Re: [TLS] Industry Concerns about TLS 1.3

Tony Arcieri <bascule@gmail.com> Mon, 03 October 2016 22:52 UTC

Return-Path: <bascule@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4B844129413 for <tls@ietfa.amsl.com>; Mon, 3 Oct 2016 15:52:11 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id it9AFV9DuyCT for <tls@ietfa.amsl.com>; Mon, 3 Oct 2016 15:52:09 -0700 (PDT)
Received: from mail-ua0-x231.google.com (mail-ua0-x231.google.com [IPv6:2607:f8b0:400c:c08::231]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 87B1A1293FE for <tls@ietf.org>; Mon, 3 Oct 2016 15:52:09 -0700 (PDT)
Received: by mail-ua0-x231.google.com with SMTP id u68so22549665uau.2 for <tls@ietf.org>; Mon, 03 Oct 2016 15:52:09 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=RIsitqjmWA1zUKunOHYQaamtmL/Dy6z9lEnYBeMnbcQ=; b=AxbjS6bNyU58nj46yiBvW0o+gjsifFqJwYDS6Z3wRllhf6l/MXP/mYRREIdxkMWJ0G H3TkPaH5Tl5SzWoEIv1lXI1ceTQ+UQw7PrVskHcRexoKeTF5v0FZYF276yWV9i+JqRUq +sa2IT6F+kggWBTbZKHtCvq/3+vU2Jtd4p96O6fjjwgOUkeNBLdor+6g39j3W+CUMmCy J9CBrCrMi9pXbmvsfDRFzRPAiJDaZxkQs+XAVqTQF8XtZPdpFV70EZneh7ZKBKy7tSkT TRpu0XgLyFgyq3zdZx/s0bAYr5VWdR4ZBJH5w+Mdm6DjQdWA5OmtmJqr1YAtCKZd6em9 q5SA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=RIsitqjmWA1zUKunOHYQaamtmL/Dy6z9lEnYBeMnbcQ=; b=JsJvPCjqrEUQsyVtCNLgTkqHqeYqGX6BXofDPbjs+oKverBfkbDT7nQNNRn87mP2Zy LQJ/b1Vs7Vw3TkBgFxi6afhU+wDZUmFYD9SGJsUm1NMLOg4FXqv00V8Fk7RBlr+tWNNN /CFadC1stP/Olxd4/f1CJcACOAqiaIbzR8QXVTCPfjiWEYyJrvZMPPcUtuD/mV9dIpoV 9qtMezsNbkT2BB+dgGMRUybMmN+ABpUqF5kLFXhxOeRaD5F/giwXXzORUosEUVxeVeoJ sM8TBu/aMxLqBUodLTrZtGo9fLzLun8yyYsUzYuP//fG6JUiTEzkGQgHHa2YmwITRgL5 rKTw==
X-Gm-Message-State: AA6/9RmFdeasz5YtYZpsO9lig3SNP6GLNHZ4kRFac58Cn9ByK/4NaWuY9WnamfJQUOgz/2+1WjGVWn3WUdTE4g==
X-Received: by 10.159.49.83 with SMTP id n19mr319374uab.113.1475535128656; Mon, 03 Oct 2016 15:52:08 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.103.153.195 with HTTP; Mon, 3 Oct 2016 15:51:48 -0700 (PDT)
In-Reply-To: <DM5PR11MB141951D29143A6785089FC5CF4C20@DM5PR11MB1419.namprd11.prod.outlook.com>
References: <DM5PR11MB1419B782D2BEF0E0A35E420DF4C90@DM5PR11MB1419.namprd11.prod.outlook.com> <CO1PR07MB283F2C414B6478E993675DEC3C90@CO1PR07MB283.namprd07.prod.outlook.com> <394611bf-208f-03d3-620c-79aaf169645b@cs.tcd.ie> <4FC37E442D05A748896589E468752CAA0DBC66AE@PWN401EA120.ent.corp.bcbsm.com> <CAH8yC8kgYzYXwJ01NkK7WYxD-diponWEQOd+MNHssm+bLHE54w@mail.gmail.com> <4FC37E442D05A748896589E468752CAA0DBC699B@PWN401EA120.ent.corp.bcbsm.com> <CACsn0c=5vjzQmr=ah6sH1JzTj3peaKad7aCPertcqD4B2DLKiA@mail.gmail.com> <DM5PR11MB141941D8E156245A1CF6C911F4C80@DM5PR11MB1419.namprd11.prod.outlook.com> <126ee1b6-fc88-bf4e-c366-60d59a9b3350@gmail.com> <DM5PR11MB1419F8F0D0C80835C1DB49F2F4C80@DM5PR11MB1419.namprd11.prod.outlook.com> <CAK6vND_S-YRfY5mpvt_v_srNhdvYJkM8pVV84bywr9zMaYoE6A@mail.gmail.com> <DM5PR11MB1419620B8BA15C7780F60669F4CD0@DM5PR11MB1419.namprd11.prod.outlook.com> <CAHOTMVLv7F3-ZuKM+35eL-tOtr8ee-1gqwYy+9zQu2GKrsXkjQ@mail.gmail.com> <DM5PR11MB141951D29143A6785089FC5CF4C20@DM5PR11MB1419.namprd11.prod.outlook.com>
From: Tony Arcieri <bascule@gmail.com>
Date: Mon, 3 Oct 2016 15:51:48 -0700
Message-ID: <CAHOTMVJL9kKmAVvg3f1MHe=iBSrotAxe8JRRkDTydEfj4hrg7g@mail.gmail.com>
To: BITS Security <BITSSecurity@fsroundtable.org>
Content-Type: multipart/alternative; boundary=f403045dce8a328416053dfdcb1a
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/RbN5OpeafaG6WY5_ZvSmcMJ066Q>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Industry Concerns about TLS 1.3
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 03 Oct 2016 22:52:11 -0000

