Re: [TLS] prohibit <1.2 support on 1.3+ servers (but allow clients)
Jeffrey Walton <noloader@gmail.com> Sun, 24 May 2015 23:24 UTC
Return-Path: <noloader@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 03B8A1A01F0 for <tls@ietfa.amsl.com>; Sun, 24 May 2015 16:24:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.899
X-Spam-Level:
X-Spam-Status: No, score=0.899 tagged_above=-999 required=5 tests=[BAYES_40=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, FREEMAIL_REPLYTO=1, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Pp4ue1qxb6Bq for <tls@ietfa.amsl.com>; Sun, 24 May 2015 16:24:14 -0700 (PDT)
Received: from mail-ig0-x22d.google.com (mail-ig0-x22d.google.com [IPv6:2607:f8b0:4001:c05::22d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CA0B81A01A8 for <tls@ietf.org>; Sun, 24 May 2015 16:24:14 -0700 (PDT)
Received: by igbhj9 with SMTP id hj9so26700902igb.1 for <tls@ietf.org>; Sun, 24 May 2015 16:24:14 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:reply-to:in-reply-to:references:date:message-id :subject:from:to:cc:content-type; bh=yu/TPfFhpaL/rqAoDX9s638J6+IEGjT6/iOjd5qr8FI=; b=FPfI2IyYZQz7piSzmmv3nl+fdbt5LjZ4y1FiarMHu90PLCaF6vqWXuQcLIe5R+MuAB H+TQSoL7GaSmvLnSWXeGCnuXOTRr/HT02V7LKxiibC0/BTjqhVdN63BENr4FVmVM5aCS /TO7ee/HRBgALRNDmiMYvHF6vOZoFGvBApgcfMf7+YhovOegZ3ATq/x51SLiQk+/YnPU Hah1jA3ioV8kgaf/hWwM45AjVkokylq8C7pET072HqQSPBAR80JIIT8bZh7DZoq1SBll NA/ViiJoeXvxiTRRfn9lRMdmDx5yCPBB+IqWaYX9YtCH69FW22xh9MpdGI0TVbsKuI3h yqBg==
MIME-Version: 1.0
X-Received: by 10.107.29.148 with SMTP id d142mr25963600iod.9.1432509854203; Sun, 24 May 2015 16:24:14 -0700 (PDT)
Received: by 10.36.77.15 with HTTP; Sun, 24 May 2015 16:24:14 -0700 (PDT)
In-Reply-To: <r422Ps-1075i-2FE4AF2631A54E739D4B8EB0C4ED46AB@Williams-MacBook-Pro.local>
References: <201505221236.34122.davemgarrett@gmail.com> <r422Ps-1075i-2FE4AF2631A54E739D4B8EB0C4ED46AB@Williams-MacBook-Pro.local>
Date: Sun, 24 May 2015 19:24:14 -0400
Message-ID: <CAH8yC8krR4auA7Q_0K1iRzvSYNh1FNopHsK+TWv_6OLL_v9p9Q@mail.gmail.com>
From: Jeffrey Walton <noloader@gmail.com>
To: Bill Frantz <frantz@pwpconsult.com>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/cICWIXW1WN2UTTEH8V8NzDehvPc>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] prohibit <1.2 support on 1.3+ servers (but allow clients)
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: noloader@gmail.com
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 24 May 2015 23:24:16 -0000
On Fri, May 22, 2015 at 5:52 PM, Bill Frantz <frantz@pwpconsult.com> wrote: > On 5/22/15 at 9:36 AM, davemgarrett@gmail.com (Dave Garrett) wrote: > >> On Friday, May 22, 2015 11:38:14 am Salz, Rich wrote: >>> >>> Most of the net doesn't support IPv6. >> >> This is an ISP issue. Plenty of clients support it, but their network >> won't route it. > > Here is another case where revenue models have a significant impact on > security. (Another is the CA system.) ISPs charge extra for IP addresses > that can run servers. If every device has its own IPv6 address, then every > device can run a server. ISPs like IPv4 and NAT. Some of the latest standards are removing IP addresses from X.509 certificates. It appears to be doing so without consideration for the revenue model. I think its more influence from the browsers because it shows up in HTTP Strict Transport Security (HSTS), Appendix A; and the upcoming Public Key Pinning with Overrides (HPKP). Because its being influenced by the browsers, I'm guessing the only revenue model being considered is the third party ad model, where a client is told to fetch a resource and possibly execute code from a third party server so the origin can get paid. I don't know what the IETF's official policy is on DNS names versus IP addresses. Jeff
