Re: [TLS] Products supporting TLS 1.0 & some other high-level questions

"Carl S. Gutekunst" <csg@alameth.org> Mon, 06 October 2014 05:33 UTC

Message-ID: <543229AD.7070401@alameth.org>
Date: Sun, 05 Oct 2014 22:33:33 -0700
From: "Carl S. Gutekunst" <csg@alameth.org>
To: Peter Gutmann <pgut001@cs.auckland.ac.nz>, "<tls@ietf.org>" <tls@ietf.org>
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/jjkIaUQ9CP5ArFHoVf08zRFMtl4
Subject: Re: [TLS] Products supporting TLS 1.0 & some other high-level questions

On 10/05/2014 10:28 PM, Peter Gutmann wrote:
> Eric Rescorla <ekr@rtfm.com> writes:
>> On Sun, Oct 5, 2014 at 7:22 PM, Watson Ladd <watsonbladd@gmail.com> wrote:
>>> Is the preferred path
>>> -Adoption of TLS 1.3
>>> -Adoption of TLS 1.2+session_hash fix
>>> -Indefinite support for TLS 1.0 plus multiple, not widely deployed fixes.
>> As a practical matter, we're likely to get at least the first two and
>> probably all three.
> You forgot one important word: eventually.  TLS 1.1 + add-ons we've got now.
> TLS 1.2 + session hash fix is still a work in progress after six years (eight
> if you take it back to the draft versions, which were mostly implementable
> even then).  TLS 1.3, which should really be called TLS 2.0 because there are
> so many fundamental changes, could take a decade or more....

And -- I hate repeating myself, but it seemed germane to this thread -- 
I'm still regularly having to deal with SBS 2003 servers whose only 
"strong" ciphers are RC4 and a non-functional implementation of 3DES.

<csg>