Re: [TLS] WGLC for "Deprecating TLSv1.0 and TLSv1.1"
Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com> Thu, 02 May 2019 16:58 UTC
Return-Path: <kathleen.moriarty.ietf@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E81F4120470 for <tls@ietfa.amsl.com>; Thu, 2 May 2019 09:58:53 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level:
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZYC0ESh3QROn for <tls@ietfa.amsl.com>; Thu, 2 May 2019 09:58:51 -0700 (PDT)
Received: from mail-ot1-x336.google.com (mail-ot1-x336.google.com [IPv6:2607:f8b0:4864:20::336]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8AB6B120486 for <tls@ietf.org>; Thu, 2 May 2019 09:58:51 -0700 (PDT)
Received: by mail-ot1-x336.google.com with SMTP id d24so2707081otl.11 for <tls@ietf.org>; Thu, 02 May 2019 09:58:51 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=OcHoVEb0OH1tbuaiDPoIdXmoeMmFPEQNI9uMXzbslwM=; b=LrruMnLmv2JMTxTq03QCe+DDBbKcdRdKg+40Uy3pXFDUpG7XJgtEFwLicCdJn2F7Nw fF0pcH6A+JJw3KSamSWXrFx+kRKWB1puYL0kcrF8N5QgL8lw39Y+fOLTQ/ZYH0/Y20VI xgSyAYTrG2hys6rg0TTlJrDrEaar3i1IzOF1gFbFT5mxaBCwctG25TtVWX7pEAC/jEae 1JHdgYLRtBNG2R65AJZ2P+jrcs2ghZKC4NjGOE4DA7HkFEvqxg4LiV0sUZ41hqmw+E9z k6UTBqp81fxFtp6GJsOKAKFEwbjJAX1OErUDEegfL3KgkIEF5PkoKHjaadRRBz9yzzb2 wKxg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=OcHoVEb0OH1tbuaiDPoIdXmoeMmFPEQNI9uMXzbslwM=; b=rt2AuxrLLHfu7r6JTM8fxiPAv7l5WC5c8Y3O21E4FhyOrsqbxv4gczXljJ/O0yD71n OyJq/DVnIvEaO7rAJiJ9UF+ErcLxOD/zH9mNygAnSP0rSHT9qN4xusTKAKJ1Fmk5jJSK sSRWnrUVOHECIuAOccjjE45V6TJ80yaRX3lOyb2nGgQ/B1wOGFAzWm9Dr025QiPWbWJO 5jHDOoA3g782uRv8isfJrZFrYDQJuG4NtwPK367o0vaJlVYy9/zk94e/Tl79JjlOPbL2 HiEjKJvO2w2cfoVySPsGvVe2rPa60X1EpTOZ2nmi74J8qNourtM1VFZgKhgrGdOAQNn7 HG7Q==
X-Gm-Message-State: APjAAAVbfgXDNbBlih/TUg5kl3sld2WjFq62NcXmxSY2DtZCJgJo5W+M c8xK5ef0fHyMezipobGRNmtQLqM7FE7DUKU56Aao06+iKeg=
X-Google-Smtp-Source: APXvYqyd5hzhq7/yx0AH9pltLdbPni2s9Fs+Xj9qp5Y3fHSY9kBEJh9ekO9CT7PlTtVYTBLBADEy2B1qxmx34pOpPL8=
X-Received: by 2002:a9d:72c8:: with SMTP id d8mr3268376otk.149.1556816330939; Thu, 02 May 2019 09:58:50 -0700 (PDT)
MIME-Version: 1.0
References: <28511b10-8f6a-4394-95a9-5188130f7b58@www.fastmail.com> <7f76d36c-962b-78fe-87ab-e17c31430cb3@garygapinski.com>
In-Reply-To: <7f76d36c-962b-78fe-87ab-e17c31430cb3@garygapinski.com>
From: Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>
Date: Thu, 02 May 2019 12:58:13 -0400
Message-ID: <CAHbuEH73--eNBFh+xFQJj6V93ph6phb9YQFeY-Gjo3mdew=Siw@mail.gmail.com>
To: Gary Gapinski <gary=40garygapinski.com@dmarc.ietf.org>
Cc: "<tls@ietf.org>" <tls@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000062e30d0587ea8cbf"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/LVuL1VXIjUCHz4mp4VUzzgwVoLc>
Subject: Re: [TLS] WGLC for "Deprecating TLSv1.0 and TLSv1.1"
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 02 May 2019 16:58:54 -0000
