllUqjsaoZBuXNvKdGI6+AgACqmwCAAR2pgIAAAOyAgAA5OQCAAvjIAIAACdKAgAABSgCAAALPgIABlngA
Date: Sat, 05 Oct 2019 13:12:42 +0000
Message-ID: <0744E7F3-B4D0-4935-8601-DB4D45DCACCB@ericsson.com>
References: <156172485494.20653.307396745611384846.idtracker@ietfa.amsl.com> <989F828F-B427-47A6-A114-4EAEA67D43D7@ericsson.com> <CABcZeBOCzwLDEUyiqkDG0Qqaf652_+j1KBsJQJcJk2Lew_9wCw@mail.gmail.com> <00C5D54E-40C7-4E95-AD2D-9BC60D972685@sn3rd.com> <5bcf3b7c-5501-70f0-4ce7-384f885c39e7@cs.tcd.ie> <6F040DD1-C2E2-4FD2-BB37-E1B6330230BD@ericsson.com> <149BDA3C-14CF-459F-90D4-5F53DBEF9808@iii.ca> <CAChr6Sx4AVjkoKWiD2-cT2ZBNg=mKzeOX603gVs0f7vQ_FgN7A@mail.gmail.com> <CABcZeBNOVOBifOSnWdxSDTLizUUUn6ctLrBT43CHK+4B7KWGiQ@mail.gmail.com> <CAChr6SzT3GqmidPbmVjmrZX=u1UpBee4e8K2C-zHuNHEqgB7uQ@mail.gmail.com>
In-Reply-To: <CAChr6SzT3GqmidPbmVjmrZX=u1UpBee4e8K2C-zHuNHEqgB7uQ@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-GB
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/10.1d.0.190908
authentication-results: spf=none (sender IP is ) smtp.mailfrom=john.mattsson@ericsson.com;
x-originating-ip: [82.214.46.143]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: e63cda7c-5312-4035-0453-08d74995b4c7
x-ms-traffictypediagnostic: HE1PR07MB3132:
x-ms-exchange-purlcount: 1
x-microsoft-antispam-prvs: <HE1PR07MB31325B3405F7EC679329096489990@HE1PR07MB3132.eurprd07.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:8882;
x-forefront-prvs: 0181F4652A
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(4636009)(136003)(376002)(346002)(396003)(39860400002)(366004)(199004)(189003)(6436002)(76176011)(186003)(236005)(6512007)(6506007)(7736002)(6486002)(6246003)(54896002)(6116002)(102836004)(11346002)(486006)(53546011)(446003)(99286004)(2616005)(476003)(44832011)(4326008)(66556008)(229853002)(2906002)(33656002)(5660300002)(26005)(81166006)(8936002)(36756003)(81156014)(54906003)(256004)(3846002)(790700001)(66446008)(71190400001)(316002)(110136005)(8676002)(6306002)(86362001)(478600001)(25786009)(66066001)(58126008)(606006)(76116006)(91956017)(14454004)(66476007)(71200400001)(66946007)(64756008); DIR:OUT; SFP:1101; SCL:1; SRVR:HE1PR07MB3132; H:HE1PR07MB4169.eurprd07.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; A:1; MX:1;
received-spf: None (protection.outlook.com: ericsson.com does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: FEBpHb7S0RG8A43J0n2k6jPSf/1EIhZYaLubA6xA2pjdtDuPMxdWgGsniDrgNvd2oBFrBXsF7mBbN794d+mV+J5rbn+Zd27W2Gd6DkTXjRMDt3akYRmyGsWbHrR8qQqdvEhyDCmavQ8YNiJhp/4FlQtMrVeNiK/xySa21S5Hs7T5Rp1A/3yoa+TeekXYhv+VGTJsT8QjGVqesgOTMns6iZI4UYZOJ39UvDGPyLcueA/whFFuf9PU9bDc5Sa0MlSjHTxaFPRspyFMR3GoOZjpGdpVabrP3S1RwgC2Oev3Z0z6RUS9cHIvWCQEcwdGacdEKiW3RS4ayI5UhTx7Edci1S3BDEhpEVHzETHaSPPyu1D6L+JyWk7nu6R+fmuhiLpwOtVIghsWOLKSXhBx/zhQ6u/mv0NTk1AhlqASmWSP2o/tDfQpalOWYhIAfXXoQv2vNU+rzFNHOBLARTTS8JnB6A==
x-ms-exchange-transport-forked: True
Content-Type: multipart/alternative; boundary="_000_0744E7F3B4D049358601DB4D45DCACCBericssoncom_"
MIME-Version: 1.0
X-OriginatorOrg: ericsson.com
X-MS-Exchange-CrossTenant-Network-Message-Id: e63cda7c-5312-4035-0453-08d74995b4c7
X-MS-Exchange-CrossTenant-originalarrivaltime: 05 Oct 2019 13:12:42.5952 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 92e84ceb-fbfd-47ab-be52-080c6b87953f
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: IaS873tbqDiWF66OowrQ2Nz+xv49JfSD956mATXmG9bVCYExO05UQlKe9EVDxHOWpZ3HP6rx4lHsISqy98e87i1GOcGgIVpma7OxFYPaVvo=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: HE1PR07MB3132
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/KNuVKHqv2X0Tfokfukc0t0NLYWI>
Subject: Re: [TLS] Publication has been requested for draft-ietf-tls-oldversions-deprecate-05
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 05 Oct 2019 13:12:49 -0000

