Re: [TLS] [Last-Call] Last Call: <draft-ietf-tls-oldversions-deprecate-09.txt> (Deprecating TLSv1.0 and TLSv1.1) to Best Current Practice

"STARK, BARBARA H" <bs7652@att.com> Tue, 01 December 2020 15:37 UTC

Return-Path: <bs7652@att.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 75BA93A1398; Tue, 1 Dec 2020 07:37:11 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.919
X-Spam-Level:
X-Spam-Status: No, score=-1.919 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_MSPIKE_H4=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=att.onmicrosoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Ff-3LeVkHb7o; Tue, 1 Dec 2020 07:37:10 -0800 (PST)
Received: from mx0a-00191d01.pphosted.com (mx0b-00191d01.pphosted.com [67.231.157.136]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 055A43A1431; Tue, 1 Dec 2020 07:36:58 -0800 (PST)
Received: from pps.filterd (m0049458.ppops.net [127.0.0.1]) by m0049458.ppops.net-00191d01. (8.16.0.43/8.16.0.43) with SMTP id 0B1FZ2o7019132; Tue, 1 Dec 2020 10:36:53 -0500
Received: from alpi155.enaf.aldc.att.com (sbcsmtp7.sbc.com [144.160.229.24]) by m0049458.ppops.net-00191d01. with ESMTP id 3544pq1s23-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Tue, 01 Dec 2020 10:36:53 -0500
Received: from enaf.aldc.att.com (localhost [127.0.0.1]) by alpi155.enaf.aldc.att.com (8.14.5/8.14.5) with ESMTP id 0B1Faq0r002586; Tue, 1 Dec 2020 10:36:52 -0500
Received: from zlp27128.vci.att.com (zlp27128.vci.att.com [135.66.87.50]) by alpi155.enaf.aldc.att.com (8.14.5/8.14.5) with ESMTP id 0B1Fak6T002480 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO); Tue, 1 Dec 2020 10:36:47 -0500
Received: from zlp27128.vci.att.com (zlp27128.vci.att.com [127.0.0.1]) by zlp27128.vci.att.com (Service) with ESMTP id 524054014C34; Tue, 1 Dec 2020 15:36:46 +0000 (GMT)
Received: from MISOUT7MSGEX2DC.ITServices.sbc.com (unknown [135.66.184.194]) by zlp27128.vci.att.com (Service) with ESMTPS id 38FD740135E8; Tue, 1 Dec 2020 15:36:46 +0000 (GMT)
Received: from MISOUT7MSGED1AA.ITServices.sbc.com (135.66.184.195) by MISOUT7MSGEX2DC.ITServices.sbc.com (135.66.184.194) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2044.4; Tue, 1 Dec 2020 10:36:45 -0500
Received: from MISOUT7MSGETA01.tmg.ad.att.com (144.160.12.221) by MISOUT7MSGED1AA.ITServices.sbc.com (135.66.184.195) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2044.4 via Frontend Transport; Tue, 1 Dec 2020 10:36:45 -0500
Received: from NAM10-MW2-obe.outbound.protection.outlook.com (104.47.55.102) by edgeso1.exch.att.com (144.160.12.221) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.1.2044.4; Tue, 1 Dec 2020 10:36:34 -0500
