Re: [TLS] prohibit <1.2 support on 1.3+ servers (but allow clients)

Aaron Zauner <azet@azet.org> Fri, 22 May 2015 02:52 UTC

Return-Path: <azet@azet.org>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3598E1A8FD2 for <tls@ietfa.amsl.com>; Thu, 21 May 2015 19:52:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level:
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zYvnvosMVE8y for <tls@ietfa.amsl.com>; Thu, 21 May 2015 19:52:16 -0700 (PDT)
Received: from mail-wi0-f170.google.com (mail-wi0-f170.google.com [209.85.212.170]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A9D5A1A8F51 for <tls@ietf.org>; Thu, 21 May 2015 19:52:15 -0700 (PDT)
Received: by wibt6 with SMTP id t6so33035749wib.0 for <tls@ietf.org>; Thu, 21 May 2015 19:52:14 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:date:from:to:cc:subject:message-id:references :mime-version:content-type:content-disposition:in-reply-to :user-agent; bh=Xq5WzDvuXDmv8ykKyIn0v0kWW0WQigcxQF23vXJxX+M=; b=i8mRSqdz2F2i+2sEJ8IM6G2s75gcy7bvprAb3yWx7/z7Lymn7bL+qzhZiqVjXsTywA KA6dRV6cX4giQjW5f65LYh0B8F9DyqANCF5ElzgeBWce8jw2mJX4xAQQk4AKRwBf9gsm /+4XvXeY4ukeBkQYVAsN0cdBBow9uDeV4cJRPYNOY2EL1rFIUDOGQGsyk2NWbndNBDxs N1D74+7VlywCR1kWpoy2cug2LHECfYD/IFUU3ACUg7lA67TVdSO6kv8gxwW8NeLMU7EY hJ3jkKNsceFNtyK64JVGCK3HMCSXOZw9ddAUI1qRAX6FD7FV6Kho/KyQVtEwkjI2IQ18 ohFA==
X-Gm-Message-State: ALoCoQmtPPCNjudR99uAg6h/X6cvVUMFI02he1awMpLxkkBI03gxQgEnPcMRcTEz8EYwmmYOG+ms
X-Received: by 10.180.86.234 with SMTP id s10mr2987491wiz.50.1432263134516; Thu, 21 May 2015 19:52:14 -0700 (PDT)
Received: from typhoon.azet.org (chello080108032135.14.11.univie.teleweb.at. [80.108.32.135]) by mx.google.com with ESMTPSA id d14sm977231wjn.30.2015.05.21.19.52.13 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Thu, 21 May 2015 19:52:13 -0700 (PDT)
Date: Fri, 22 May 2015 04:52:16 +0200
From: Aaron Zauner <azet@azet.org>
To: Martin Thomson <martin.thomson@gmail.com>
Message-ID: <20150522025214.GA21141@typhoon.azet.org>
References: <201505211210.43060.davemgarrett@gmail.com> <CABkgnnW-3ccJqM634dtjgqLGbc11Z2LgFFxpC2EjF-8dKk4o2A@mail.gmail.com>
MIME-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha512; protocol="application/pgp-signature"; boundary="SUOF0GtieIMvvwua"
Content-Disposition: inline
In-Reply-To: <CABkgnnW-3ccJqM634dtjgqLGbc11Z2LgFFxpC2EjF-8dKk4o2A@mail.gmail.com>
User-Agent: Mutt/1.5.23 (2014-03-12)
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/_HQD4GqNJeI7yr-3Y_wNpgGQtiA>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] prohibit <1.2 support on 1.3+ servers (but allow clients)
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 22 May 2015 02:52:17 -0000

Hi,

* Martin Thomson <martin.thomson@gmail.com>; [22/05/2015 01:29:19] wrote:
> I don't think that this is the right way to do this.

I agree. While this is a noble effort, it's the wrong approach to
the problem at hand in my opinion. We do have a BCP from UTA which a
lot of work was put into. It basically tells people to deprecate
everything that's not TLS 1.2 with an AEAD.

> I'm happy to be the one wielding the stick when the time is right, but
> I probably won't come here to do it.

So how about that TLSv1-diediedie document? :)


Aaron