Re: [TLS] Working Group Last Call for draft-ietf-tls-sslv3-diediedie-00

Aaron Zauner <azet@azet.org> Tue, 27 January 2015 23:43 UTC

Date: Wed, 28 Jan 2015 00:43:15 +0100
From: Aaron Zauner <azet@azet.org>
To: Hanno Böck <hanno@hboeck.de>
Message-ID: <20150127234314.GA6124@typhoon.azet.org>
References: <CAOgPGoD806Mf=wa76ixU15nGDCK91tgG4r3Sb0Us2meX4Rqk5A@mail.gmail.com> <54C7F106.9070400@azet.org> <CABkgnnUdbLnG_7DJLuVeNrK0Q2rDhNm2kRKbwMDAE7bmCr=JqQ@mail.gmail.com> <201501271815.23083.davemgarrett@gmail.com> <20150128003356.41d2899b@pc>
In-Reply-To: <20150128003356.41d2899b@pc>
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/P9AtAmlCVGVmCcfqUmIzFk7aVzk>
Cc: tls@ietf.org
Subject: Re: [TLS] Working Group Last Call for draft-ietf-tls-sslv3-diediedie-00
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>

* Hanno Böck <hanno@hboeck.de> [28/01/2015 00:34:13] wrote:
> On Tue, 27 Jan 2015 18:15:22 -0500
> Dave Garrett <davemgarrett@gmail.com> wrote:
> 
> > Is it at all practical to publish a TLS RFC stating intent to
> > deprecate TLS 1.0/1.1 within some fixed timeframe? I think everyone
> > would rather phase it out than have to "be the hitman" each time.
> 
> I think if the deprecation of SSLv3 shows one thing it is that we need
> to start now if we want to deprecate it in several years.
> 

I cannot agree more.

> There are products on the market developed as late as 2011 that only
> support SSLv3. I think a crucial thing would be to identify and stop
> people from deploying TLS 1.0-only solutions today - so we won't have
> them tomorrow when we really need to deprecate TLS 1.0.
> 
> It's a topic I've been discussing with a number of people lately. Ideas
> welcome. I thought about adding something to webpages that will warn
> users if they connect with anything != TLS 1.2. That could at least
> make people aware if they surf with deprecated technology.

It's been pointed out earlier, but as not many people from TLS-WG
have been active at UTA I just want to reference those two documents
(currently WGLC and submitted for publication):

Recommendations for Secure Use of TLS and DTLS:
https://datatracker.ietf.org/doc/draft-ietf-uta-tls-bcp/

Summarizing Known Attacks on TLS and DTLS:
https://datatracker.ietf.org/doc/draft-ietf-uta-tls-attacks/

Aaron