Re: [TLS] Publication has been requested for draft-ietf-tls-oldversions-deprecate-05
John Mattsson <john.mattsson@ericsson.com> Sat, 05 October 2019 12:32 UTC
Return-Path: <john.mattsson@ericsson.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9952C1201DE; Sat, 5 Oct 2019 05:32:11 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.002
X-Spam-Level:
X-Spam-Status: No, score=-2.002 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=ericsson.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XJ67AD5DO6Kq; Sat, 5 Oct 2019 05:32:08 -0700 (PDT)
Received: from EUR01-HE1-obe.outbound.protection.outlook.com (mail-eopbgr130083.outbound.protection.outlook.com [40.107.13.83]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 671C712016E; Sat, 5 Oct 2019 05:32:08 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=ChDCgxdOq2MEzizf8cgK9zKSA3dp0wG7p+dC+vJ/fQSuB6wi0stc7gOcyhMCFrMaLReCOvQh3+24rzqcxMVOpvropBw47kHeRsb4q8xEOVwuGFlABaDJHCuJ2/YwKUFCgaQ244WNwWDqU7rLk7Z3z+Ipj4qFTMuSBX+lB+3tU5xBLjcPIUoOe826I6Ac1cLEBwD7CjiIhbk89eZX2dZuFvbxBydM9Z4gIAoAjUGmpxFUsY6O2vtBo6b7MWte7J2ZAC7DcBciJSsmiHwnnnXEoqbyEVXFtWkT2syRGOqcxIwL5EyVqEnL7BJ/99cb66SotB49XsO73AjCJ4Iu5aUkZQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=VJ77zHms5YfDvim4lJ4yWnE6uYxFOKj6OHVVwVdOE30=; b=FRjKFwozZMZVDYT9pzkTqbbX4Y1gDhmZBZ8NnymGvMp9+s4qec43737It+F7Q15JJc8vlDmNTLy6UNq7IExkX3VEiRUuNeJqd87IFtPeE2o4ByyHE+RCw/KX+CFT/G4KnwSnmKR76EI4otjkqmEA5FjKdLZamoMJpAObzmflOIwCWJtPXZyRg8E3xaD1Jh0eUZSY3FK/Ig2eGseN2/M7oRsFFDnx8jgytzknIcfP/3l9qoXnm8GL+ABIC+U7eVzoT0jGgw4RS74BbVtQS+xM5Xn2ohoMvm2WqD69gwE6BDra1uJk88ZIQD5T660VdcEm6wF3uPUilejh9XgcNr063A==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=ericsson.com; dmarc=pass action=none header.from=ericsson.com; dkim=pass header.d=ericsson.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ericsson.com; s=selector2; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=VJ77zHms5YfDvim4lJ4yWnE6uYxFOKj6OHVVwVdOE30=; b=UDElDmUPhSfFEx1z+SFNsRmwY1EMPmPhkvqP9TLO2p2hA4U4eTG79+REsG1ANodKQ1kY4djN2V1P5eCQB92bXcakryFupnbH/7KbGHliltHkxDrzWpFJvg3alszVYyu7Q/2QpQEqGq3sz/tt4KpvKJ5XzQmESzH8FKzmc0F9PUg=
Received: from HE1PR07MB4169.eurprd07.prod.outlook.com (20.176.165.153) by HE1PR07MB3260.eurprd07.prod.outlook.com (10.170.247.152) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2327.7; Sat, 5 Oct 2019 12:32:05 +0000
Received: from HE1PR07MB4169.eurprd07.prod.outlook.com ([fe80::c8fb:acc1:b00e:84ef]) by HE1PR07MB4169.eurprd07.prod.outlook.com ([fe80::c8fb:acc1:b00e:84ef%6]) with mapi id 15.20.2327.021; Sat, 5 Oct 2019 12:32:05 +0000
From: John Mattsson <john.mattsson@ericsson.com>
To: Benjamin Kaduk <kaduk@mit.edu>
CC: Stephen Farrell <stephen.farrell@cs.tcd.ie>, Sean Turner <sean@sn3rd.com>, Sean Turner via Datatracker <noreply@ietf.org>, "tls-chairs@ietf.org" <tls-chairs@ietf.org>, IESG Secretary <iesg-secretary@ietf.org>, "tls@ietf.org" <tls@ietf.org>
Thread-Topic: [TLS] Publication has been requested for draft-ietf-tls-oldversions-deprecate-05
Thread-Index: AQHVLbNwka9w/WHllUqjsaoZBuXNvKdGI6+AgACqmwCAAR2pgIAAAOyAgAA5OQCAAg8aAIACgrcA
Date: Sat, 05 Oct 2019 12:32:04 +0000
Message-ID: <54213F5A-4778-4B27-8E19-FD581281B110@ericsson.com>
References: <156172485494.20653.307396745611384846.idtracker@ietfa.amsl.com> <989F828F-B427-47A6-A114-4EAEA67D43D7@ericsson.com> <CABcZeBOCzwLDEUyiqkDG0Qqaf652_+j1KBsJQJcJk2Lew_9wCw@mail.gmail.com> <00C5D54E-40C7-4E95-AD2D-9BC60D972685@sn3rd.com> <5bcf3b7c-5501-70f0-4ce7-384f885c39e7@cs.tcd.ie> <6F040DD1-C2E2-4FD2-BB37-E1B6330230BD@ericsson.com> <20191004001142.GF6424@kduck.mit.edu>