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=k64O8ytacEW8zPUEn4+cOFpzOogyeu8DbwN98Alb5zyUvT8YODX426G6tgmw8KLgmCGVdaltG7YuProOSGOlxz7GlWS1yULnFyx6KBPm+0HZUOZ0HLs1ymyybjTVJrVI2DV4Q+TwHhgEMhgHYIePZkg8BPq9SIwWECMhcoZ2CKzw+qbo9DprvjKqucPYQ72jkqUDAtSf44ayxkUJlmcIs8PDukhOyCl1ewrFQM7UzRbblCwX4ll/Vcwkn88MBSZd3i1Z5j4NFGO7oQXzwlKAOhx4p8rei2B686iTqkzBt7b9OfQmgOPdfWaQWTAsd4aGUW+vn2ixgZWVMF2anomXcQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=7LvXBUi4GcSHRWzywJmaMkdNQMOsAqC6Ie3vYXTTwsg=; b=n7R2fFkuV1Mv+vNpX4kGOcWg+VJ0m6f+eroehXUMBnpUeX0BDtZEcXaiqc3INW5Z1ltzUIJdNKx7mvkStFX+GzdRyLaTDbnwfkX9HsUTnh7YSUkA7Ob00TzdjBp6FMOfgxcFBfg/sqAIrVLV4VvlLAiKyjkdh43TMHh6lCDKwzdMt3ETsfZKsox7A6iNS+6c0ffv8lyfjQh8bqdDpu/8Qn15sy6H0+iABk5gs/g7KHtUVO8JuilOo8LwL1QoCHxp0hLKwmjPOhvAaoMQ8cBh1pu3ALh9KDPQZUu4+cDEUWk/rTiVrItKbvyRRkvBACIGrQaKQf/+2Yyz6RaHyYJXdw==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=att.com; dmarc=pass action=none header.from=att.com; dkim=pass header.d=att.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=att.onmicrosoft.com; s=selector2-att-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=7LvXBUi4GcSHRWzywJmaMkdNQMOsAqC6Ie3vYXTTwsg=; b=v5NDeUUgwAUrVmOUF7gGQa/tGVPpHyhg69d5gTZMS2QeZ4SCQN1+KjZCFeIU9pcdz5ca4G3mFh/k2cDzSu2ySA6EFiTdX85Jhp6QRlyh101DdpuDnLm4twYynSHl7X1obWNnUNS0GP9y37ihk0ZuQchJn0XNkQPZZd5olzxLlT0=
Received: from SN6PR02MB4512.namprd02.prod.outlook.com (2603:10b6:805:a4::13) by SA2PR02MB7548.namprd02.prod.outlook.com (2603:10b6:806:14a::16) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3611.22; Tue, 1 Dec 2020 15:36:33 +0000
Received: from SN6PR02MB4512.namprd02.prod.outlook.com ([fe80::1813:2439:6aac:fc24]) by SN6PR02MB4512.namprd02.prod.outlook.com ([fe80::1813:2439:6aac:fc24%6]) with mapi id 15.20.3611.031; Tue, 1 Dec 2020 15:36:33 +0000
From: "STARK, BARBARA H" <bs7652@att.com>
To: 'Eliot Lear' <lear=40cisco.com@dmarc.ietf.org>, 'Peter Gutmann' <pgut001@cs.auckland.ac.nz>
CC: "'last-call@ietf.org'" <last-call@ietf.org>, "'tls-chairs@ietf.org'" <tls-chairs@ietf.org>, "'draft-ietf-tls-oldversions-deprecate@ietf.org'" <draft-ietf-tls-oldversions-deprecate@ietf.org>, "'tls@ietf.org'" <tls@ietf.org>
Thread-Topic: [Last-Call] [TLS] Last Call: <draft-ietf-tls-oldversions-deprecate-09.txt> (Deprecating TLSv1.0 and TLSv1.1) to Best Current Practice
Thread-Index: AQHWx3lP/M2BSKTLEk2QRi0n2cnpS6nhaGuAgACRcICAAF4BAIAABLfw
Date: Tue, 01 Dec 2020 15:36:33 +0000
Message-ID: <SN6PR02MB4512D55EC7F4EB00F5338631C3F40@SN6PR02MB4512.namprd02.prod.outlook.com>
References: <160496076356.8063.5138064792555453422@ietfa.amsl.com> <49d045a3-db46-3250-9587-c4680ba386ed@network-heretics.com> <b5314e17-645a-22ea-3ce9-78f208630ae1@cs.tcd.ie> <1606782600388.62069@cs.auckland.ac.nz> <0b72b2aa-73b6-1916-87be-d83e9d0ebd09@cs.tcd.ie> <1606814941532.76373@cs.auckland.ac.nz> <36C74BF4-FF8A-4E79-B4C8-8A03BEE94FCE@cisco.com>
In-Reply-To: <36C74BF4-FF8A-4E79-B4C8-8A03BEE94FCE@cisco.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: dmarc.ietf.org; dkim=none (message not signed) header.d=none;dmarc.ietf.org; dmarc=none action=none header.from=att.com;
