Re: [TLS] TLS@IETF101 Agenda Posted

Russ Housley <housley@vigilsec.com> Wed, 14 March 2018 18:53 UTC

Return-Path: <housley@vigilsec.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E9F69124C27 for <tls@ietfa.amsl.com>; Wed, 14 Mar 2018 11:53:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0
X-Spam-Level:
X-Spam-Status: No, score=0 tagged_above=-999 required=5 tests=[none] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id HDOxU5GvzE6a for <tls@ietfa.amsl.com>; Wed, 14 Mar 2018 11:53:23 -0700 (PDT)
Received: from mail.smeinc.net (mail.smeinc.net [209.135.209.11]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D818A126DED for <tls@ietf.org>; Wed, 14 Mar 2018 11:53:23 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mail.smeinc.net (Postfix) with ESMTP id B0C8F3005AB for <tls@ietf.org>; Wed, 14 Mar 2018 14:53:21 -0400 (EDT)
X-Virus-Scanned: amavisd-new at mail.smeinc.net
Received: from mail.smeinc.net ([127.0.0.1]) by localhost (mail.smeinc.net [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id xnJtEhd22CLK for <tls@ietf.org>; Wed, 14 Mar 2018 14:53:20 -0400 (EDT)
Received: from [172.20.6.66] (unknown [5.148.123.140]) by mail.smeinc.net (Postfix) with ESMTPSA id 91C08300435; Wed, 14 Mar 2018 14:53:20 -0400 (EDT)
Content-Type: text/plain; charset=us-ascii
Mime-Version: 1.0 (Mac OS X Mail 10.3 \(3273\))
From: Russ Housley <housley@vigilsec.com>
In-Reply-To: <12691059.D1o9753ySB@pintsize.usersys.redhat.com>
Date: Wed, 14 Mar 2018 14:53:21 -0400
Cc: IETF TLS <tls@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <4317390C-51CB-4969-8251-DBA18CBDE0BA@vigilsec.com>
References: <6140B7A6-A1C7-44BC-9C65-9BE0D5E1B580@sn3rd.com> <090F06AF-371D-4B11-91AA-BD80C1ADB4E9@fugue.com> <C1970611-C781-41A8-87CA-D00629AC41E7@vigilsec.com> <12691059.D1o9753ySB@pintsize.usersys.redhat.com>
To: Hubert Kario <hkario@redhat.com>
X-Mailer: Apple Mail (2.3273)
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/O8THt2VShhJe3CZ0VbaKsHOPe3g>
Subject: Re: [TLS] TLS@IETF101 Agenda Posted
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 14 Mar 2018 18:53:25 -0000

> On Mar 14, 2018, at 8:39 AM, Hubert Kario <hkario@redhat.com>; wrote:
> 
> On Tuesday, 13 March 2018 23:16:47 CET Russ Housley wrote:
>> Ted:
>>> There's an easy way to do this, although as a sometime bank security geek
>>> I would strongly advise you to not do it: keep using TLS 1.2.
>> This is a bogus argument.  First, staying with an old protocol version often
>> leads to locking in unmaintained versions of old software.
> 
> this is simply not true, the newest versions of OpenSSL, NSS, GnuTLS and 
> schannel allow you to disable TLS 1.2 and TLS 1.1 protocol support to 
> effectively only support TLS 1.0!

After TLS 1.3 is approved, I have heard a desire from software maintainers to drop support for some of the older versions over time. Support for SSL 3.0 has been dropped in some cases, and for good reasons.

Russ