[TLS] Re: Adoption call for TLS 1.2 Update for Long-term Support

Eric Rescorla <ekr@rtfm.com> Tue, 05 November 2024 21:46 UTC

Return-Path: <ekr@rtfm.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3A332C14F614 for <tls@ietfa.amsl.com>; Tue, 5 Nov 2024 13:46:43 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.903
X-Spam-Level:
X-Spam-Status: No, score=-1.903 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20230601.gappssmtp.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id faz5jUtSMqIQ for <tls@ietfa.amsl.com>; Tue, 5 Nov 2024 13:46:38 -0800 (PST)
Received: from mail-yb1-xb2f.google.com (mail-yb1-xb2f.google.com [IPv6:2607:f8b0:4864:20::b2f]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 99CDEC1D8752 for <tls@ietf.org>; Tue, 5 Nov 2024 13:46:24 -0800 (PST)
Received: by mail-yb1-xb2f.google.com with SMTP id 3f1490d57ef6-e2974743675so5112943276.1 for <tls@ietf.org>; Tue, 05 Nov 2024 13:46:24 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20230601.gappssmtp.com; s=20230601; t=1730843183; x=1731447983; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=cflcG3Mitt9Cg4f/aPdibldgeXQEku07Z8LMoMN6DtM=; b=JyQBjvCcXJOBq90JN9lW5iKq5mIDN03qkVeCQVy7a/dQn1qFFnysGaUfJ2dl2FxM3b nQt9lbyr9uDEjghaZ3gN4mu2b+FDoRxZYlRyydVD87yIT3LY2Mp0m93aeSKOeX3pWxx4 0fQ2xR0gL2DZLCBjim1uWw1GSIopy1Wp+32X8JGgz4Da6RcwBqtL973mt0rqR5uMf3wm n7ZOhfCCDlVd7b27eqB1X+TEkIMv+R6OCAHn4N618L2GSWl1tjbQXElfmaNB00oYo6Rq rCLM2AsZG6zSkbO3h9xUOTnT8Nuv2TLNCzGo7CaG6KosoQ5md6nLfhrk+gC1hlGM35c5 Dx4A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1730843183; x=1731447983; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=cflcG3Mitt9Cg4f/aPdibldgeXQEku07Z8LMoMN6DtM=; b=TLGB6v9YDGgYHN03FrhTWT4fTiJKDQPj7JTysLJrecQxO/9edy5MNVJTY9bSQxh2ps f+9MZACvA4RZ4w6yZNrTh63pjHV+8nEdgANcnHyASCXkogJd5IFABEezJXZw1Bm03RR+ Wp9ZpCVxC7mqQt+qUDInc/Y6YjeqRkc6xEWLi2ZtaIDfPyywdYYJvu8Zn0r7sqy9NykE I7G4pH0iC6L/XpVJ8wBLvQqNUHCb7RlnLw5u+9MbJQx0aw5CqiPH2vUfmL4zbiy+o7oL 0fZRRKmIwk1YSPUhWDMLYHxu9+/TwSTnjNZrhezWEOXcK6j68r5FE/DFpTFQHKUp8n6q uMHg==