x-originating-ip: [45.18.123.63]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 138d9272-6dcd-4d19-cf29-08d8960ee1cc
x-ms-traffictypediagnostic: SA2PR02MB7548:
x-microsoft-antispam-prvs: <SA2PR02MB754883E775E7D75D0F23DC3FC3F40@SA2PR02MB7548.namprd02.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: 1NEtXEhMkgZGpNcKtVx7X2L36zF12hasA+ODLt4UPv1TIJjiViJnr6aj4u/CCsIhYVkuxFoHxv8MxwzrvmFT7zrURnUA/UrHvZaU2p9GXWFfuZ/6hCfAACn+Pv+eCGQBsP77BQD8y7QCPeh/UUo6Uny5PYESLmVX8I+iTf9IVB+zd1qt14Z/xfAGTeEa4gKHSaOIweAH4rYGyWEokHDYr2eWbej60R0IJMRD8M6iV3N9/gh0uENu8u7CrTFBbyHs95VRIUA4QPcnoxXD6qePVYcbtJxT3RHAAq5jEdiYyLZRIKxrB0/s4lhtRxzY0x7AFC7oHUzzpsBnPl6d0/6g9A==
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:SN6PR02MB4512.namprd02.prod.outlook.com; PTR:; CAT:NONE; SFS:(4636009)(39860400002)(376002)(136003)(346002)(396003)(366004)(316002)(186003)(8936002)(26005)(66946007)(83380400001)(7696005)(53546011)(86362001)(2906002)(76116006)(4326008)(82202003)(478600001)(71200400001)(6506007)(55016002)(8676002)(66574015)(66446008)(110136005)(9686003)(54906003)(52536014)(64756008)(66556008)(66476007)(33656002)(5660300002); DIR:OUT; SFP:1101;
x-ms-exchange-antispam-messagedata: nSjWZR7d0udsQ7xpi11eu7QjaVCDq/PQLl38xOdjBlCjg42E/ZD6T2M6+TlAC7k+nIi1DNXwXAF9bxYxLto0Px5YgL0K/mfuM3N5MnOk0YVK693WuzXJwQf8n+iP3vR122Dqev8BIKCG2TASSLqjrcNbPYmGhYB1bYFAGXWY2gLqjGkrauovwBF6klRCZZxTz9e88M9iTJKqAYO1A3txKaVN1eRbAPj4xVNbyOhshhBX1l5xlU8KS2WFiet2/2r0MCaI349rRicCsLFkalJUN6kCBeP5gpXXKpmzFjimfB5jWajhIp/p8VUbYgBqsNpGy2gbP/w5SeqylJvtBvr2jNyXpEdDzFDs3TkniUAQVn4Nhc4IDjkyxRZFJbbEmZ1AIwee/LVmkuH1YkaGI9JdTFYOtVI2Dae/GFYBbIcpvkLhR3ndj7SHv22RlzSRN22LW4nGmWT8IOuuPH080DOeHppjlgDqU0tS7O9SM85i81AdJnUUsM5+BKofpP4yvB9lK9uVuQNPrExyNEORNIhTwHtkw/cXU3YnZi8iD9t8v3VTLXgSK5Lx+3KQaXH9EuYCrBAcMkrr3XzmZSJJpqkiNfi+MthcSp5sZ8NUtehxh/zl8iwhSRtiP5P7uxqSt34CJ2UtIPiHzm4I9Hv7NTyHpPpSm+YYbHHUXqQEs7OqEQZ3RmNnZ61FrXimmnsq1jja+05Yyd5xF08bm5WwATLggKDi99efSgSI8saMugVbr/r+m1FKdJKkEKtxmkCPY5yEO4SW+FUVlTKk/hd9yd1fe5TElksks7RJxuFpCUZEsWPFTKHwrCNWmktSoeny4VLH0hTMOT5tfhN7sMRL2ZUmvxF0fb7pjQw5wATTGmEcbYTvrVB0NJaJFrs2N6HRtDEII4pdO06+SL2+StQx1zS76bgYGuwdDLT53Hw6uyOz0AW6qQXQVGHR2TjH5jZmcykM/R/MzPQV0hk2YJ+TuXjo04rteL53intGqOmuImPwT1M=
x-ms-exchange-transport-forked: True
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: SN6PR02MB4512.namprd02.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 138d9272-6dcd-4d19-cf29-08d8960ee1cc
X-MS-Exchange-CrossTenant-originalarrivaltime: 01 Dec 2020 15:36:33.3490 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: e741d71c-c6b6-47b0-803c-0f3b32b07556
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: QB1nM/IlqCU+TzjesLFrKNlntL3OSDPwrJUueiBCcZfFQoYfGtc9T9CiI7LyShgx
X-MS-Exchange-Transport-CrossTenantHeadersStamped: SA2PR02MB7548
