Re: [TLS] prohibit <1.2 support on 1.3+ servers (but allow clients)

Jeffrey Walton <noloader@gmail.com> Sun, 24 May 2015 23:24 UTC

Return-Path: <noloader@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 03B8A1A01F0 for <tls@ietfa.amsl.com>; Sun, 24 May 2015 16:24:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.899
X-Spam-Level:
X-Spam-Status: No, score=0.899 tagged_above=-999 required=5 tests=[BAYES_40=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, FREEMAIL_REPLYTO=1, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Pp4ue1qxb6Bq for <tls@ietfa.amsl.com>; Sun, 24 May 2015 16:24:14 -0700 (PDT)
Received: from mail-ig0-x22d.google.com (mail-ig0-x22d.google.com [IPv6:2607:f8b0:4001:c05::22d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CA0B81A01A8 for <tls@ietf.org>; Sun, 24 May 2015 16:24:14 -0700 (PDT)
Received: by igbhj9 with SMTP id hj9so26700902igb.1 for <tls@ietf.org>; Sun, 24 May 2015 16:24:14 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:reply-to:in-reply-to:references:date:message-id :subject:from:to:cc:content-type; bh=yu/TPfFhpaL/rqAoDX9s638J6+IEGjT6/iOjd5qr8FI=; b=FPfI2IyYZQz7piSzmmv3nl+fdbt5LjZ4y1FiarMHu90PLCaF6vqWXuQcLIe5R+MuAB H+TQSoL7GaSmvLnSWXeGCnuXOTRr/HT02V7LKxiibC0/BTjqhVdN63BENr4FVmVM5aCS /TO7ee/HRBgALRNDmiMYvHF6vOZoFGvBApgcfMf7+YhovOegZ3ATq/x51SLiQk+/YnPU Hah1jA3ioV8kgaf/hWwM45AjVkokylq8C7pET072HqQSPBAR80JIIT8bZh7DZoq1SBll NA/ViiJoeXvxiTRRfn9lRMdmDx5yCPBB+IqWaYX9YtCH69FW22xh9MpdGI0TVbsKuI3h yqBg==
MIME-Version: 1.0
X-Received: by 10.107.29.148 with SMTP id d142mr25963600iod.9.1432509854203; Sun, 24 May 2015 16:24:14 -0700 (PDT)
Received: by 10.36.77.15 with HTTP; Sun, 24 May 2015 16:24:14 -0700 (PDT)
In-Reply-To: <r422Ps-1075i-2FE4AF2631A54E739D4B8EB0C4ED46AB@Williams-MacBook-Pro.local>
References: <201505221236.34122.davemgarrett@gmail.com> <r422Ps-1075i-2FE4AF2631A54E739D4B8EB0C4ED46AB@Williams-MacBook-Pro.local>
Date: Sun, 24 May 2015 19:24:14 -0400
Message-ID: <CAH8yC8krR4auA7Q_0K1iRzvSYNh1FNopHsK+TWv_6OLL_v9p9Q@mail.gmail.com>
From: Jeffrey Walton <noloader@gmail.com>
To: Bill Frantz <frantz@pwpconsult.com>
Content-Type: text/plain; charset=UTF-8
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/cICWIXW1WN2UTTEH8V8NzDehvPc>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] prohibit <1.2 support on 1.3+ servers (but allow clients)
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: noloader@gmail.com
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 24 May 2015 23:24:16 -0000

On Fri, May 22, 2015 at 5:52 PM, Bill Frantz <frantz@pwpconsult.com>; wrote:
> On 5/22/15 at 9:36 AM, davemgarrett@gmail.com (Dave Garrett) wrote:
>
>> On Friday, May 22, 2015 11:38:14 am Salz, Rich wrote:
>>>
>>> Most of the net doesn't support IPv6.
>>
>> This is an ISP issue. Plenty of clients support it, but their network
>> won't route it.
>
> Here is another case where revenue models have a significant impact on
> security. (Another is the CA system.) ISPs charge extra for IP addresses
> that can run servers. If every device has its own IPv6 address, then every
> device can run a server. ISPs like IPv4 and NAT.

Some of the latest standards are removing IP addresses from X.509
certificates. It appears to be doing so without consideration for the
revenue model.

I think its more influence from the browsers because it shows up in
HTTP Strict Transport Security (HSTS), Appendix A; and the upcoming
Public Key Pinning with Overrides (HPKP).

Because its being influenced by the browsers, I'm guessing the only
revenue model being considered is the third party ad model, where a
client is told to fetch a resource and possibly execute code from a
third party server so the origin can get paid.

I don't know what the IETF's official policy is on DNS names versus IP
addresses.

Jeff