Re: [TLS] prohibit <1.2 support on 1.3+ servers (but allow clients)
Yoav Nir <ynir.ietf@gmail.com> Thu, 21 May 2015 22:59 UTC
Return-Path: <ynir.ietf@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6D3331A0382 for <tls@ietfa.amsl.com>; Thu, 21 May 2015 15:59:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id e35kB0AETgrQ for <tls@ietfa.amsl.com>; Thu, 21 May 2015 15:59:22 -0700 (PDT)
Received: from mail-wi0-x235.google.com (mail-wi0-x235.google.com [IPv6:2a00:1450:400c:c05::235]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BE1CB1A1BF2 for <tls@ietf.org>; Thu, 21 May 2015 15:59:21 -0700 (PDT)
Received: by wicmc15 with SMTP id mc15so26177142wic.1 for <tls@ietf.org>; Thu, 21 May 2015 15:59:20 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=content-type:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=kSgGnEOzoWJXkhKVSHkCI6FY4sznldGbvNg7v0nWnes=; b=hDJYuqUgri4s6zE5Cn3UVuWs3QRpDYIpiosHkCxmbkDKU6FVxF/DtxBbxKTpBvQ61c T66x7ONJKyPDEP5Q3ZRt3CQP53WTdajKmJErWNy9RMbZXeIjiKtX1A5L4dZTG+aTrclL RbH/VdHCRj+3AO8pgcVs8n04EIGNhdJWtw/4gOav8SGyRujJ5sOpgB35Y/VlSeUgVkqK FbVyB33HK5Fbw2hBvcc+GA5m6GuFlbyDknIg3LlV6kAM7GyeWrlxP34OxQOsJsCaosgL 85Hu84n1iLR8GKJ/R1+XVGILGKHmt5AnSnQ/mQliYIlQE/ysSnFfy2+CXWH2IGgCLL9o eRng==
X-Received: by 10.180.109.6 with SMTP id ho6mr1814977wib.58.1432249160576; Thu, 21 May 2015 15:59:20 -0700 (PDT)
Received: from [192.168.1.17] ([46.120.13.132]) by mx.google.com with ESMTPSA id wv3sm408702wjc.0.2015.05.21.15.59.19 (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Thu, 21 May 2015 15:59:19 -0700 (PDT)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 8.2 \(2098\))
From: Yoav Nir <ynir.ietf@gmail.com>
In-Reply-To: <CACsn0ck84SMT+Eqgdz7SBFQmaP0tFZQpX03Q0WyJtTgh5MhpkQ@mail.gmail.com>
Date: Fri, 22 May 2015 01:59:17 +0300
Content-Transfer-Encoding: quoted-printable
Message-Id: <943DD5B5-DD98-4AB5-80AF-EB56D2EABC86@gmail.com>
References: <201505211210.43060.davemgarrett@gmail.com> <BLU177-W43B228C6C40A3EFFF6D0AC3C10@phx.gbl> <08521CEE-F00B-40B5-9A91-D290ED56EE67@gmail.com> <201505211816.42606.davemgarrett@gmail.com> <9ED694CA-2271-42DD-B094-55B560B9C76B@gmail.com> <CACsn0ck84SMT+Eqgdz7SBFQmaP0tFZQpX03Q0WyJtTgh5MhpkQ@mail.gmail.com>
To: Watson Ladd <watsonbladd@gmail.com>
X-Mailer: Apple Mail (2.2098)
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/km--5Rbr55JtdxElOdQydpTeKkg>
Cc: "maray@microsoft.com" <maray@microsoft.com>, "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] prohibit <1.2 support on 1.3+ servers (but allow clients)
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 21 May 2015 22:59:23 -0000
> On May 22, 2015, at 1:41 AM, Watson Ladd <watsonbladd@gmail.com> wrote: > > On Thu, May 21, 2015 at 6:34 PM, Yoav Nir <ynir.ietf@gmail.com> wrote: >> >>> On May 22, 2015, at 1:16 AM, Dave Garrett <davemgarrett@gmail.com> wrote: >>> >>> On Thursday, May 21, 2015 05:50:26 pm Yoav Nir wrote: >>>> According to netmarketshare.com Windows XP is still 16% of desktops/laptops (as measured by web traffic). Add some older mac OS X versions and you reach 17%. Even mobile has some older versions. What this is proposing is to require servers to cut all of those off as a pre-requisite to supporting TLS 1.3. >>> >>> Windows XP & old Mac OS X users can install Mozilla Firefox or Google Chrome (or one of the browsers based on one). It's just the built in browser that won't work because the vendor dropped support. >> >> And you are proposing that we force them to do this? Worse, you are proposing that we deputize all server operators in forcing them to replace their browser? > > If not now, then when? When those machines rust away, or when their owners decide to buy shiny new ones. Ultimately, it’s up to the server administrators to decide when to drop support for something. I don’t see where it’s our job to require them to do so as a pre-condition to deploying TLS 1.3. Server implementers will ignore this even if we make it a MUST.