X-Forwarded-Encrypted: i=1; AJvYcCUFhVEuQ1tjr7rxTzOMwKiV+yM3fdzBHQvlOh763BN+tZCCJTC6aKlb886vhJylpA4SNxg=@ietf.org
X-Gm-Message-State: AOJu0YwOotz6Ph99jR1oYsI3eeMnOAMLX5U4uR+hFIAHageaK30FVrCx AZg+OSYhqHcJZX/2cBXmWXR74L6a6zIvwUNd/AyA7Iv8hCM2c46HGjqbfQbbVOE49w962Dn67gb AhuK6qr4sq1zs5W7m3BpYmBwd1eJSW0QBz40Hgpoqu2udWHGq/QZcVA==
X-Google-Smtp-Source: AGHT+IEHZxqk8HtBMtK9DdRJqpNRxUiOZueUhUtdC8bljugA1ZcGv+7u+HmEFwUYmyKxtPHaGwkjXZiUmrruf9iO+qo=
X-Received: by 2002:a05:690c:620a:b0:6e7:f940:fe81 with SMTP id 00721157ae682-6ea523213b2mr224556297b3.6.1730843183309; Tue, 05 Nov 2024 13:46:23 -0800 (PST)
MIME-Version: 1.0
References: <278163DF-0CB8-472F-84CB-0B8236FEC7C1@sn3rd.com> <231D5F24-E1AE-4F7C-9860-F6B0FF79D6FF@akamai.com> <CACcvr=nX=pk+uZMgBomWjaD54aW0KRtbL-voY4-PHCynELZdDw@mail.gmail.com> <9CE2D516-B780-481A-8A5D-E5DEC900D2E6@broadcom.com>
In-Reply-To: <9CE2D516-B780-481A-8A5D-E5DEC900D2E6@broadcom.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Tue, 05 Nov 2024 13:45:47 -0800
Message-ID: <CABcZeBNbNU0qrzGj3O8dkjOHL3atzO287UF=YbW1C161mG-b3w@mail.gmail.com>
To: Arnaud Taddei <arnaud.taddei=40broadcom.com@dmarc.ietf.org>
Content-Type: multipart/alternative; boundary="0000000000001a82d706263155a3"
Message-ID-Hash: CFKJH5JLNXQZXQWKDQEXDZ7BYTAGLVGJ
X-Message-ID-Hash: CFKJH5JLNXQZXQWKDQEXDZ7BYTAGLVGJ
X-MailFrom: ekr@rtfm.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-tls.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: Rich Salz <rsalz=40akamai.com@dmarc.ietf.org>, "TLS@ietf.org" <tls@ietf.org>
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [TLS] Re: Adoption call for TLS 1.2 Update for Long-term Support
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/SH83eU2SRu5m4b7C6cFEgSSD3oM>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Owner: <mailto:tls-owner@ietf.org>
List-Post: <mailto:tls@ietf.org>
List-Subscribe: <mailto:tls-join@ietf.org>
List-Unsubscribe: <mailto:tls-leave@ietf.org>