In-Reply-To: <20191004001142.GF6424@kduck.mit.edu>
Accept-Language: en-US
Content-Language: en-GB
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/10.1d.0.190908
authentication-results: spf=none (sender IP is ) smtp.mailfrom=john.mattsson@ericsson.com;
x-originating-ip: [82.214.46.143]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: d8838af5-3483-44b8-14ef-08d7499007c1
x-ms-traffictypediagnostic: HE1PR07MB3260:
x-ms-exchange-purlcount: 1
x-microsoft-antispam-prvs: <HE1PR07MB326007AFD59FDC338703428089990@HE1PR07MB3260.eurprd07.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-forefront-prvs: 0181F4652A
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(4636009)(376002)(346002)(39860400002)(366004)(396003)(136003)(13464003)(51444003)(199004)(189003)(4326008)(86362001)(186003)(26005)(66066001)(6506007)(2906002)(76176011)(53546011)(33656002)(5660300002)(2171002)(102836004)(8676002)(44832011)(6486002)(229853002)(25786009)(966005)(478600001)(81156014)(14454004)(81166006)(2616005)(6916009)(6246003)(99286004)(71190400001)(71200400001)(476003)(6512007)(6306002)(486006)(6116002)(446003)(3846002)(58126008)(11346002)(8936002)(6436002)(305945005)(54906003)(36756003)(91956017)(76116006)(66946007)(7736002)(64756008)(256004)(66446008)(66556008)(66476007)(14444005)(316002); DIR:OUT; SFP:1101; SCL:1; SRVR:HE1PR07MB3260; H:HE1PR07MB4169.eurprd07.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; A:1; MX:1;
received-spf: None (protection.outlook.com: ericsson.com does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: fT+6QkkNLp07SC2A7VhKGDJxxqiE0XHDjUXvsmckGt4gMwmRwyRKeMbdqRdZ3zw/YTdVhRzyUzrrWsxQviatCc4R0uLXCjcU8Ti5V5AzGwPKcJX5cSoL58/EGTQtlZZAfXrmLUVhmUWkuxyjoifjNotbKIkwidpJAj0ZNZLzCCuUA0egpyn6Ltp+z0Jj0YzNjKm0w8u3FyhswdVeP4lwiW8wiZT7ExQVmQizwKnkX7Kzg67T+51agoP7YEc7AGVsjlCio+UUdpV1IlXJKL8d/VWFEgKqp+Z3AP3smaS5gMnvSgr0SE/GEsqbCVXZYQmBATFZWgLGQih8UPB4HvEBBCldIGZMzRHNrIeZ/oIC5t/i5xDnlqqqDAMUSgxhJesZqTn2TIvmBJRwepd8CmA/LZJqZ0V34Ui4Hm+xB7pkrXyKJZjEInLayMQeY/OrIhDyLyWpBHByZ1OsrSwizaOLfw==
x-ms-exchange-transport-forked: True
Content-Type: text/plain; charset="utf-8"
Content-ID: <D2508259D223534FBF81728068FC57BE@eurprd07.prod.outlook.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: ericsson.com
X-MS-Exchange-CrossTenant-Network-Message-Id: d8838af5-3483-44b8-14ef-08d7499007c1
X-MS-Exchange-CrossTenant-originalarrivaltime: 05 Oct 2019 12:32:04.9227 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 92e84ceb-fbfd-47ab-be52-080c6b87953f
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: eAeAsB0XAnlBe5Dq3Czs3HVkicdlAOEdWZNcYM/zBxX/fYSoKxwexYO+7UETRo4yxdhacYW1SslCRwOVSprTMGulh5UipWRvZIlEoOUGKqc=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: HE1PR07MB3260
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/KSs4rlFMuJ6G8SlVVSfJ68oVEkc>
Subject: Re: [TLS] Publication has been requested for draft-ietf-tls-oldversions-deprecate-05
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 05 Oct 2019 12:32:12 -0000
Benjamin Kaduk <kaduk@mit.edu> wrote: >> That does not surprise me, but I think that is part of the problem. These >> things should mainly be decided by the TLS working group. > >How? Just by publishing BCPs, or is the TLS WG also supposed to (e.g.) >watch IETF LCs and complain about use of old protocol versions? Just by publishing BCPs and standard track documents. Watching out for old protocol versions in other WG’s is not really the TLS WG’s job. Hopefully, everybody in the security area complain if they see use of obsolete versions or weak algorithms. >> "New