On Mon, Oct 3, 2016 at 2:21 PM, BITS Security <BITSSecurity@fsroundtable.org
> wrote:

> If PCI has mandated upgrading TLS because of vulnerabilities, they are
> likely to do it again and in fact have provided strong hints to the market
> where they should be beyond the minimum requirement itself.


This is simply not true. In 2015 the PCI council was pushing for updating
to TLS 1.1+ in short order, but backed off out of "industry concerns"
similar to the ones you are voicing here, and have delayed the mandatory
rollout of TLS 1.1 until 2018.

That's at least two years away.

After that, they will deprecate TLS 1.1. That will probably take at least a
year. So in 2019 (again, pure speculation as to the earliest time this will
possibly happen), TLS 1.2 will be mandatory.

After that, they may deprecate TLS 1.2 if it is demonstrated to be
insecure. There is no reason to suspect at this point that that will even
happen. TLS 1.2 is generally recognized as secure, and the "LTS" profile
should fix whatever low-priority security concerns remain.


> I don't see that the timing really matters because it isn't based on the
> age of the standard, it is based on the standard becoming outdated.


That is absolutely not true. The PCI's motivation for TLS version upgrades
has been real-world security vulnerabilities, and again, it took them 15
years to deprecate TLS 1.0.

There is absolutely no evidence that the PCI council plans on making TLS
1.3 mandatory any time soon, and if we follow a version-a-year cadence
(which they're NOT presently working on, based on the one deprecation data
point we have it's ~3 years per version) it will be 2020 at the earliest
before it happens.

You are asking the IETF to make a serious compromise regarding the security
of the Internet based on *pure speculation*. A minimum degree of due
diligence here would be to first ask the PCI council what their plans for
mandating TLS 1.3 actually are, and if they *actually* give you a date that
scares you, that might be a reason to voice concern so late in the process.

I think what you're proposing is actively harmful to Internet security and
you should be working with the PCI Council, not the IETF, to address your
concerns.

-- 
Tony Arcieri