I am against adoption.

As Nick and Watson note, this is not just a profile of TLS 1.2 but is
rather a set of negotiated with a new extension code point, i.e., it's
effectively a new version of TLS with as yet only lightly analyzed security
properties. We already have a new version of TLS which has been heavily
analyzed and widely deployed, namely TLS 1.3.

There's nothing stopping people deploying this if they want to and in fact
there is already a code point assigned. However, the TLS WG should not take
up this work.

-Ekr

On Tue, Nov 5, 2024 at 1:21 PM Arnaud Taddei <arnaud.taddei=
40broadcom.com@dmarc.ietf.org> wrote:

> I do support the adoption of this draft.
>
> This draft is a very good product and the details and care that this draft
> exhibits is in itself a testimony of someone who has a real production
> experience, is realistic and pragmatic.
>
> There is a big difference between
> patching an endpoint to a variation of TLS1.2 which is meant to work in a
> ’TLS1.2 designed environment”
> Vs
> patching an endpoint to TLS1.3 in an environment that was ’TLS1.2 designed
> environment’
>
> If the organisation that needs to manage a security risk is given a choice
> of
> 1) Patch to TLS-LTS
> 2) Patch to TLS1.3
>
> Any risk manager is going to ask the qualification of the implications on
> both and the result will be that 1) will be far less intrusive and risky
> than 2)
>
> Moreover the bench-test platform that the solution needs to go through to
> prove its production readiness may not be able to support TLS1.3 at all.
>
> Not adopting this draft leaves only one choice to any customer with no
> guarantees that the patching to TLS1.3 will work in its TLS1.2 designed
> end-to-end environment at a manageable time, cost and ‘go to production’ or
> ‘go to market’ time, and risk.
>
> Worse, it could have unanticipated consequences like breaking compliancy
> to regulations, to safety and I can just imagine how it could move the
> risks from bits and bytes to blood and flesh.
>
> My 0.02 Swiss francs
>
> *Arnaud Taddei*
> Global Security Strategist | Enterprise Security Group
>
> *mobile:* +41 79 506 1129
> Geneva, Switzerland
> arnaud.taddei@broadcom.com | broadcom.com
>
> On 5 Nov 2024, at 19:48, Nick Harper <ietf@nharper.org> wrote:
>
> I understand the stated goal of this draft to be to provide a way for
> hard-to-update endpoints to keep using TLS 1.2 in a secure way. The idea of
> a document that describes how to safely deploy TLS 1.2 sounds like a good
> idea, e.g. "use only these cipher suites, require EMS and RI, etc". This
> draft is not that.
>
> This draft makes changes to the TLS handshake protocol, which undermines
> the goal of supporting hard-to-update endpoints. The two changes made to
> the protocol are also addressed by RFC 8446. If endpoints need to be
> updated to support TLS-LTS, it would make more sense to update them to
> support TLS 1.3 than TLS-LTS.
>
> The rationale section (3.7) of the draft presents two reasons for using
> TLS-LTS over TLS 1.3. The first is the slow deployment cadence of a new
> protocol. LTS requires a change to the protocol and deployment of that new
> change, no different from 1.3. The second reason is fear of the unknown in
> 1.3: "TLS 1.3 is an almost entirely new protocol. As such, it rolls back
> the 20 years of experience that we have with all the things that can go
> wrong in TLS". The 20 years of all the things that can go wrong in TLS were
> due to unsound cryptographic decisions. The research and analysis that
> found those 20 years of issues was applied to the design of 1.3 to avoid
> making the same mistakes. 1.3 doesn't roll back that experience, and we now
> have over 8 years of experience with 1.3.
>
> I do not support adoption of the draft in this format. If the draft made
> no changes to the TLS 1.2 protocol and were deployable only through
> configuration changes (e.g. a fixed list of cipher suites and extensions),
> I would probably support it.
>
> On Tue, Nov 5, 2024 at 11:02 AM Salz, Rich <rsalz=
> 40akamai.com@dmarc.ietf.org> wrote:
>
>> I strongly support adoption.
>>
>> I do not understand why anyone would be opposed to the IETF making
>> deployment recommendations. I can understand why someone might be bothered
>> by the impliciation that *THIS ONE WAY* is the only way to get long-term
>> support, especially if it's seen to contradict our encouragement of TLS
>> 1.3. But that is an editorial issue that can be easily fixed.
>>
>> I would like to see this adopted, a short change cycle, and then advanced
>> in the same cluster with our TLS 1.2 is frozen document.
>>
>>
>> _______________________________________________
>> TLS mailing list -- tls@ietf.org
>> To unsubscribe send an email to tls-leave@ietf.org
>>
> _______________________________________________
> TLS mailing list -- tls@ietf.org
> To unsubscribe send an email to tls-leave@ietf.org
>
>
>
> This electronic communication and the information and any files
> transmitted with it, or attached to it, are confidential and are intended
> solely for the use of the individual or entity to whom it is addressed and
> may contain information that is confidential, legally privileged, protected
> by privacy laws, or otherwise restricted from disclosure to anyone else. If
> you are not the intended recipient or the person responsible for delivering
> the e-mail to the intended recipient, you are hereby notified that any use,
> copying, distributing, dissemination, forwarding, printing, or copying of
> this e-mail is strictly prohibited. If you received this e-mail in error,
> please return the e-mail to the sender, delete it from your computer, and
> destroy any printed copy of it.
> _______________________________________________
> TLS mailing list -- tls@ietf.org
> To unsubscribe send an email to tls-leave@ietf.org
>