Re: [TLS] prohibit <1.2 support on 1.3+ servers (but allow clients)
Martin Thomson <martin.thomson@gmail.com> Thu, 21 May 2015 23:29 UTC
Return-Path: <martin.thomson@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 530F01A90AD for <tls@ietfa.amsl.com>; Thu, 21 May 2015 16:29:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.101
X-Spam-Level:
X-Spam-Status: No, score=-0.101 tagged_above=-999 required=5 tests=[BAYES_20=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 061ExjCdAOBC for <tls@ietfa.amsl.com>; Thu, 21 May 2015 16:29:16 -0700 (PDT)
Received: from mail-yk0-x235.google.com (mail-yk0-x235.google.com [IPv6:2607:f8b0:4002:c07::235]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0E5AE1A88F0 for <tls@ietf.org>; Thu, 21 May 2015 16:29:16 -0700 (PDT)
Received: by ykfr66 with SMTP id r66so857831ykf.0 for <tls@ietf.org>; Thu, 21 May 2015 16:29:15 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=FJL5gPG4vf34L3J3t72TSzPH0N081Mo8Nnr8BVtRsQ4=; b=MMQeV1Pr/YfCsRXQli4kgKJ26OV6OHVi4pM9MOuT1FGSvVLWqaoluC83Nw2WNgnjDA EVnotKfpIM1BHR104klam7CUNY3rWpBCXM5uZfwa3FroTS+IhhOpc+xwWce9Nlq3bkZS DOmCRWu2CLJFLAMYBa3GMdz6anCnHKkZKJC67GyxANXhHMTfzARMAEdLWF+qiCsBA+bw 2NM7HrPZv4svkIaXoQXRBNjJ3gPWF56JlciSGMCjO4dsclI6nKBEG544mqYPZGgq47u3 unThC/U0DfwDyHB3TEF58pa5s7RqpBuw96sok8E3mSroBltmrL8rFJx+xNNGs5SCfxe4 ZnzQ==
MIME-Version: 1.0
X-Received: by 10.236.13.16 with SMTP id a16mr5222676yha.93.1432250955489; Thu, 21 May 2015 16:29:15 -0700 (PDT)
Received: by 10.13.247.71 with HTTP; Thu, 21 May 2015 16:29:15 -0700 (PDT)
In-Reply-To: <201505211210.43060.davemgarrett@gmail.com>
References: <201505211210.43060.davemgarrett@gmail.com>
Date: Thu, 21 May 2015 16:29:15 -0700
Message-ID: <CABkgnnW-3ccJqM634dtjgqLGbc11Z2LgFFxpC2EjF-8dKk4o2A@mail.gmail.com>
From: Martin Thomson <martin.thomson@gmail.com>
To: Dave Garrett <davemgarrett@gmail.com>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/QcALW-6yE-B71JF8sHqvGvFY3z8>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] prohibit <1.2 support on 1.3+ servers (but allow clients)
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 21 May 2015 23:29:17 -0000
On 21 May 2015 at 09:10, Dave Garrett <davemgarrett@gmail.com> wrote: > > 2) For TLS 1.3, add a blurb to the effect of: > "Server TLS implementations supporting TLS 1.3 or later MUST NOT negotiate TLS 1.0 or TLS 1.1 for any reason. > Client TLS implementations are RECOMMENDED to not support old TLS versions, where possible." I don't think that this is the right way to do this. I'm happy to be the one wielding the stick when the time is right, but I probably won't come here to do it. Implementations and operators of those implementations will make that determination on their own, based on their own needs. For example, we support crappy crypto on the Firefox download site - including SSL3 - on the basis that it makes more sense to allow clients who only support SSL3 to download our software. That way, they might get an approximation of good crypto rather than being left with the rubbish they have. We have a very different policy for our accounts servers, of course.