implementations and deployments MUST include support of the new version". >> >> If this is not clearly defined somewhere, I think it needs to be specified. If it is >specified somewhere, IETF needs to make sure to follow apply it. > >Even supposing everyone agrees on this, there seem to be some fencepost >issues surrounding "new". Is a protocol "new" when it gets published as an >RFC, or at WGLC, or even earlier? I have been pretty laid-back until now >about requiring things coming in front of the IESG to pick up TLS 1.3, >since for the most part they were in progress (including implementations) >before TLS 1.3 implementations were readily available in production-grade >form. It's about time to tighten up on that, since it's been over a year >since RFC 8446, but I'm not sure I fully understand where you want us to >fall across these boundary conditions. I fully agree. There are several boundary conditions here and any best practice can probably not be summarized on a single line. Tightening up requirement of new drafts to support TLS 1.3 now seems about right. There could probably still be exceptions, but they would have to be well motivated. /John -----Original Message----- From: Benjamin Kaduk <kaduk@mit.edu> Date: Friday, 4 October 2019 at 02:11 To: John Mattsson <john.mattsson@ericsson.com> Cc: Stephen Farrell <stephen.farrell@cs.tcd.ie>, Sean Turner <sean@sn3rd.com>, Sean Turner via Datatracker <noreply@ietf.org>, "tls-chairs@ietf.org" <tls-chairs@ietf.org>, IESG Secretary <iesg-secretary@ietf.org>, "TLS@ietf.org" <tls@ietf.org> Subject: Re: [TLS] Publication has been requested for draft-ietf-tls-oldversions-deprecate-05 On Wed, Oct 02, 2019 at 02:45:08PM +0000, John Mattsson wrote: > Hi, > > Sean Turner wrote: > > "You can change the text, but I do not believe it will change the implementations." > > I would much rather have a future proof RFC that forbids negotiation of DTLS 1.0 with the knowledge that some implementations will temporary violate that, than having an RFC that long time in the future allows negotiation and use of DTLS 1.0. > > > Eric Rescorla wrote: > > "result of some pretty extensive discussion and compromising in rtcweb" > > That does not surprise me, but I think that is part of the problem. These > things should mainly be decided by the TLS working group. How? Just by publishing BCPs, or is the TLS WG also supposed to (e.g.) watch IETF LCs and complain about use of old protocol versions? > Draft-ietf-rtcweb-security-arch mandated DTLS 1.0 until Nov 2018. That is > half a year after the "Deprecating TLSv1.0 and TLSv1.1" draft was > submitted and almost 7 years after DTLS 1.0 was made obsolete. Mandating (D)TLS 1.0 is not going to get past the IESG in 2018. We can (and are) try to better communicate our expectations for this sort of thing to the WGs, but it seems unrealistic to expect a 100% success rate from them, since it's usually not the WG's core competency. (See also https://protect2.fireeye.com/url?k=81062a4c-dd8ff05c-81066ad7-0cc47ad93e2a-1e749b7aef6efcb8&q=1&u=https%3A%2F%2Fmailarchive.ietf.org%2Farch%2Fmsg%2Fwgchairs%2Fdfe_5obSQm7YK7JzVbmc-MbXNmU .) > > No matter what is done in this particular case, I think the important thing to discuss is how we avoid drafts that only support obsolete versions of TLS/DTLS in the future. According to my understanding of the comments in the thread "Lessons learned from TLS 1.0 and TLS 1.1 deprecation", both me, Kathleen Moriarty, and Martin Thomson understands obsoleted as: > > "New implementations and deployments MUST