X-OriginatorOrg: att.com
X-TM-SNTS-SMTP: D33CD2742BBD3759F066E6F6E890EBD7E998B5B2D3C55B7EA3A0D15412ED38A02
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.312, 18.0.737 definitions=2020-12-01_07:2020-11-30, 2020-12-01 signatures=0
X-Proofpoint-Spam-Details: rule=outbound_policy_notspam policy=outbound_policy score=0 phishscore=0 clxscore=1011 suspectscore=0 impostorscore=0 spamscore=0 bulkscore=0 lowpriorityscore=0 mlxscore=0 adultscore=0 mlxlogscore=774 priorityscore=1501 malwarescore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2009150000 definitions=main-2012010099
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/W1lxRWVWicb2WDd6viY16FI5oXE>
Subject: Re: [TLS] [Last-Call] Last Call: <draft-ietf-tls-oldversions-deprecate-09.txt> (Deprecating TLSv1.0 and TLSv1.1) to Best Current Practice
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 01 Dec 2020 15:37:12 -0000

> It is incredibly difficult to draw a line so precisely as to where the threat to a
> device begins and ends, given the wide range of deployment scenarios.  If a
> device can be at all critical (and even if it isn’t), then it should be upgraded or
> replaced.  Better that this be out there in its current form so that other
> organizations that specify TLS requirements can pick this document up
> without any wiggle room or ambiguity.  Also, we do not have a “Sometimes
> Deprecated” category, nor do I think we should start here.
> 
> Eliot

Speaking as someone who has participated in internal discussions on whether to ignore something like this (e.g., even after Wi-Fi Alliance deprecated WEP there was a decision to continue to support WEP for a few years because of the embedded base of non-upgradable devices; same for WPA1), I would suggest the strong, unambiguous statement with explanation for why the statement is being made. There is no need to describe (possible) exceptions. If someone feels a strong need to ignore this in their own network, they will have no difficulty doing so (and have no difficulty justifying it to themselves and others inside their org). I don't think IETF help is needed to figure out these scenarios/reasons/justifications.
Barbara

> > On 1 Dec 2020, at 10:29, Peter Gutmann <pgut001@cs.auckland.ac.nz>
> wrote:
> >
> > Stephen Farrell <stephen.farrell@cs.tcd.ie> writes:
> >
> >> That said, if someone had words to suggest that might garner consensus,
> that
> >> would be good.
> >
> > I think all it needs is something along the lines of "This BCP applies to TLS
> > as used on the public Internet [Not part of the text but meaning the area
> that
> > the IETF creates standards for].  Since TLS has been adopted in a large
> number
> > of areas outside of this, considerations for use in these areas are left to
> > relevant standards bodies to define".
> >
> > Peter.