Re: [TLS] WGLC for "Deprecating TLSv1.0 and TLSv1.1"

Viktor Dukhovni <ietf-dane@dukhovni.org> Fri, 26 April 2019 01:30 UTC

Return-Path: <ietf-dane@dukhovni.org>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8AC391200A1 for <tls@ietfa.amsl.com>; Thu, 25 Apr 2019 18:30:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.2
X-Spam-Level:
X-Spam-Status: No, score=-4.2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TCb9OeI1BOpD for <tls@ietfa.amsl.com>; Thu, 25 Apr 2019 18:30:03 -0700 (PDT)
Received: from straasha.imrryr.org (straasha.imrryr.org [100.2.39.101]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D6BF0120086 for <tls@ietf.org>; Thu, 25 Apr 2019 18:30:03 -0700 (PDT)
Received: from [10.200.0.109] (unknown [8.2.105.17]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by straasha.imrryr.org (Postfix) with ESMTPSA id 8DF832AF5C8 for <tls@ietf.org>; Thu, 25 Apr 2019 21:30:01 -0400 (EDT)
Content-Type: text/plain; charset=utf-8
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.8\))
From: Viktor Dukhovni <ietf-dane@dukhovni.org>
In-Reply-To: <28511b10-8f6a-4394-95a9-5188130f7b58@www.fastmail.com>
Date: Thu, 25 Apr 2019 21:30:00 -0400
Content-Transfer-Encoding: quoted-printable
Reply-To: IETF TLS WG <tls@ietf.org>
Message-Id: <2EF7433E-DB94-497F-80D7-2A060097261B@dukhovni.org>
References: <28511b10-8f6a-4394-95a9-5188130f7b58@www.fastmail.com>
To: IETF TLS WG <tls@ietf.org>
X-Mailer: Apple Mail (2.3445.104.8)
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/TpO-u2_YmZbLPWsss3JK4IgEVNY>
Subject: Re: [TLS] WGLC for "Deprecating TLSv1.0 and TLSv1.1"
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 26 Apr 2019 01:30:07 -0000

> On Apr 12, 2019, at 7:28 PM, Christopher Wood <caw@heapingbits.net> wrote:
> 
> This is the working group last call for the "Deprecating TLSv1.0 and TLSv1.1” draft available at:
> 
>    https://datatracker.ietf.org/doc/draft-ietf-tls-oldversions-deprecate/
> 
> Please review the document and send your comments to the list by April 26, 2019.

My concern is whether the time is yet nigh for TLS 1.0 to be disabled
in opportunistic TLS in SMTP, or whether TLS 1.0 remains sufficiently
common to cause deprecation to do more harm than good via unnecessary
downgrades to cleartext.

I don't have survey numbers for SMTP TLS protocol versions across MTAs
generally to shed light on this, perhaps someone does.  What I do have
is numbers for those MTAs (not a representative sample) that have DANE
TLSA records (so presumably a greater focus on security).

The observed version frequencies are approximately:

	TLS 1.0:  1%
	TLS 1.1:  0%
	TLS 1.2: 87%
	TLS 1.3: 12%

essentially regardless of whether I deduplicate by name, IP or name and IP.
The respective sample sizes are 5435, 6938 and 7959.

So if a DANE-enabled sender were to disable TLS 1.0 today, approximately
1% of the destination MX hosts would be broken and need remediation.  These
handle just of 189 mostly small SOHO domains out of the ~1.1 million total
DANE SMTP domains, but four handle enough email to show up on the Gmail
SMTP transparency report:

  tu-darmstadt.de
  t-2.net
  t-2.com
  t-2.si

So on the whole, the draft should proceed, but some caution may be appropriate
outside the browser space, before operators start switching off TLS 1.0 support.

I don't see an operational considerations section.  Nor much discussion of
"less mainstream" (than Web browser) TLS application protocols.  Would a few
words of caution be appropriate, or is it expected that by the time the RFC
starts to change operator behaviour the "market share" of TLS 1.0 will be
substantially lower than I see today even with SMTP, XMPP, NTTP and the like.

[ I would speculate that TLS 1.0's share is noticeably higher among MTAs
  generally than among the bleeding-edge MTAs that have published DANE TLSA
  RRs. ]

-- 
	Viktor.