Re: [TLS] [Last-Call] Last Call: <draft-ietf-tls-oldversions-deprecate-09.txt> (Deprecating TLSv1.0 and TLSv1.1) to Best Current Practice

Keith Moore <> Tue, 01 December 2020 12:57 UTC


On 12/1/20 4:29 AM, Peter Gutmann wrote:

> I think all it needs is something along the lines of "This BCP applies to TLS
> as used on the public Internet [Not part of the text but meaning the area that
> the IETF creates standards for].

Not specifically relevant to this draft, but: Is it actually defined anywhere that IETF standards only apply to the public Internet? IMO IETF needs to realize that implementations of its standards are used outside of the public Internet and consider that when writing its documents. (Even though different rules may be appropriate on private and mostly-isolated networks.)


p.s. I keep thinking that this "MUST NOT TLS < 1.2" recommendation is like a public health recommendation, one that is worded over-simply to try to make it have maximum useful effect but perhaps to the point of being misleading or even harmful. E.g. "You MUST wear masks to reduce the spread of COVID-19", but not saying "oh yeah, if you're outdoors and not around other people you're probably fine without a mask" and "masks are pointless if you only wear them over your mouths or chins", and "the masks that have valves in them to allow exhaled breath to exit unimpeded are also useless for this purpose" and "you need to wear them when indoors and around co-workers, not merely when customers or visitors are present". At least where I live I see so many people using masks in ineffective ways that I don't think the simple recommendation is working, though I'm not sure that a more detailed recommendation would work better.