Hi Gary, Thanks for your review and support. I'll respond inline and if Stephen disagrees, he will chime in :-) On Wed, Apr 24, 2019 at 9:51 AM Gary Gapinski <gary= 40garygapinski.com@dmarc.ietf.org> wrote: > On 4/12/19 7:28 PM, Christopher Wood wrote: > > This is the working group last call for the "Deprecating TLSv1.0 and TLSv1.1” draft available at: > > https://datatracker.ietf.org/doc/draft-ietf-tls-oldversions-deprecate/ > > Please review the document and send your comments to the list by April 26, 2019. > > I think the document should be published. > > I agree with Martin Thomson's observation that the SP 800-52r2 quotes in > Section 2 are a bit prolix considering the relatively small content that > would remain if excised, and that NIST document has been in draft for a > prolonged time (reducing its authority). The quotes imply but do not demand > disuse of TLS 1.0 and TLS 1.1, and could inadvertently be interpreted to > mean that use of TLS 1.2 rather than TLS 1.3 is sinful. > I had interpreted Martin's comment's a little differently and cut out other text. Hmm, for the NIST quotes, I see this as providing the supporting reasons and their recommendations not being the same as the recommendations in this draft. I think by the updated text Marten suggested on "updates", this point is addressed, but please let us know if you feel otherwise. > An additional (congenial) informative reference could be BSI TR-02102-2 > found at > > > https://www.bsi.bund.de/EN/Publications/TechnicalGuidelines/tr02102/index_htm.html > > which in §3.2 states "TLS 1.0 and TLS 1.1 are *not recommended*". > Thank you for the reference, it's probably bets to have a couple of sources here. I included the following text with the pdf reference included in the working copy: The German Federal Office for Information Security, recommends against use of TLS versions less than 1.2 in the publication <xref target="TR-02102-2" >Cryptographic Mechanisms: Recommendations and Key Lengths</xref> Best regards, Kathleen > Regards, > > Gary > _______________________________________________ > TLS mailing list > TLS@ietf.org > https://www.ietf.org/mailman/listinfo/tls > -- Best regards, Kathleen
- [TLS] WGLC for "Deprecating TLSv1.0 and TLSv1.1" Christopher Wood
- Re: [TLS] WGLC for "Deprecating TLSv1.0 and TLSv1… Watson Ladd
- Re: [TLS] WGLC for "Deprecating TLSv1.0 and TLSv1… Martin Thomson
- Re: [TLS] WGLC for "Deprecating TLSv1.0 and TLSv1… John Mattsson
- Re: [TLS] WGLC for "Deprecating TLSv1.0 and TLSv1… Maarten Aertsen (NCSC-NL)
- Re: [TLS] WGLC for "Deprecating TLSv1.0 and TLSv1… Stephen Farrell
- Re: [TLS] WGLC for "Deprecating TLSv1.0 and TLSv1… Gary Gapinski
- Re: [TLS] WGLC for "Deprecating TLSv1.0 and TLSv1… Kathleen Moriarty
- Re: [TLS] WGLC for "Deprecating TLSv1.0 and TLSv1… Daniel Migault
- Re: [TLS] WGLC for "Deprecating TLSv1.0 and TLSv1… Viktor Dukhovni
- Re: [TLS] WGLC for "Deprecating TLSv1.0 and TLSv1… Loganaden Velvindron
- Re: [TLS] WGLC for "Deprecating TLSv1.0 and TLSv1… Hubert Kario
- Re: [TLS] WGLC for "Deprecating TLSv1.0 and TLSv1… Töma Gavrichenkov
- Re: [TLS] WGLC for "Deprecating TLSv1.0 and TLSv1… Salz, Rich
- Re: [TLS] WGLC for "Deprecating TLSv1.0 and TLSv1… Viktor Dukhovni
- Re: [TLS] WGLC for "Deprecating TLSv1.0 and TLSv1… Roland Zink
- Re: [TLS] WGLC for "Deprecating TLSv1.0 and TLSv1… Martin Thomson
- Re: [TLS] WGLC for "Deprecating TLSv1.0 and TLSv1… Christopher Wood
- Re: [TLS] WGLC for "Deprecating TLSv1.0 and TLSv1… Viktor Dukhovni
- Re: [TLS] WGLC for "Deprecating TLSv1.0 and TLSv1… Martin Rex
- Re: [TLS] WGLC for "Deprecating TLSv1.0 and TLSv1… Töma Gavrichenkov
- Re: [TLS] WGLC for "Deprecating TLSv1.0 and TLSv1… Kathleen Moriarty
- Re: [TLS] WGLC for "Deprecating TLSv1.0 and TLSv1… Kathleen Moriarty
