Re: [TLS] [Last-Call] Last Call: <draft-ietf-tls-oldversions-deprecate-09.txt> (Deprecating TLSv1.0 and TLSv1.1) to Best Current Practice

Eliot Lear <lear@cisco.com> Wed, 02 December 2020 10:42 UTC

Return-Path: <lear@cisco.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D84B63A12CD; Wed, 2 Dec 2020 02:42:35 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -9.6
X-Spam-Level:
X-Spam-Status: No, score=-9.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dcRBEAZN9kAG; Wed, 2 Dec 2020 02:42:34 -0800 (PST)
Received: from aer-iport-1.cisco.com (aer-iport-1.cisco.com [173.38.203.51]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B62DC3A12CC; Wed, 2 Dec 2020 02:42:33 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=4146; q=dns/txt; s=iport; t=1606905754; x=1608115354; h=from:message-id:mime-version:subject:date:in-reply-to:cc: to:references; bh=9zq6+Y/Q1woiEfrfzwol/bTTclZQmPbLxTLwg2niyss=; b=Qvh3QeibLRQUchN+8AdTe+KddZkha7Ut6QRwzDakfkJHRF9MpSbmLCAI mir37DbvDxAD907DpzU97u47YP4+p75bw0J/X9q8I4DtlfnRH9HvQ/GR4 AVsTuXytYXYqXGlSHAJpJBkpAJU6zbhyZ6mIIGwTcHVyudgh6Vv8JZPfI E=;
X-Files: signature.asc : 488
X-IPAS-Result: A0BYAABhb8df/xbLJq1iDg4BAQEBAQEHAQESAQEEBAEBgX0FAQELAYN1ASASLoQ8iQSIIpQXhh+BfAQHAQEBCgMBAS8EAQGESgKCFCY2Bw4CAwEBAQMCAwEBAQEFAQEBAgEGBHGFbYVyAQEBAwEjVgULCwQKCiMHAgJXBhODJgGCZiCsB3aBMoVXhHUQgTgBgVKMCIIAgTgcglU+hC+DJjOCLASQUIJwiSmcD4J8gx6BN5ZeAx+SbI84sRyDawIEBgUCFYFdCCuBVzMaCBsVZQGCPj4SGQ2OWI1SQUADMDcCBgEJAQEDCY46gkQBAQ
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-AV: E=Sophos;i="5.78,386,1599523200"; d="asc'?scan'208,217";a="31575823"
Received: from aer-iport-nat.cisco.com (HELO aer-core-1.cisco.com) ([173.38.203.22]) by aer-iport-1.cisco.com with ESMTP/TLS/DHE-RSA-SEED-SHA; 02 Dec 2020 10:42:19 +0000
Received: from [10.61.166.94] ([10.61.166.94]) by aer-core-1.cisco.com (8.15.2/8.15.2) with ESMTPS id 0B2AgIen003732 (version=TLSv1.2 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO); Wed, 2 Dec 2020 10:42:19 GMT
From: Eliot Lear <lear@cisco.com>
Message-Id: <1E815E15-8FA5-4FAB-AAC6-1AFE314C7EF5@cisco.com>
Content-Type: multipart/signed; boundary="Apple-Mail=_9F999EE7-3050-4676-B6D3-08DA159778C7"; protocol="application/pgp-signature"; micalg="pgp-sha256"
Mime-Version: 1.0 (Mac OS X Mail 13.4 \(3608.120.23.2.4\))
Date: Wed, 02 Dec 2020 11:42:17 +0100
In-Reply-To: <1606905451349.74964@cs.auckland.ac.nz>
Cc: Stephen Farrell <stephen.farrell@cs.tcd.ie>, Keith Moore <moore@network-heretics.com>, "last-call@ietf.org" <last-call@ietf.org>, "draft-ietf-tls-oldversions-deprecate@ietf.org" <draft-ietf-tls-oldversions-deprecate@ietf.org>, "tls-chairs@ietf.org" <tls-chairs@ietf.org>, "tls@ietf.org" <tls@ietf.org>
To: Peter Gutmann <pgut001@cs.auckland.ac.nz>
References: <160496076356.8063.5138064792555453422@ietfa.amsl.com> <49d045a3-db46-3250-9587-c4680ba386ed@network-heretics.com> <b5314e17-645a-22ea-3ce9-78f208630ae1@cs.tcd.ie> <1606782600388.62069@cs.auckland.ac.nz> <0b72b2aa-73b6-1916-87be-d83e9d0ebd09@cs.tcd.ie> <1606814941532.76373@cs.auckland.ac.nz> <36C74BF4-FF8A-4E79-B4C8-8A03BEE94FCE@cisco.com> <1606905451349.74964@cs.auckland.ac.nz>
X-Mailer: Apple Mail (2.3608.120.23.2.4)
X-Outbound-SMTP-Client: 10.61.166.94, [10.61.166.94]
X-Outbound-Node: aer-core-1.cisco.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/ZKF2w0cIbyKdnd_T1RIVWQOfdYU>
Subject: Re: [TLS] [Last-Call] Last Call: <draft-ietf-tls-oldversions-deprecate-09.txt> (Deprecating TLSv1.0 and TLSv1.1) to Best Current Practice
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 02 Dec 2020 10:42:36 -0000


> On 2 Dec 2020, at 11:37, Peter Gutmann <pgut001@cs.auckland.ac.nz> wrote:
> 
> Eliot Lear <lear@cisco.com> writes:
> 
>> If a device can be at all critical (and even if it isn’t), then it should be
>> upgraded or replaced.
> 
> The fact that many of these devices are extremely critical is precisely why
> they're never replaced or upgraded, because they can't be taken out of
> production.

 I am well aware of vast amounts of insecure systems being out in the wild, up to and including pace makers.  Being critical doesn’t make them any more secure, and we shouldn’t say otherwise.  They are at risk, and we should say so, and not excuse them.

If we want to have operational guidance around how to handle insecure devices, I am ok with that.  Those might include secure facilities, application aware proxies, and other aspects, but I am not sure that is this document.

Eliot