Re: [TLS] [Last-Call] Last Call: <draft-ietf-tls-oldversions-deprecate-09.txt> (Deprecating TLSv1.0 and TLSv1.1) to Best Current Practice

"STARK, BARBARA H" <bs7652@att.com> Wed, 02 December 2020 16:20 UTC

From: "STARK, BARBARA H" <bs7652@att.com>
To: "'Ackermann, Michael'" <MAckermann@bcbsm.com>, 'Eliot Lear' <lear=40cisco.com@dmarc.ietf.org>, 'Peter Gutmann' <pgut001@cs.auckland.ac.nz>
CC: "'draft-ietf-tls-oldversions-deprecate@ietf.org'" <draft-ietf-tls-oldversions-deprecate@ietf.org>, "'last-call@ietf.org'" <last-call@ietf.org>, "'tls@ietf.org'" <tls@ietf.org>, "'tls-chairs@ietf.org'" <tls-chairs@ietf.org>
Date: Wed, 02 Dec 2020 16:19:56 +0000
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/R2BdmsvnVlW4igoR25gtu2r0f4E>

Hi Mike,

> As an Enterprise person I can say we are not well equipped to be aware of
> nor react "Nimbly" to changes such as this.  Wide scope and security related
> changes can require major changes to core Business systems.  This can mean
> significant time, effort and/or $$$.

I have to disagree with you. In my experience, enterprises have shown themselves
to be extremely well-equipped and capable of ignoring (and even being
blissfully unaware of) IETF RFCs wrt their
internal networks when they so choose. For example, IPv6 deployment. 😊
But the fact that the US government (and other governments)
have already deprecated use of these technologies inside govt
networks is probably something enterprises who do business with governments
can't ignore (unlike IETF RFCs). 

> The biggest barrier is that this topic is not currently on the Planning or Budget
> radar at all, and usually takes 1-2 years (or more) to achieve either.

I see no barrier to enterprises ignoring IETF RFCs wrt their internal networks.
But I'm surprised that US enterprises who contract with the US federal govt
wouldn't have put this on their radar long ago, since
the NIST first draft proposing deprecating these appeared 3 years ago, and the NIST
SP 800-52 Rev. 2 final version (officially deprecating them) was published over a year ago.
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-52r2.pdf
See Section 3 for minimum requirements for TLS servers and
Appendix F for a specific discussion of TLS 1.0 and 1.1 client support.
 
> On one side of such issues, I don't think IETF understands the above and on
> the other side Enterprises are unaware of developments at IETF and other
> SDO's.    Bridging that important gap is not unique to this topic.

This IETF BCP will be very easy for enterprises to ignore wrt their internal networks.
There is no need for enterprises to be aware of this BCP. But it may behoove
some enterprises to be aware of documents their govts have published.

Barbara

> -----Original Message-----
> From: TLS <tls-bounces@ietf.org> On Behalf Of Eliot Lear
> Sent: Wednesday, December 2, 2020 5:54 AM
> To: Peter Gutmann <pgut001@cs.auckland.ac.nz>
> Cc: draft-ietf-tls-oldversions-deprecate@ietf.org; last-call@ietf.org; STARK,
> BARBARA H <bs7652@att.com>; tls@ietf.org; tls-chairs@ietf.org
> Subject: Re: [TLS] [Last-Call] Last Call: <draft-ietf-tls-oldversions-deprecate-09.txt> (Deprecating TLSv1.0 and TLSv1.1) to Best Current Practice
> 
> 
> > On 2 Dec 2020, at 11:44, Peter Gutmann <pgut001@cs.auckland.ac.nz> wrote:
> >
> >
> > It's actually the complete opposite, they will have every difficulty
> > in doing so.  You've got systems engineers whose job it is to keep
> > things running at all costs, or where the effort to replace/upgrade is
> > almost insurmountable, who now have to deal with pronouncements from
> > standards groups that insist they not keep things running.  I don't
> > know where you get this idea that this will cause "no difficulty"
> > from, it's a source of endless difficulty and frustration due to the
> > clash between "we can't replace or upgrade these systems at the
> > moment" and "there's some document that's just popped up that says we
> > need to take them out of production and replace them".
> 
> 
> That is as it should be.  Let everyone understand the risks and make
> informed decisions.  This draft does an excellent job at laying out the
> vulnerabilities in TLS 1.0 and 1.1.  What it cannot do is adjudicate risk in every
> situation.  If someone has done so and decided that the risk is acceptable,
> very well.  They went in eyes wide open, and Stephen and friends helped.
> 
> Eliot