- Re: [TLS] WGLC for "Deprecating TLSv1.0 and TLSv1… Kathleen Moriarty
- Re: [TLS] WGLC for "Deprecating TLSv1.0 and TLSv1… Kathleen Moriarty
- Re: [TLS] WGLC for "Deprecating TLSv1.0 and TLSv1… Kathleen Moriarty
- Re: [TLS] WGLC for "Deprecating TLSv1.0 and TLSv1… Kathleen Moriarty
- Re: [TLS] WGLC for "Deprecating TLSv1.0 and TLSv1… Martin Thomson
- Re: [TLS] WGLC for "Deprecating TLSv1.0 and TLSv1… Hubert Kario
- Re: [TLS] WGLC for "Deprecating TLSv1.0 and TLSv1… Kathleen Moriarty
- Re: [TLS] WGLC for "Deprecating TLSv1.0 and TLSv1… Martin Rex
- Re: [TLS] WGLC for "Deprecating TLSv1.0 and TLSv1… Hubert Kario
- Re: [TLS] WGLC for "Deprecating TLSv1.0 and TLSv1… Peter Gutmann
- Re: [TLS] WGLC for "Deprecating TLSv1.0 and TLSv1… Benjamin Kaduk
- Re: [TLS] WGLC for "Deprecating TLSv1.0 and TLSv1… Peter Gutmann
- Re: [TLS] WGLC for "Deprecating TLSv1.0 and TLSv1… Viktor Dukhovni
- Re: [TLS] WGLC for "Deprecating TLSv1.0 and TLSv1… Eric Rescorla
- Re: [TLS] WGLC for "Deprecating TLSv1.0 and TLSv1… Kathleen Moriarty
- Re: [TLS] WGLC for "Deprecating TLSv1.0 and TLSv1… Kathleen Moriarty
- Re: [TLS] WGLC for "Deprecating TLSv1.0 and TLSv1… Peter Gutmann
- Re: [TLS] WGLC for "Deprecating TLSv1.0 and TLSv1… Kathleen Moriarty
- Re: [TLS] WGLC for "Deprecating TLSv1.0 and TLSv1… Martin Thomson
- Re: [TLS] WGLC for "Deprecating TLSv1.0 and TLSv1… Hubert Kario
- Re: [TLS] WGLC for "Deprecating TLSv1.0 and TLSv1… Hubert Kario
- Re: [TLS] WGLC for "Deprecating TLSv1.0 and TLSv1… Töma Gavrichenkov
- Re: [TLS] WGLC for "Deprecating TLSv1.0 and TLSv1… Benjamin Kaduk
- Re: [TLS] WGLC for "Deprecating TLSv1.0 and TLSv1… Kathleen Moriarty
- Re: [TLS] WGLC for "Deprecating TLSv1.0 and TLSv1… Blumenthal, Uri - 0553 - MITLL
- Re: [TLS] WGLC for "Deprecating TLSv1.0 and TLSv1… Kathleen Moriarty
- Re: [TLS] WGLC for "Deprecating TLSv1.0 and TLSv1… Viktor Dukhovni
- Re: [TLS] WGLC for "Deprecating TLSv1.0 and TLSv1… Viktor Dukhovni
- Re: [TLS] WGLC for "Deprecating TLSv1.0 and TLSv1… David Benjamin
- Re: [TLS] WGLC for "Deprecating TLSv1.0 and TLSv1… Martin Rex
- Re: [TLS] WGLC for "Deprecating TLSv1.0 and TLSv1… Peter Gutmann
- Re: [TLS] WGLC for "Deprecating TLSv1.0 and TLSv1… Hubert Kario
- Re: [TLS] WGLC for "Deprecating TLSv1.0 and TLSv1… Martin Rex
- Re: [TLS] WGLC for "Deprecating TLSv1.0 and TLSv1… Peter Gutmann
- Re: [TLS] WGLC for "Deprecating TLSv1.0 and TLSv1… Martin Thomson
- Re: [TLS] WGLC for "Deprecating TLSv1.0 and TLSv1… Hubert Kario
- Re: [TLS] WGLC for "Deprecating TLSv1.0 and TLSv1… Martin Rex
- Re: [TLS] WGLC for "Deprecating TLSv1.0 and TLSv1… Peter Gutmann
- Re: [TLS] WGLC for "Deprecating TLSv1.0 and TLSv1… Hubert Kario
- Re: [TLS] WGLC for "Deprecating TLSv1.0 and TLSv1… Martin Rex
- Re: [TLS] WGLC for "Deprecating TLSv1.0 and TLSv1… David Benjamin
- Re: [TLS] WGLC for "Deprecating TLSv1.0 and TLSv1… Kathleen Moriarty
- Re: [TLS] WGLC for "Deprecating TLSv1.0 and TLSv1… Hubert Kario
- Re: [TLS] WGLC for "Deprecating TLSv1.0 and TLSv1… Martin Rex
- Re: [TLS] WGLC for "Deprecating TLSv1.0 and TLSv1… Peter Gutmann
- Re: [TLS] WGLC for "Deprecating TLSv1.0 and TLSv1… Christopher Wood
- Re: [TLS] WGLC for "Deprecating TLSv1.0 and TLSv1… Martin Rex
- Re: [TLS] WGLC for "Deprecating TLSv1.0 and TLSv1… Peter Gutmann