- [TLS] prohibit <1.2 support on 1.3+ servers (but … Dave Garrett
- Re: [TLS] prohibit <1.2 support on 1.3+ servers (… Loganaden Velvindron
- Re: [TLS] prohibit <1.2 support on 1.3+ servers (… Yoav Nir
- Re: [TLS] prohibit <1.2 support on 1.3+ servers (… Thijs van Dijk
- Re: [TLS] prohibit <1.2 support on 1.3+ servers (… Jeffrey Walton
- Re: [TLS] prohibit <1.2 support on 1.3+ servers (… Dave Garrett
- Re: [TLS] prohibit <1.2 support on 1.3+ servers (… Kurt Roeckx
- Re: [TLS] prohibit <1.2 support on 1.3+ servers (… Dave Garrett
- Re: [TLS] prohibit <1.2 support on 1.3+ servers (… Yuhong Bao
- Re: [TLS] prohibit <1.2 support on 1.3+ servers (… Yoav Nir
- Re: [TLS] prohibit <1.2 support on 1.3+ servers (… Dave Garrett
- Re: [TLS] prohibit <1.2 support on 1.3+ servers (… Yoav Nir
- Re: [TLS] prohibit <1.2 support on 1.3+ servers (… Watson Ladd
- Re: [TLS] prohibit <1.2 support on 1.3+ servers (… Yoav Nir
- Re: [TLS] prohibit <1.2 support on 1.3+ servers (… Dave Garrett
- Re: [TLS] prohibit <1.2 support on 1.3+ servers (… Yoav Nir
- Re: [TLS] prohibit <1.2 support on 1.3+ servers (… Dave Garrett
- Re: [TLS] prohibit <1.2 support on 1.3+ servers (… Martin Rex
- Re: [TLS] prohibit <1.2 support on 1.3+ servers (… Martin Thomson
- Re: [TLS] prohibit <1.2 support on 1.3+ servers (… Dave Garrett
- Re: [TLS] prohibit <1.2 support on 1.3+ servers (… Dave Garrett
- Re: [TLS] prohibit <1.2 support on 1.3+ servers (… Aaron Zauner
- Re: [TLS] prohibit <1.2 support on 1.3+ servers (… Tony Arcieri
- Re: [TLS] prohibit <1.2 support on 1.3+ servers (… Dave Garrett
- Re: [TLS] prohibit <1.2 support on 1.3+ servers (… Martin Thomson
- Re: [TLS] prohibit <1.2 support on 1.3+ servers (… Dave Garrett
- Re: [TLS] prohibit <1.2 support on 1.3+ servers (… Aaron Zauner
- Re: [TLS] prohibit <1.2 support on 1.3+ servers (… Martin Thomson
- Re: [TLS] prohibit <1.2 support on 1.3+ servers (… Tony Arcieri
- Re: [TLS] prohibit <1.2 support on 1.3+ servers (… Dave Garrett
- Re: [TLS] prohibit <1.2 on clients (but allow ser… Xiaoyin Liu
- Re: [TLS] prohibit <1.2 on clients (but allow ser… Dave Garrett
- Re: [TLS] prohibit <1.2 support on 1.3+ servers (… Martin Rex
- Re: [TLS] prohibit <1.2 support on 1.3+ servers (… Hubert Kario
- Re: [TLS] prohibit <1.2 on clients (but allow ser… Peter Gutmann
- Re: [TLS] prohibit <1.2 on clients (but allow ser… Xiaoyin Liu
- Re: [TLS] prohibit <1.2 support on 1.3+ servers (… Salz, Rich
- Re: [TLS] prohibit <1.2 support on 1.3+ servers (… Salz, Rich
- Re: [TLS] prohibit <1.2 support on 1.3+ servers (… Ronald del Rosario
- Re: [TLS] prohibit <1.2 support on 1.3+ servers (… Dave Garrett
- Re: [TLS] prohibit <1.2 on clients (but allow ser… Dave Garrett
- Re: [TLS] prohibit <1.2 on clients (but allow ser… Geoffrey Keating
- Re: [TLS] prohibit <1.2 support on 1.3+ servers (… Tony Arcieri
- Re: [TLS] prohibit <1.2 on clients (but allow ser… Jeffrey Walton
- Re: [TLS] prohibit <1.2 support on 1.3+ servers (… Bill Frantz
- Re: [TLS] prohibit <1.2 on clients (but allow ser… Peter Gutmann
- Re: [TLS] prohibit <1.2 on clients (but allow ser… Geoff Keating
- Re: [TLS] prohibit <1.2 support on 1.3+ servers (… Jeffrey Walton
- Re: [TLS] prohibit <1.2 support on 1.3+ servers (… Florian Weimer
- Re: [TLS] prohibit <1.2 on clients (but allow ser… Yuhong Bao
- Re: [TLS] prohibit <1.2 on clients (but allow ser… Martin Thomson
- Re: [TLS] prohibit <1.2 on clients (but allow ser… Salz, Rich