Re: [TLS] Fwd: New Version Notification for draft-moriarty-tls-oldversions-diediedie-00.txt

Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com> Wed, 11 July 2018 16:44 UTC

Return-Path: <kathleen.moriarty.ietf@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3A099130DF4 for <tls@ietfa.amsl.com>; Wed, 11 Jul 2018 09:44:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id lWii-XAlmhMF for <tls@ietfa.amsl.com>; Wed, 11 Jul 2018 09:44:38 -0700 (PDT)
Received: from mail-qk0-x22a.google.com (mail-qk0-x22a.google.com [IPv6:2607:f8b0:400d:c09::22a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9A1CF12F295 for <tls@ietf.org>; Wed, 11 Jul 2018 09:44:38 -0700 (PDT)
Received: by mail-qk0-x22a.google.com with SMTP id b66-v6so13986449qkj.1 for <tls@ietf.org>; Wed, 11 Jul 2018 09:44:38 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=wcu8ezScfZAvJsLbnP344u30vIfH50OXVPdeX4MaMPs=; b=qy9kXS8SH72TnhDPrv+nVkOF1KDQZTdIo7vx0/VdykSV7edM50ht4Z0WX0eRV8yOty 4JTHjNKzYzzn+/e+AS5tea/nhViIvZgh5OCSvlWxVfv2yC1pz62IXxJOt8niREgGCAP4 MOwrqtF0m7TB/2KnAfLstzWPA/9ZphvaUNMHssln6gesZd4IXx09lOtythP7GosXzWcu wy33BAbMocg9xFEHrqareJA0+Hgis715LMh1zlSUUNOI5KvH397CUud7BDdrTRwe8ZzY NVFgUL3jIaKApVt0X1rx6fL785w0iS7IbpcpAsNO9wo2nTHWisRl9DXrojYnrw569Ptt 6Hmg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=wcu8ezScfZAvJsLbnP344u30vIfH50OXVPdeX4MaMPs=; b=DGVxs+Iy+4WjWW2TPOy1Xl0IAdney5Z9u6Tz2PQPY5Lcz+k664AEUAD/UVXOvME94C E9HJQYzSWLVDeKQFVq6Ew0t8QpsQgWiAvILNLAJZUD9DL39b1uSR/5m9fAbd8SZ2hfkO MXWqpj+2XSBAxALtFLK8EVDqppyqaP/YGkSon/McVztKfHvF3dGaxcbHLD7BUwQFxLUk bMLEf+QKgPBX9aqkAFTl/1HZ1vSvh09SXGQjk4h15AIG35MRJOMBuK7/AF5BBjtsRAIW Xs1EjoC8dsInc7z0GB83hCWx646PelqL6eoajk1hoP1R15JYQWq4/aWq0bvhlojJ2Khr z5Lg==
X-Gm-Message-State: APt69E22beFfRwx9n86Omd4bBDLSWt09/RAgq87eRvZAlk6ZeNUxYqrW ilR6G7Vr9SlYPVOvO85BvWc=
X-Google-Smtp-Source: AAOMgpeyK1Tzugs30xUKR7AQ97KKWBT59Fx0C0Q2ok87R+e4CCcYIXQr+TstDEgvlQpXSYwkEQVxjQ==
X-Received: by 2002:a37:6454:: with SMTP id y81-v6mr27195604qkb.56.1531327477752; Wed, 11 Jul 2018 09:44:37 -0700 (PDT)
Received: from [192.168.1.210] (209-6-121-113.s2671.c3-0.arl-cbr1.sbo-arl.ma.cable.rcncustomer.com. [209.6.121.113]) by smtp.gmail.com with ESMTPSA id e206-v6sm2307944qkb.4.2018.07.11.09.44.36 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Wed, 11 Jul 2018 09:44:37 -0700 (PDT)
Content-Type: text/plain; charset=utf-8
Mime-Version: 1.0 (1.0)
From: Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>
X-Mailer: iPhone Mail (15E216)
In-Reply-To: <e669c670-fa21-4df2-4098-4e0eb218f4b5@cs.tcd.ie>
Date: Wed, 11 Jul 2018 12:44:35 -0400
Cc: nalini elkins <nalini.elkins@e-dco.com>, "<tls@ietf.org>" <tls@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <FA070FD9-CB6F-4762-A834-2504474D2D57@gmail.com>
References: <152934875755.3094.4484881874912460528.idtracker@ietfa.amsl.com> <CAHbuEH5J-F2cKag02Vx416jsy1N6XZOju28H99WAt71Pc5optg@mail.gmail.com> <CABcZeBN4RPt_=zu-PTPeaYbQ4KxC8DAf=a7359pZDjYavpxecw@mail.gmail.com> <CABcZeBMzweULuOfxe_Dp7n6M7Lt77_1Qq92=KzfmuBeShUSCDQ@mail.gmail.com> <CY4PR21MB0774BE80A4424D41D0C8C4138C440@CY4PR21MB0774.namprd21.prod.outlook.com> <CAPsNn2U-WqPM-Tqun4NQkhy+ctpkdjkXj_dFurChKDB3f=WqRA@mail.gmail.com> <2ad88b61-aa3c-88d4-dfef-bcd78eeeeeca@cs.tcd.ie> <CAPsNn2UyQMEnS7y-Vgpt7j7c_z38OyhPgguvD7m54yVT013u6g@mail.gmail.com> <e669c670-fa21-4df2-4098-4e0eb218f4b5@cs.tcd.ie>
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/PKvIPrrP3Vi4wYWkqFKXxRYQsA4>
Subject: Re: [TLS] Fwd: New Version Notification for draft-moriarty-tls-oldversions-diediedie-00.txt
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 11 Jul 2018 16:44:42 -0000

Hi Nalini,

I think it would be more useful to collect show stopper information.  Do they have systems or applications that cannot be upgraded as there is no upgrade path?  Do these systems or applications matter in terms of deprecation?  It may not matter if they are isolated or there is no external requirement around encryption.