- [TLS] prohibit <1.2 support on 1.3+ servers (but … Dave Garrett
- Re: [TLS] prohibit <1.2 support on 1.3+ servers (… Loganaden Velvindron
- Re: [TLS] prohibit <1.2 support on 1.3+ servers (… Yoav Nir
- Re: [TLS] prohibit <1.2 support on 1.3+ servers (… Thijs van Dijk
- Re: [TLS] prohibit <1.2 support on 1.3+ servers (… Jeffrey Walton
- Re: [TLS] prohibit <1.2 support on 1.3+ servers (… Dave Garrett
- Re: [TLS] prohibit <1.2 support on 1.3+ servers (… Kurt Roeckx
- Re: [TLS] prohibit <1.2 support on 1.3+ servers (… Dave Garrett
- Re: [TLS] prohibit <1.2 support on 1.3+ servers (… Yuhong Bao
- Re: [TLS] prohibit <1.2 support on 1.3+ servers (… Yoav Nir
- Re: [TLS] prohibit <1.2 support on 1.3+ servers (… Dave Garrett
- Re: [TLS] prohibit <1.2 support on 1.3+ servers (… Yoav Nir
- Re: [TLS] prohibit <1.2 support on 1.3+ servers (… Watson Ladd
- Re: [TLS] prohibit <1.2 support on 1.3+ servers (… Yoav Nir
- Re: [TLS] prohibit <1.2 support on 1.3+ servers (… Dave Garrett
- Re: [TLS] prohibit <1.2 support on 1.3+ servers (… Yoav Nir
- Re: [TLS] prohibit <1.2 support on 1.3+ servers (… Dave Garrett
- Re: [TLS] prohibit <1.2 support on 1.3+ servers (… Martin Rex
- Re: [TLS] prohibit <1.2 support on 1.3+ servers (… Martin Thomson
- Re: [TLS] prohibit <1.2 support on 1.3+ servers (… Dave Garrett
- Re: [TLS] prohibit <1.2 support on 1.3+ servers (… Dave Garrett
- Re: [TLS] prohibit <1.2 support on 1.3+ servers (… Aaron Zauner
- Re: [TLS] prohibit <1.2 support on 1.3+ servers (… Tony Arcieri
- Re: [TLS] prohibit <1.2 support on 1.3+ servers (… Dave Garrett
- Re: [TLS] prohibit <1.2 support on 1.3+ servers (… Martin Thomson
- Re: [TLS] prohibit <1.2 support on 1.3+ servers (… Dave Garrett
- Re: [TLS] prohibit <1.2 support on 1.3+ servers (… Aaron Zauner
- Re: [TLS] prohibit <1.2 support on 1.3+ servers (… Martin Thomson
- Re: [TLS] prohibit <1.2 support on 1.3+ servers (… Tony Arcieri
- Re: [TLS] prohibit <1.2 support on 1.3+ servers (… Dave Garrett
- Re: [TLS] prohibit <1.2 on clients (but allow ser… Xiaoyin Liu
- Re: [TLS] prohibit <1.2 on clients (but allow ser… Dave Garrett
- Re: [TLS] prohibit <1.2 support on 1.3+ servers (… Martin Rex
- Re: [TLS] prohibit <1.2 support on 1.3+ servers (… Hubert Kario
- Re: [TLS] prohibit <1.2 on clients (but allow ser… Peter Gutmann
- Re: [TLS] prohibit <1.2 on clients (but allow ser… Xiaoyin Liu
- Re: [TLS] prohibit <1.2 support on 1.3+ servers (… Salz, Rich
- Re: [TLS] prohibit <1.2 support on 1.3+ servers (… Salz, Rich
- Re: [TLS] prohibit <1.2 support on 1.3+ servers (… Ronald del Rosario
- Re: [TLS] prohibit <1.2 support on 1.3+ servers (… Dave Garrett
- Re: [TLS] prohibit <1.2 on clients (but allow ser… Dave Garrett
- Re: [TLS] prohibit <1.2 on clients (but allow ser… Geoffrey Keating
- Re: [TLS] prohibit <1.2 support on 1.3+ servers (… Tony Arcieri
- Re: [TLS] prohibit <1.2 on clients (but allow ser… Jeffrey Walton
- Re: [TLS] prohibit <1.2 support on 1.3+ servers (… Bill Frantz
- Re: [TLS] prohibit <1.2 on clients (but allow ser… Peter Gutmann
- Re: [TLS] prohibit <1.2 on clients (but allow ser… Geoff Keating
- Re: [TLS] prohibit <1.2 support on 1.3+ servers (… Jeffrey Walton
- Re: [TLS] prohibit <1.2 support on 1.3+ servers (… Florian Weimer
- Re: [TLS] prohibit <1.2 on clients (but allow ser… Yuhong Bao
- Re: [TLS] prohibit <1.2 on clients (but allow ser… Martin Thomson
- Re: [TLS] prohibit <1.2 on clients (but allow ser… Salz, Rich