Re: [TLS] Publication has been requested for draft-ietf-tls-oldversions-deprecate-05

"Martin Thomson" <> Thu, 10 October 2019 01:15 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 84D39120044 for <>; Wed, 9 Oct 2019 18:15:40 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key) header.b=Ot+qAKgP; dkim=pass (2048-bit key) header.b=QabBCmB/
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id B84W6P7gthMy for <>; Wed, 9 Oct 2019 18:15:39 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 2DD47120020 for <>; Wed, 9 Oct 2019 18:15:39 -0700 (PDT)
Received: from compute1.internal (compute1.nyi.internal []) by mailout.west.internal (Postfix) with ESMTP id 9728862B for <>; Wed, 9 Oct 2019 21:15:38 -0400 (EDT)
Received: from imap2 ([]) by compute1.internal (MEProxy); Wed, 09 Oct 2019 21:15:38 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; h=mime-version:message-id:in-reply-to:references:date:from:to :subject:content-type; s=fm3; bh=Xv/3joQpOpuvUABQ/J9Mi0Kec52AwHh n/shnAkuT+3s=; b=Ot+qAKgPCLgTMmk5pcMJGa75fFdOsPJS/zKDstKoqykdP3t W6114wBmE93ffYslg7R8dBq06nsQ9MBO51rPGFIIFydQPgrK/VfhkeD2RkbO+JdF dT6usdC62UKzoyCfElvpelux57xfKwcr48aF5Lyi+ZeVI7c25sg7Jx1nRJIFx8Kq iOcRhKMF7crvD8Cr1Yf7Fa/CLwkNCH5kiWLH/CUy0XYiUMOC8Qmwd/oWssGMo02L kMusg15EdXHURqD/F+46ZgX7BrFS64wgJje3M+bAYfN6oLf4TKkASmnwKAE8wPc4 CAReg37bl6kaCgvg7mSHu6/a/GZs9pk11CZufJA==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=; h=content-type:date:from:in-reply-to :message-id:mime-version:references:subject:to:x-me-proxy :x-me-proxy:x-me-sender:x-me-sender:x-sasl-enc; s=fm1; bh=Xv/3jo QpOpuvUABQ/J9Mi0Kec52AwHhn/shnAkuT+3s=; b=QabBCmB/Bbweh5JFjnTSUo 7sHUCvJ7m6rdf51RS3Rnjkbt4zDMn326XgcrnIcpZ7+oPd0Acx3HtbxHrifzTigI os2jPozZuF4HM1quEmQ54ezRfsBJXpGC9G8jJ6IAeEbm/j1tbJrg/yruLr/lRDQV EBirIxxH8Iw6uacPguXDTpiU9TmbfuG7HETo+ayXvcYLxvKawaiFotgQ936V0gpq yHiWkGU63T2gN6dnSNlj9AqsGppBNwaJK2REGlf9QPQJOxk5dBiLOhaskKkYDjAx rOx8y4zQxCqpTPOWdbwRmewEu5up2DF4ToSHt8Ertx35VAl0gHXcHeuDiXu6zc9w ==
X-ME-Sender: <xms:OYaeXSRDY953_AqFl441XDaeVxIbvRulVyRcHrswb48yggs5q9tilQ>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedufedriedvgdeghecutefuodetggdotefrodftvf curfhrohhfihhlvgemucfhrghsthforghilhdpqfgfvfdpuffrtefokffrpgfnqfghnecu uegrihhlohhuthemuceftddtnecuogfuuhhsphgvtghtffhomhgrihhnucdlgeelmdenuc fjughrpefofgggkfgjfhffhffvufgtsehttdertderreejnecuhfhrohhmpedfofgrrhht ihhnucfvhhhomhhsohhnfdcuoehmtheslhhofigvnhhtrhhophihrdhnvghtqeenucffoh hmrghinhepmhiilhdrlhgrnecurfgrrhgrmhepmhgrihhlfhhrohhmpehmtheslhhofigv nhhtrhhophihrdhnvghtnecuvehluhhsthgvrhfuihiivgeptd
X-ME-Proxy: <xmx:OoaeXWP_Nk40f5u3cJaFY8i1rf16mxm0a1jTUkOwFlSz9zQLKLvCFg> <xmx:OoaeXW82jv8xo1F_-uA1ME-4rrMLOVLqTtWypRmslqbvVTOk7KQ0RQ> <xmx:OoaeXRmcA7ewI1q_Y0gRs95g8NzMuFRxQ3YER9aCVkxhylWcTEQ5XQ> <xmx:OoaeXfCRd6Cp4gEBhOxB6HpfEbu4-Nz_FiyINYHV106w8umXmh0p0w>
Received: by mailuser.nyi.internal (Postfix, from userid 501) id D7767E00A5; Wed, 9 Oct 2019 21:15:37 -0400 (EDT)
X-Mailer: Webmail Interface
User-Agent: Cyrus-JMAP/3.1.7-360-g7dda896-fmstable-20191004v2
Mime-Version: 1.0
Message-Id: <>
In-Reply-To: <>
References: <> <> <> <> <> <> <> <> <> <> <> <> <> <> <>
Date: Thu, 10 Oct 2019 12:15:15 +1100
From: "Martin Thomson" <>
Content-Type: text/plain
Archived-At: <>
Subject: Re: [TLS] =?utf-8?q?Publication_has_been_requested_for_draft-ietf-tl?= =?utf-8?q?s-oldversions-deprecate-05?=
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 10 Oct 2019 01:15:41 -0000

On Thu, Oct 10, 2019, at 00:04, Eric Rescorla wrote:
> draft-ietf-rtcweb-security arch doesn't precisely encourage you to 
> implement DTLS 1.0; there's no normative language at all (even in the 
> non-2119 sense). It makes s factual statement about the history of the 
> document and about the impact of implementing only DTLS 1.2 and leaves 
> it up to the implementor what to do with that statement. I agree that 
> the fact that it bothers to mention it might be read as implying that 
> people should do DTLS 1.0, but that's not actually in the text. Indeed, 
> I could imagine this document including both this text *and* a MUST NOT 
> implement DTLS 1.0 (that's actually how one has to interpret the union 
> of draft-ietf-rtcweb-security-arch and 
> draft-ietf-tls-oldversions-deprecate), with the understanding that the 
> point of the "might encounter interoperability issues" is to document 
> the impact of the MUST NOT requirement.

This is, I think, the best interpretation of the current situation.  At best, you make the same inference you always do: disabling DTLS 1.0 right away comes with some interoperability risks.

Just to add some data on this point: browsers are looking to disable DTLS 1.0 at around the same time, but our data about DTLS 1.0 usage isn't as good as for TLS 1.0, so this is less of a firm commitment.  For instance, this ( is a much higher proportion of the overall, but it is also quite noisy.

Either way, I expect this to go away at the same time or soon after.  We're a little more comfortable being a more aggressive with WebRTC.