[TLS] TLS1.2 vs TLS1.0
Ulrich Herberg <ulrich@herberg.name> Mon, 20 May 2013 20:47 UTC
Return-Path: <ulrich@herberg.name>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1632F21F965C for <tls@ietfa.amsl.com>; Mon, 20 May 2013 13:47:11 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.978
X-Spam-Level:
X-Spam-Status: No, score=-1.978 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, NO_RELAYS=-0.001]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dtTdie9q3SP4 for <tls@ietfa.amsl.com>; Mon, 20 May 2013 13:47:10 -0700 (PDT)
Received: from mail-vb0-x235.google.com (mail-vb0-x235.google.com [IPv6:2607:f8b0:400c:c02::235]) by ietfa.amsl.com (Postfix) with ESMTP id 20C7821F9654 for <tls@ietf.org>; Mon, 20 May 2013 13:47:09 -0700 (PDT)
Received: by mail-vb0-f53.google.com with SMTP id i3so4146251vbh.12 for <tls@ietf.org>; Mon, 20 May 2013 13:47:09 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=herberg.name; s=dkim; h=mime-version:x-received:date:message-id:subject:from:to :content-type; bh=GencEU9eo1qcngfQk4Fhi2VcE5L3G0ckdIvPlLoFf1A=; b=rCQ37SC2nKHV9+ijmIjFRCQefCfJ+0QhyiKU14L36orKarIeBsaTzLHxpW7DbS3Knk wrS9b2RgRxo1sRhL+5CpQcnS4yhs8UcQHBuwroSrVtafHnDnnd4Dy8ksXiZHisJ86dPe pwS+9XegIEsHr9o8ozsn7UJAXjXUWaO4Y/8p0=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:x-received:date:message-id:subject:from:to :content-type:x-gm-message-state; bh=GencEU9eo1qcngfQk4Fhi2VcE5L3G0ckdIvPlLoFf1A=; b=SwBglDHPl7nNXqWmFuNh9xUap1eSotpKCoq2Wn6fzAY1LapUg4H9BT13VTcG1Ua8wP /TqgsLX6M3fC1rbpzHSgzdjAsTZXLJyyX1x9GwRSR377b9/wsaku8nonrAz0k3GV0Erb 3xdXIOy72L79NcdXveoAm0TfCw0+T7s2hjcrR2xkFTeVE7s7gTppqZTYdo6dpMHkyvpC bafZzShYban5yy55GkauQhMlp5eSoeTOQopTf3S1KW17pFXTi9ztRzOEP+dO0qR4FcpK /dAG71j1yVHiBV7mE/d4Rq3qtoX12op3RmxEuQ53LQkaDicncrEo8JZIqI4iUENG+JGn hoSA==
MIME-Version: 1.0
X-Received: by 10.52.165.76 with SMTP id yw12mr11635061vdb.93.1369082828940; Mon, 20 May 2013 13:47:08 -0700 (PDT)
Received: by 10.220.195.134 with HTTP; Mon, 20 May 2013 13:47:08 -0700 (PDT)
Date: Mon, 20 May 2013 13:47:08 -0700
Message-ID: <CAK=bVC8EZCCpG4+kzYUk+i5a_=Nh4AEGkuFJEC45cBSLLdnoTg@mail.gmail.com>
From: Ulrich Herberg <ulrich@herberg.name>
To: tls@ietf.org
Content-Type: text/plain; charset="ISO-8859-1"
X-Gm-Message-State: ALoCoQlBzMBvgRwYE0PLd9Hft4AJeNliZDvv1j19f8MVBuLbpsUa6gUAQLOghRZN0Tb4zv23nzEU
Subject: [TLS] TLS1.2 vs TLS1.0
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 20 May 2013 20:47:11 -0000
Hi, I have not followed this WG, so please forgive me if a similar question has already been discussed. I am participating in another SDO on a standard for automated Demand Response, called OpenADR (www.openadr.org), an application for the smart grid. The application is basically a web service, exchanging XML over HTTP over public networks, and using TLS (with RSA and ECDSA / SHA1 ciphers for TLS 1.0 and SHA2 for TLS1.2). Currently, the draft allows for TLS1.0 and 1.1, but recommends using 1.2 (and requires vendors to provide a migration plan in case TLS1.0 is obsoleted) . TLS1.0 and 1.1 RFCs have been obsoleted by the IETF; but I am not sure about the best current practice. Is it absolutely discouraged to use them? The argument in the OpenADR alliance is that many libraries and programming languages do not support TLS1.2, so they recommend to start the handshake with 1.2 and then downgrade - if required - to 1.0. I read that NIST disallows SHA1 after 2013; which would also affect TLS1.0, which does not support SHA2. What would be your recommendation in this case? Mandate TLS1.2 and disallow TLS1.0? Or just strongly recommend ("SHOULD") to use TLS1.2 and SHA2 ciphers, and otherwise to use TLS1.0? Best regards Ulrich
- Re: [TLS] TLS1.2 vs TLS1.0 Paul Duffy
- [TLS] TLS1.2 vs TLS1.0 Ulrich Herberg
- Re: [TLS] TLS1.2 vs TLS1.0 Robert Cragie
- Re: [TLS] TLS1.2 vs TLS1.0 Nikos Mavrogiannopoulos
- Re: [TLS] TLS1.2 vs TLS1.0 Hanno Böck
- Re: [TLS] TLS1.2 vs TLS1.0 David McGrew (mcgrew)
- Re: [TLS] TLS1.2 vs TLS1.0 Martin Rex
- Re: [TLS] TLS1.2 vs TLS1.0 Paterson, Kenny
- Re: [TLS] TLS1.2 vs TLS1.0 Martin Rex
- Re: [TLS] TLS1.2 vs TLS1.0 Ulrich Herberg
- Re: [TLS] TLS1.2 vs TLS1.0 Xiaoyong Wu
- Re: [TLS] TLS1.2 vs TLS1.0 Eric Rescorla
- Re: [TLS] TLS1.2 vs TLS1.0 Ulrich Herberg
- Re: [TLS] TLS1.2 vs TLS1.0 Ulrich Herberg
- Re: [TLS] TLS1.2 vs TLS1.0 Geoffrey Keating
- Re: [TLS] TLS1.2 vs TLS1.0 Martin Rex
- Re: [TLS] TLS1.2 vs TLS1.0 Martin Rex
- Re: [TLS] TLS1.2 vs TLS1.0 Martin Rex
- Re: [TLS] TLS1.2 vs TLS1.0 Eric Rescorla
- Re: [TLS] TLS1.2 vs TLS1.0 Kemp, David P.
- Re: [TLS] TLS1.2 vs TLS1.0 Peter Gutmann
- Re: [TLS] TLS1.2 vs TLS1.0 Simon Josefsson