Re: [TLS] prohibit <1.2 support on 1.3+ servers (but allow clients)

Yoav Nir <ynir.ietf@gmail.com> Thu, 21 May 2015 21:50 UTC

From: Yoav Nir <ynir.ietf@gmail.com>
In-Reply-To: <BLU177-W43B228C6C40A3EFFF6D0AC3C10@phx.gbl>
Date: Fri, 22 May 2015 00:50:26 +0300
Message-Id: <08521CEE-F00B-40B5-9A91-D290ED56EE67@gmail.com>
References: <201505211210.43060.davemgarrett@gmail.com> <CADGaDpEjG8RfKzwnKjtYun_TTo9ipctQwx9DsDOWfSkory65rg@mail.gmail.com> <BLU177-W43B228C6C40A3EFFF6D0AC3C10@phx.gbl>
To: Yuhong Bao <yuhongbao_386@hotmail.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/M9Z2V1_lNGv79srY0v1W2TQEk-U>
Cc: "maray@microsoft.com" <maray@microsoft.com>, "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] prohibit <1.2 support on 1.3+ servers (but allow clients)

> On May 22, 2015, at 12:30 AM, Yuhong Bao <yuhongbao_386@hotmail.com> wrote:
>

<snip />

> Andrei Popov: I think it would be trivial to release an update for IE8-10 for Win7 to enable TLS 1.1 and 1.2 by default, right?

Trivial or not, whether Microsoft does this is not our decision. Probably not even Andrei’s decision. And these are not the 90s. People keep using computers for five, even seven years.

According to netmarketshare.com, Windows XP is still 16% of desktops/laptops (as measured by web traffic). Add some older Mac OS X versions and you reach 17%. Even mobile has some older versions. What this is proposing is to require servers to cut all of those off as a prerequisite to supporting TLS 1.3.

Yoav