Rob Sayre sayrer@gmail.com wrote:

"Is there some data behind this?

I agree with Rob, it would be interesting to get some data on why webrtc need to continue to negotiate and use DTLS 1.0. It would also be interesting to know for how long time webrtc plans to continue negotiate and use DTLS 1.0.

EAP-TLS also have legacy devices that do not support TLS 1.2 and in practice some EAP servers will probably continue to negotiate TLS 1.1 for a while. Still, the EMU WG agreed that the upcoming BCP forbidding use and negotiation of TLS 1.1 was the right thing to do as it puts increased pressure on implementations to improve.

Cheers,
John

From: Rob Sayre <sayrer@gmail.com>
Date: Friday, 4 October 2019 at 16:58
To: Eric Rescorla <ekr@rtfm.com>
Cc: Cullen Jennings <fluffy@iii.ca>, "TLS@ietf.org" <tls@ietf.org>, Sean Turner via Datatracker <noreply@ietf.org>, IESG Secretary <iesg-secretary@ietf.org>, "tls-chairs@ietf.org" <tls-chairs@ietf.org>, John Mattsson <john.mattsson@ericsson.com>, Benjamin Kaduk <kaduk@mit.edu>
Subject: Re: [TLS] Publication has been requested for draft-ietf-tls-oldversions-deprecate-05



On Fri, Oct 4, 2019 at 9:48 PM Eric Rescorla <ekr@rtfm.com<mailto:ekr@rtfm.com>> wrote:


On Fri, Oct 4, 2019 at 7:43 AM Rob Sayre <sayrer@gmail.com<mailto:sayrer@gmail.com>> wrote:
On Fri, Oct 4, 2019 at 9:08 PM Cullen Jennings <fluffy@iii.ca<mailto:fluffy@iii.ca>> wrote:

I do not think you have consensus for that change to WebRTC - it was discussed extensively. ...

 While that may be true, readers of this list might want to read a rationale, rather than just the results of a negotiation. Is there a rationale somewhere?

It seems strange to put DTLS 1.0 (based on TLS 1.1) into new documents.

A few points.

1. It doesn't pull it in. There's no reference and there's just an informative statement.

Shouldn't there be an informative reference?

2. There is a rationale. In fact, the relevant text pretty much is all rationale.

   All Implementations MUST support DTLS 1.2 with the

   TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 cipher suite and the P-256

   curve [FIPS186<https://tools.ietf.org/html/draft-ietf-rtcweb-security-arch-20#ref-FIPS186>].  Earlier drafts of this specification required DTLS

   1.0 with the cipher suite TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, and

   at the time of this writing some implementations do not support DTLS

   1.2; endpoints which support only DTLS 1.2 might encounter

   interoperability issues.

Yes, I read this section and I was wondering what the rationale was for the text: "endpoints which support only DTLS 1.2 might encounter interoperability issues." Is there some data behind this? I'm not suggesting a change in the draft without more information, but I do wonder how the WG came to agree on this text.

thanks,
Rob

v2.23.0 | Report a Bug | By Email