IETF Logo Mail Archive

Re: [TLS] TLS@IETF101 Agenda Posted

Russ Housley <housley@vigilsec.com> Wed, 14 March 2018 18:53 UTC

Return-Path: <housley@vigilsec.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E9F69124C27 for <tls@ietfa.amsl.com>; Wed, 14 Mar 2018 11:53:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0
X-Spam-Level:
X-Spam-Status: No, score=0 tagged_above=-999 required=5 tests=[none] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id HDOxU5GvzE6a for <tls@ietfa.amsl.com>; Wed, 14 Mar 2018 11:53:23 -0700 (PDT)
Received: from mail.smeinc.net (mail.smeinc.net [209.135.209.11]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D818A126DED for <tls@ietf.org>; Wed, 14 Mar 2018 11:53:23 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mail.smeinc.net (Postfix) with ESMTP id B0C8F3005AB for <tls@ietf.org>; Wed, 14 Mar 2018 14:53:21 -0400 (EDT)
X-Virus-Scanned: amavisd-new at mail.smeinc.net
Received: from mail.smeinc.net ([127.0.0.1]) by localhost (mail.smeinc.net [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id xnJtEhd22CLK for <tls@ietf.org>; Wed, 14 Mar 2018 14:53:20 -0400 (EDT)
Received: from [172.20.6.66] (unknown [5.148.123.140]) by mail.smeinc.net (Postfix) with ESMTPSA id 91C08300435; Wed, 14 Mar 2018 14:53:20 -0400 (EDT)
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 10.3 \(3273\))
From: Russ Housley <housley@vigilsec.com>
In-Reply-To: <12691059.D1o9753ySB@pintsize.usersys.redhat.com>
Date: Wed, 14 Mar 2018 14:53:21 -0400
Cc: IETF TLS <tls@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <4317390C-51CB-4969-8251-DBA18CBDE0BA@vigilsec.com>
References: <6140B7A6-A1C7-44BC-9C65-9BE0D5E1B580@sn3rd.com> <090F06AF-371D-4B11-91AA-BD80C1ADB4E9@fugue.com> <C1970611-C781-41A8-87CA-D00629AC41E7@vigilsec.com> <12691059.D1o9753ySB@pintsize.usersys.redhat.com>
To: Hubert Kario <hkario@redhat.com>
X-Mailer: Apple Mail (2.3273)
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/O8THt2VShhJe3CZ0VbaKsHOPe3g>
Subject: Re: [TLS] TLS@IETF101 Agenda Posted
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 14 Mar 2018 18:53:25 -0000

> On Mar 14, 2018, at 8:39 AM, Hubert Kario <hkario@redhat.com> wrote:
> 
> On Tuesday, 13 March 2018 23:16:47 CET Russ Housley wrote:
>> Ted:
>>> There's an easy way to do this, although as a sometime bank security geek
>>> I would strongly advise you to not do it: keep using TLS 1.2.
>> This is a bogus argument.  First, staying with an old protocol version often
>> leads to locking in unmaintained versions of old software.
> 
> this is simply not true, the newest versions of OpenSSL, NSS, GnuTLS and 
> schannel allow you to disable TLS 1.2 and TLS 1.1 protocol support to 
> effectively only support TLS 1.0!

After TLS 1.3 is approved, I have heard a desire from software maintainers to drop support for some of the older versions over time. Support for SSL 3.0 has been dropped in some cases, and for good reasons.

Russ

v2.23.0 | Report a Bug | By Email