Re: [TLS] Working Group Last Call for draft-ietf-tls-sslv3-diediedie-00

Peter Gutmann <pgut001@cs.auckland.ac.nz> Wed, 28 January 2015 08:06 UTC

Return-Path: <pgut001@cs.auckland.ac.nz>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 07F8E1A00E9 for <tls@ietfa.amsl.com>; Wed, 28 Jan 2015 00:06:43 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.21
X-Spam-Level:
X-Spam-Status: No, score=-4.21 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_MED=-2.3, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4xugbEw1v1hx for <tls@ietfa.amsl.com>; Wed, 28 Jan 2015 00:06:35 -0800 (PST)
Received: from mx2.auckland.ac.nz (mx2.auckland.ac.nz [130.216.125.245]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5F6C31A004C for <tls@ietf.org>; Wed, 28 Jan 2015 00:06:35 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=auckland.ac.nz; i=@auckland.ac.nz; q=dns/txt; s=uoa; t=1422432395; x=1453968395; h=from:to:subject:date:message-id: content-transfer-encoding:mime-version; bh=Tc+22tEYWls/nVxO5JlUbUrLDLwxVzq+uh3bVkZJYRM=; b=HcYyhixjHzL0VyGmh6M+W495kCjAVMO7bOAhQEFQHm/V2xLJvL27Sf2s foSnAl/fyQsXGlKGJ/RqaamLl5YDLghc9rI8OeEc641GtTGWkPXDdDfpJ fDq1Z26s6AWLzHlb8zMCkNu3gZVhMroSuMDMkHDDA0TcdE2Yu7Boo+vCY I=;
X-IronPort-AV: E=Sophos;i="5.04,630,1406548800"; d="scan'208";a="304108544"
X-Ironport-HAT: MAIL-SERVERS - $RELAYED
X-Ironport-Source: 130.216.4.125 - Outgoing - Outgoing
Received: from uxchange10-fe3.uoa.auckland.ac.nz ([130.216.4.125]) by mx2-int.auckland.ac.nz with ESMTP/TLS/AES256-SHA; 28 Jan 2015 21:06:34 +1300
Received: from UXCN10-TDC05.UoA.auckland.ac.nz ([169.254.9.148]) by uxchange10-fe3.UoA.auckland.ac.nz ([169.254.143.234]) with mapi id 14.03.0174.001; Wed, 28 Jan 2015 21:06:33 +1300
From: Peter Gutmann <pgut001@cs.auckland.ac.nz>
To: "<tls@ietf.org>" <tls@ietf.org>
Thread-Topic: [TLS] Working Group Last Call for draft-ietf-tls-sslv3-diediedie-00
Thread-Index: AdA60VPfS8MwK9YHRGeU1+dc4LoiMg==
Date: Wed, 28 Jan 2015 08:06:32 +0000
Message-ID: <9A043F3CF02CD34C8E74AC1594475C73AAF694DD@uxcn10-tdc05.UoA.auckland.ac.nz>
Accept-Language: en-NZ, en-GB, en-US
Content-Language: en-NZ
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [130.216.158.4]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/T3LlAlU6juAg0fsJG1XFyjDuZ-s>
Subject: Re: [TLS] Working Group Last Call for draft-ietf-tls-sslv3-diediedie-00
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 28 Jan 2015 08:06:43 -0000

Dave Garrett <davemgarrett@gmail.com> writes:

>Is it at all practical to publish an TLS RFC stating intent to deprecate TLS
>1.0/1.1 within some fixed timeframe? I think everyone would rather phase it
>out then have to "be the hitman" each time.

I'm happy to have 1.0 phased out, but I'd make the baseline 1.1, not 1.2.  1.1
fixes the major issues with SSL (no support for extensions, no per-message IV)
without being a major rewrite like 1.2 is.  There's an awful lot of stuff
outside of the browser world that can move to 1.1 if it isn't there already,
but that's going to take a long, long time to move to 1.2 if it ever does.
Killing 1.0 (which is really just SSL IETF-ised) is a pretty straightforward
step if you're already getting rid of SSL because it has most of the same
problems, but deprecating 1.1 is going a bit too far.

Peter.