include support of the new version". > > If this is not clearly defined somewhere, I think it needs to be specified. If it is specified somewhere, IETF needs to make sure to follow apply it. Even supposing everyone agrees on this, there seem to be some fencepost issues surrounding "new". Is a protocol "new" when it gets published as an RFC, or at WGLC, or even earlier? I have been pretty laid-back until now about requiring things coming in front of the IESG to pick up TLS 1.3, since for the most part they were in progress (including implementations) before TLS 1.3 implementations were readily available in production-grade form. It's about time to tighten up on that, since it's been over a year since RFC 8446, but I'm not sure I fully understand where you want us to fall across these boundary conditions. -Ben
- [TLS] Publication has been requested for draft-ie… Sean Turner via Datatracker
- Re: [TLS] Publication has been requested for draf… John Mattsson
- Re: [TLS] Publication has been requested for draf… Kathleen Moriarty
- Re: [TLS] Publication has been requested for draf… Stephen Farrell
- Re: [TLS] Publication has been requested for draf… Eric Rescorla
- Re: [TLS] Publication has been requested for draf… Sean Turner
- Re: [TLS] Publication has been requested for draf… Stephen Farrell
- Re: [TLS] Publication has been requested for draf… John Mattsson
- Re: [TLS] Publication has been requested for draf… Benjamin Kaduk
- Re: [TLS] Publication has been requested for draf… Cullen Jennings
- Re: [TLS] Publication has been requested for draf… Rob Sayre
- Re: [TLS] Publication has been requested for draf… Eric Rescorla
- Re: [TLS] Publication has been requested for draf… Rob Sayre
- Re: [TLS] Publication has been requested for draf… John Mattsson
- Re: [TLS] Publication has been requested for draf… John Mattsson
- Re: [TLS] Publication has been requested for draf… John Mattsson
- Re: [TLS] Publication has been requested for draf… Benjamin Kaduk
- Re: [TLS] Publication has been requested for draf… Eric Rescorla
- Re: [TLS] Publication has been requested for draf… Eric Rescorla
- Re: [TLS] Publication has been requested for draf… Rob Sayre
- Re: [TLS] Publication has been requested for draf… Rob Sayre
- Re: [TLS] Publication has been requested for draf… Stephen Farrell
- Re: [TLS] Publication has been requested for draf… Sean Turner
- Re: [TLS] Publication has been requested for draf… Rob Sayre
- Re: [TLS] Publication has been requested for draf… John Mattsson
- Re: [TLS] Publication has been requested for draf… Stephen Farrell
- Re: [TLS] Publication has been requested for draf… Benjamin Kaduk
- Re: [TLS] Publication has been requested for draf… Daniel Migault
- Re: [TLS] Publication has been requested for draf… Rob Sayre
- Re: [TLS] Publication has been requested for draf… Eric Rescorla
- Re: [TLS] Publication has been requested for draf… Eric Rescorla
- Re: [TLS] Publication has been requested for draf… Rob Sayre
- Re: [TLS] Publication has been requested for draf… Eric Rescorla
- Re: [TLS] Publication has been requested for draf… Martin Thomson
- Re: [TLS] Publication has been requested for draf… Rob Sayre
- Re: [TLS] Publication has been requested for draf… Eric Rescorla
- Re: [TLS] Publication has been requested for draf… Rob Sayre
- Re: [TLS] Publication has been requested for draf… Benjamin Kaduk
- Re: [TLS] Publication has been requested for draf… Rob Sayre
- Re: [TLS] Publication has been requested for draf… Benjamin Kaduk
- Re: [TLS] Publication has been requested for draf… Rob Sayre