I did hear from someone off-list that I think will submit a PR on the systems he can’t upgrade, but he also said they don’t matter and are not a show stopper.

Thank you,
Kathleen 

Sent from my mobile device

> On Jul 11, 2018, at 5:50 AM, Stephen Farrell <stephen.farrell@cs.tcd.ie> wrote:
> 
> 
> Hiya,
> 
>> On 11/07/18 06:45, nalini elkins wrote:
>> Stephen,
>> 
>>> I'd love to add more detail like that and/or more sections for other
>> protocols if folks have data to offer with references.
>> 
>> I believe that I can reach out to various people I know.   Please comment
>> if my methodology is acceptable and if you think this will be helpful.
> 
> It's not whether the methodology is acceptable to me or not
> but whether or not the references to the numbers are credible
> for readers:-)
> 
> A few comment below,
> 
>> 
>> I am thinking the following:
>> 
>> Location: U.S. / Canada (possibly U.K.)
>> 
>> -  3 banks (hopefully from the top 5)
>> -  3 large insurance companies  (includes back end processing)
>> -  3 U.S. federal government agencies
>> -  3 companies in the Wall Street / Stock brokerage sector (includes back
>> end processing)
>> -  3 large credit card / processors (ex. Visa, Discover, MasterCard, etc.)
>> -  3 in the retail sector (Home Depot, Target, Lowes, et al)
> 
> Those are pretty small numbers unless they're interacting with
> a lot of TLS services. It'd be hard to know if they'd be
> representative of something or not if they're anonymised in the
> results. I'd encourage you to try get people to be open about
> things here - there's no particular shame in having 10% TLSv1.0
> sessions after all:-)
> 
>> 
>> Note: I put in "back end processing" because these are the folks that most
>> often have many connections to other business partners and so in some ways
>> have the most complex systems to deal with.
>> 
>> Note #2:  This is aspirational!  I hope I can get all these people to
>> cooperate.  I will try at least to get some in each category.
>> 
>> 
>> I will ask them the following questions:
>> 
>> 1.  How many applications do you have?  (This may end up being only the
>> mission critical ones as otherwise it may be too hard to obtain.)
> 
> I'm not sure that's so interesting for this question. And I'm not
> sure that different people would count things as applications in
> the same way.
> 
>> 2.   How many are using TLS and how many are still plain text?  (We will
>> disregard SSH and other such variants.)
> 
> Again, that's not so interesting here.
> 
>> 3.   What percent of clients are using a pre-TLS1.2 version?  (This will be
>> an estimation.
> I don't see why this needs to be estimated, this is kinda the key
> measurement needed and easy to measure. There should be no need for
> anyone to stick their thumb in the air for this:-)
> 
> It'd be good to distinguish TLSv1.0 from TLSv1.1 (and SSLv3 and
> TLSv1.3) and to say for how many TLS sessions or hosts/IPs the
> figures apply.
> 
> And of course providing as much context as possible so that it's
> possible to understand the numbers and whether or not the numbers
> from different sources are based on the same or different kinds of
> measurement.
> 
>> 
>> 4.   Do you have an active project to migrate off of older versions of TLS?
> 
> Sure.
> 
>> 
>> 5.   What do you estimate your percent of clients using pre-TLS1.2 versions
>> to be next year?
> 
> I don't see how this'd be so useful. Aaking about the historic and
> current rates of change of use of the various protocol versions would
> be good though if people have that, but they may not.
> 
> S.
> 
>> 
>> 
>> Please let me know if this will be of use & if you have suggestions for
>> improvement.
>> 
>> Thanks,
>> Nalini
>> 
>> 
>> 
>> 
>> On Tue, Jul 10, 2018 at 1:51 PM, Stephen Farrell <stephen.farrell@cs.tcd.ie>
>> wrote:
>> 
>>> 
>>> Hi Nalini,
>>> 
>>>> On 10/07/18 04:50, nalini elkins wrote:
>>>> It would be nice to see some of this reflected in the draft rather than
>>>> only statistics on browsers.   The real usage of these protocols is far
>>>> more complex.
>>> 
>>> I didn't have time before the I-D cutoff but have since
>>> added a section on mail to the repo pre-01 version. (See
>>> [1] section 3.2.) I'd love to add more detail like that
>>> and/or more sections for other protocols if folks have
>>> data to offer with references.
>>> 
>>> Consistent with other folks' numbers sent to the list
>>> yesterday, (though based on a much smaller sat of data I
>>> guess;-) my data shows 10.6% use of TLSv1.0 when talking
>>> SMTP/IMAP/POP (or HTTP) over TLS to a population of ~200K
>>> IP addresses that listen on port 25 (mail servers).
>>> 
>>> What I don't currently have is a rate of change for that
>>> figure. I think that rate of change is the important number
>>> for figuring out what to do in the next while. E.g. The
>>> WG might conclude that if the percentage of TLSv1.0 is
>>> moving down nicely, we should be a bit patient. If it's
>>> not moving at all, we can probably move now or in 5 years
>>> without that being different. If we're not sure, then get
>>> more data...
>>> 
>>> Cheers,
>>> S.
>>> 
>>> [1]
>>> https://github.com/sftcd/tls-oldversions-diediedie/blob/mast
>>> er/draft-moriarty-tls-oldversions-diediedie.txt
>>> 
>> 
>> 
>> 
> <0x5AB2FAF17B172BEA.asc>
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls