Re: [TLS] TLS 1.3 -> TLS 2.0?

Xiaoyin Liu <> Tue, 30 August 2016 18:36 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 715EC12D606 for <>; Tue, 30 Aug 2016 11:36:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: 1.507
X-Spam-Level: *
X-Spam-Status: No, score=1.507 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, FREEMAIL_REPLY=1, HK_RANDOM_ENVFROM=0.001, HK_RANDOM_FROM=1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001, SUBJ_ALL_CAPS=1.506] autolearn=no autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id MmJgqo7K-056 for <>; Tue, 30 Aug 2016 11:36:54 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id E25D112D763 for <>; Tue, 30 Aug 2016 11:36:53 -0700 (PDT)
Received: from ([]) by over TLS secured channel with Microsoft SMTPSVC(7.5.7601.23008); Tue, 30 Aug 2016 11:36:53 -0700
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=ntZmCOg+FTMBy/GMX2iFSNeOrDb3VBvIrcmcHP4T0qE=; b=AcXKj5AXmHPlgzLImSpSh30bOQRtkdDcHx7frDa4uvrchg5TFih477us4wlc7XCcq85QkJQNi4ew1fZD6UZyaIAytR1c4Y3/gcKxfMGUbADAhZNB0qrR5bQy4w90ssb5ekD8JHE2E/CO0QvyZuXd+YykFJJO6BaBt5NNh9Kgf1cl8boYMe46dMH4/DfNoQAefYZ2bTybJ94y9xCKD6Pz2dKyn2v7ubWLkkhqN5DgId1CDfrhjQ5dJfEYiOssMuBL5KxDIcKNkha6bbYp+MQ2Riah6MNPT/R+JNJmkZETw46XfSyUMhJ+KQa4tmVj11FhA39DAH3047lLe3TSNIFCZg==
Received: from ( by ( with Microsoft SMTP Server (version=TLS1_0, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384) id 15.1.587.6; Tue, 30 Aug 2016 18:36:52 +0000
Received: from ( by ( with Microsoft SMTP Server (version=TLS1_0, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384) id 15.1.609.6 via Frontend Transport; Tue, 30 Aug 2016 18:36:52 +0000
Received: from ([]) by ([]) with mapi id 15.01.0587.013; Tue, 30 Aug 2016 18:36:51 +0000
From: Xiaoyin Liu <>
To: Dave Garrett <>, "" <>
Thread-Topic: [TLS] TLS 1.3 -> TLS 2.0?
Thread-Index: AQHSAusWOU//EHg9i0ibaRgnTsxODaBh1RpW
Date: Tue, 30 Aug 2016 18:36:51 +0000
Message-ID: <>
References: <>
In-Reply-To: <>
Accept-Language: en-US
Content-Language: en-US
authentication-results: spf=softfail (sender IP is;; dkim=none (message not signed) header.d=none;; dmarc=fail action=none;
received-spf: SoftFail ( domain of transitioning discourages use of as permitted sender)
x-incomingtopheadermarker: TopHeader
x-tmn: [q4SH6q6LCPnkuJVB1gfMiK5h71zXHqHt]
x-incomingheadercount: 38
x-eopattributedmessage: 0
x-forefront-antispam-report: CIP:; IPV:NLI; CTRY:; EFV:NLI; SFV:NSPM; SFS:(10019020)(98900003); DIR:OUT; SFP:1102; SCL:1; SRVR:CO1NAM03HT177;; FPR:; SPF:None; LANG:en;
x-microsoft-exchange-diagnostics: 1; CO1NAM03HT177; 6:3SJbGQTWcBNIN2N3GigIBiVLQkBMuqLg7Im7pWiPMBg75HcvhLcCsxmNdRqXBKKEv9C/RJZc8tYXskK1U+tyFh9ioJd9DFpcWVNaWTUh+sxM0Jbrkb/EpPeW7638BMPQIIDQ6EfaLoRcK+4bB5yA+N1poiHpaD51Xafybrp3eIOkuidUPYeqeZc3NsT9mLd7tuAOg6J6UeauC9ufQR7tN2wf0Q19/biU3NAXmseOxxuei60MXPfv17XIPpMmCV74A9O+e9aBpTFUX+oCyJ920bYAtk7pSV4/nQzfhoD9qfCvrJRJJBWLZ3/wh6uJ91No; 5:Je7LVY0whrzpCSziNHbdVA9eLDa/vxa9aOYAs7PEhZuUOZqWvKRlP7pDmQkTrLy4yNPJZskdEQRC382prPnqUtpDS+pFKpwBbwq0cDYr/MvBVwkhw0qh6OvYgv2XQktsbZaq9WNvUSaqicyA5/MsUA==; 24:YTQlt8MvmpavvI1ZqYgAngo7ULUs9zcQJorV3rV9ZCVF7OuKXWF8LD6I4bU7FaaO05T7ahc3GoXADRkrXuM2Kenu2JkpxAI4T5mr257d3Rg=; 7:qVDSIfFRZCAGG7P6My7ADDWLNanHZV9kGK5mkGQuzy8uuISm5xHxt5PTaG8J9oDaZp5LkfxW3+MlMeoFr0b2khrRHqavvdmnnYT9aYk5F3DEuA6Hc/dNsYRj+edL2XHFqnTb66h4/vvPxLRiCeGuOFeTNvL4IDjNJv/fIafohK2xv/hhNjh3z85IVmdma/G17b6TPw4fJpOAtCMNsurvIyw3h7xJNOZ7+x7FqqVWaVJNtzYVT4iGjpgpVSCVj3QO
x-ms-office365-filtering-correlation-id: 0936db3f-f9f9-40f6-c634-08d3d1049bc1
x-microsoft-antispam: UriScan:; BCL:0; PCL:0; RULEID:(1601124038)(1601125047); SRVR:CO1NAM03HT177;
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(432015012)(82015046); SRVR:CO1NAM03HT177; BCL:0; PCL:0; RULEID:; SRVR:CO1NAM03HT177;
x-forefront-prvs: 0050CEFE70
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: multipart/alternative; boundary="_000_CY1PR15MB077803AB565FB6CD20098CEAFFE00CY1PR15MB0778namp_"
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-originalarrivaltime: 30 Aug 2016 18:36:51.2013 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Internet
X-MS-Exchange-CrossTenant-id: 84df9e7f-e9f6-40af-b435-aaaaaaaaaaaa
X-MS-Exchange-Transport-CrossTenantHeadersStamped: CO1NAM03HT177
X-OriginalArrivalTime: 30 Aug 2016 18:36:53.0547 (UTC) FILETIME=[7AA787B0:01D202ED]
Archived-At: <>
Subject: Re: [TLS] TLS 1.3 -> TLS 2.0?
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 30 Aug 2016 18:36:55 -0000

I support this change as long as there is no technical change (version ID remains 0x0304).



From: Dave Garrett<>
Sent: Tuesday, August 30, 2016 2:19 PM
Subject: [TLS] TLS 1.3 -> TLS 2.0?

I occasionally see people ask why we're calling it TLS 1.3 when so much has changed, and I used to simply think that it was too bikesheddy to bother changing at this point. However, now that we've redone negotiation, we have new TLS 1.3+ only cipher suites. The old are not compatible with the new (new codepoints needed for old ciphers) and the new are not backwards compatible with the old (they'll just be ignored). We actually risk misconfiguration in the future if the distinction isn't made clear. I think it's time we just renamed TLS 1.3 to TLS 2.0. There are major changes, so labeling it a major version seems more appropriate.

Note that contrary to what some people seem to think, version numbers are not completely without meaning. To someone who doesn't really know/care that much what TLS is, making sure to use the latest major version of a security protocol carries more weight than a minor version. It also makes it clear that there are new features here (e.g. 0-RTT). There's some de facto standardization in versioning which does carry some useful information. We're not just dealing with programmers here; this stuff needs to be clear for managers and non-professionals. If we want to get everyone upgraded eventually, messaging is important.

Specific proposed changes:
* Mass rename TLS 1.3 to TLS 2.0 in all places (or TLS 2)
* Keep the version ID as { 3, 4 } (already weird counting; changing risks more intolerance)
* Rename the new cipher suites to have a "TLS2_" prefix to be less confusing for the registry & end configuration
* Add a sentence noting the development history here, and that all documents that refer to TLS 1.3 refer to TLS 2.0 (e.g. HTTP/2)

This is a relatively simple set of changes to make that I think can be beneficial in the long run, and is essentially just editorial. Rebranding might not be something everyone really wants to bother with, but if we expect this to be in use for a decade or more (whether we like it or not), we should probably make sure to be as clear as possible at the start.


TLS mailing list