[TLS] Re: Adoption call for TLS 1.2 Update for Long-term Support

Andrew Campling <andrew.campling@419.consulting> Fri, 22 November 2024 14:47 UTC

From: Andrew Campling <andrew.campling@419.consulting>
To: Yaron Sheffer <yaronf.ietf@gmail.com>, Peter Gutmann <pgut001@cs.auckland.ac.nz>, "Salz, Rich" <rsalz@akamai.com>, Sean Turner <sean@sn3rd.com>, TLS List <tls@ietf.org>
Thread-Topic: [TLS] Re: Adoption call for TLS 1.2 Update for Long-term Support
Thread-Index: AQHbO3F1/EPy4KodgE294dFXeYuzC7LAhS2AgAKQb4CAADrOgIAADjhA
Date: Fri, 22 Nov 2024 14:47:51 +0000
Message-ID: <LO2P265MB5160EA88E5389CDE7036F465C2232@LO2P265MB5160.GBRP265.PROD.OUTLOOK.COM>
References: <278163DF-0CB8-472F-84CB-0B8236FEC7C1@sn3rd.com> <231D5F24-E1AE-4F7C-9860-F6B0FF79D6FF@akamai.com>,<CWXP265MB5153A14B88F7E5CC94E9BF9AC2212@CWXP265MB5153.GBRP265.PROD.OUTLOOK.COM> <67DD955A-3D13-E04F-9398-F5B37786F79A@hxcore.ol>,<ME0P300MB0713FDE4AAA6BB169D676391EE232@ME0P300MB0713.AUSP300.PROD.OUTLOOK.COM> <1A650921-0180-864F-A50B-E385FAC59653@hxcore.ol>
In-Reply-To: <1A650921-0180-864F-A50B-E385FAC59653@hxcore.ol>
Accept-Language: en-US, en-GB
Content-Language: en-US
Content-Type: multipart/alternative; boundary="_000_LO2P265MB5160EA88E5389CDE7036F465C2232LO2P265MB5160GBRP_"
MIME-Version: 1.0
X-OriginatorOrg: 419.consulting
Subject: [TLS] Re: Adoption call for TLS 1.2 Update for Long-term Support
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/jqMLRGSOrtSFqDee3rKRdhF5QpM>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Owner: <mailto:tls-owner@ietf.org>
List-Post: <mailto:tls@ietf.org>
List-Subscribe: <mailto:tls-join@ietf.org>
List-Unsubscribe: <mailto:tls-leave@ietf.org>

On 22/11/2024, 13:37, Yaron Sheffer <yaronf.ietf@gmail.com> wrote:
> My point was much broader though: the IETF is sending deployers a bunch
> of mixed messages, and this is on us as a community.
>
> RFC 9325 basically tells them: we prefer that you switch to TLS 1.3, but if
> you absolutely cannot do that, here’s how you can configure the existing
> TLS 1.2 and be secure (as of the time of publication).
>
> TLS-LTS sends a whole different message of course.
>
> And then the working group keeps nibbling at TLS 1.2 with documents like
> draft-ietf-tls-deprecate-obsolete-kex and the earlier “deprecating”
> documents. The KEX document does mention RFC 9325 at one point but
> does not say explicitly which of its requirements are new, making it hard
> for implementers to navigate our recommendations.

If the consensus view of the working group is that the existing communications have resulted in mixed messages and some confusion, the adoption of TLS-LTS could provide a useful vehicle to address that whilst also dealing with the various technical points that Peter has already identified in his draft. By expanding the introduction plus sections 3.7 and 4 (or by adding a new section), it should be possible to communicate clearly to implementers and others the relative positions of TLS 1.2, TLS-LTS and TLS 1.3 with reference to RFC 9325 and any other relevant documents.

Andrew