Re: [TLS] [Last-Call] Last Call: <draft-ietf-tls-oldversions-deprecate-09.txt> (Deprecating TLSv1.0 and TLSv1.1) to Best Current Practice

Kathleen Moriarty <> Sun, 06 December 2020 13:01 UTC

From: Kathleen Moriarty <>
Date: Sun, 6 Dec 2020 08:01:26 -0500
Cc: Peter Gutmann <>, Stephen Farrell <>,,,,
To: Keith Moore <>

I disagree here, as those other implementations just need to make their own business risk decisions and put in place an exception process. One option in the risk decision process is to accept the risk; you can also mitigate, eliminate, or transfer the risk.

Best regards,

Sent from my mobile device

> On Dec 1, 2020, at 7:57 AM, Keith Moore <> wrote:
> On 12/1/20 4:29 AM, Peter Gutmann wrote:
>> I think all it needs is something along the lines of "This BCP applies to TLS
>> as used on the public Internet [Not part of the text but meaning the area that
>> the IETF creates standards for].
> Not specifically relevant to this draft, but:  Is it actually defined anywhere that IETF standards only apply to the public Internet?  IMO IETF needs to realize that implementations of its standards are used outside of the public Internet and consider that when writing its documents.  (even though different rules may be appropriate on private and mostly-isolated networks)
> Keith
> p.s. I keep thinking that this "MUST NOT TLS < 1.2" recommendation is like a public health recommendation, one that is worded over-simply to try to make it have maximum useful effect but perhaps to the point of being misleading or even harmful. e.g. "You MUST wear masks to reduce the spread of COVID-19", but not saying "oh yeah, if you're outdoors and not around other people you're probably fine without a mask" and "masks are pointless if you only wear them over your mouths or chins", and "the masks that have valves in them to allow exhaled breath to exit unimpeded are also useless for this purpose" and "you need to wear them when indoors and around co-workers, not merely when customers or visitors are present".  At least where I live I see so many people using masks in ineffective ways that I don't think the simple recommendation is working, though I'm not sure that a more detailed recommendation would work better.