- [TLS] prohibit <1.2 support on 1.3+ servers (but … Dave Garrett
- Re: [TLS] prohibit <1.2 support on 1.3+ servers (… Loganaden Velvindron
- Re: [TLS] prohibit <1.2 support on 1.3+ servers (… Yoav Nir
- Re: [TLS] prohibit <1.2 support on 1.3+ servers (… Thijs van Dijk
- Re: [TLS] prohibit <1.2 support on 1.3+ servers (… Jeffrey Walton
- Re: [TLS] prohibit <1.2 support on 1.3+ servers (… Dave Garrett
- Re: [TLS] prohibit <1.2 support on 1.3+ servers (… Kurt Roeckx
- Re: [TLS] prohibit <1.2 support on 1.3+ servers (… Dave Garrett
- Re: [TLS] prohibit <1.2 support on 1.3+ servers (… Yuhong Bao
- Re: [TLS] prohibit <1.2 support on 1.3+ servers (… Yoav Nir
- Re: [TLS] prohibit <1.2 support on 1.3+ servers (… Dave Garrett
- Re: [TLS] prohibit <1.2 support on 1.3+ servers (… Yoav Nir
- Re: [TLS] prohibit <1.2 support on 1.3+ servers (… Watson Ladd
- Re: [TLS] prohibit <1.2 support on 1.3+ servers (… Yoav Nir
- Re: [TLS] prohibit <1.2 support on 1.3+ servers (… Dave Garrett
- Re: [TLS] prohibit <1.2 support on 1.3+ servers (… Yoav Nir
- Re: [TLS] prohibit <1.2 support on 1.3+ servers (… Dave Garrett
- Re: [TLS] prohibit <1.2 support on 1.3+ servers (… Martin Rex
- Re: [TLS] prohibit <1.2 support on 1.3+ servers (… Martin Thomson
- Re: [TLS] prohibit <1.2 support on 1.3+ servers (… Dave Garrett
- Re: [TLS] prohibit <1.2 support on 1.3+ servers (… Dave Garrett
- Re: [TLS] prohibit <1.2 support on 1.3+ servers (… Aaron Zauner
- Re: [TLS] prohibit <1.2 support on 1.3+ servers (… Tony Arcieri
- Re: [TLS] prohibit <1.2 support on 1.3+ servers (… Dave Garrett
- Re: [TLS] prohibit <1.2 support on 1.3+ servers (… Martin Thomson
- Re: [TLS] prohibit <1.2 support on 1.3+ servers (… Dave Garrett
- Re: [TLS] prohibit <1.2 support on 1.3+ servers (… Aaron Zauner
- Re: [TLS] prohibit <1.2 support on 1.3+ servers (… Martin Thomson
- Re: [TLS] prohibit <1.2 support on 1.3+ servers (… Tony Arcieri
- Re: [TLS] prohibit <1.2 support on 1.3+ servers (… Dave Garrett
- Re: [TLS] prohibit <1.2 on clients (but allow ser… Xiaoyin Liu
- Re: [TLS] prohibit <1.2 on clients (but allow ser… Dave Garrett
- Re: [TLS] prohibit <1.2 support on 1.3+ servers (… Martin Rex
- Re: [TLS] prohibit <1.2 support on 1.3+ servers (… Hubert Kario
- Re: [TLS] prohibit <1.2 on clients (but allow ser… Peter Gutmann
- Re: [TLS] prohibit <1.2 on clients (but allow ser… Xiaoyin Liu
- Re: [TLS] prohibit <1.2 support on 1.3+ servers (… Salz, Rich
- Re: [TLS] prohibit <1.2 support on 1.3+ servers (… Salz, Rich
- Re: [TLS] prohibit <1.2 support on 1.3+ servers (… Ronald del Rosario
- Re: [TLS] prohibit <1.2 support on 1.3+ servers (… Dave Garrett
- Re: [TLS] prohibit <1.2 on clients (but allow ser… Dave Garrett
- Re: [TLS] prohibit <1.2 on clients (but allow ser… Geoffrey Keating
- Re: [TLS] prohibit <1.2 support on 1.3+ servers (… Tony Arcieri
- Re: [TLS] prohibit <1.2 on clients (but allow ser… Jeffrey Walton
- Re: [TLS] prohibit <1.2 support on 1.3+ servers (… Bill Frantz
- Re: [TLS] prohibit <1.2 on clients (but allow ser… Peter Gutmann
- Re: [TLS] prohibit <1.2 on clients (but allow ser… Geoff Keating
- Re: [TLS] prohibit <1.2 support on 1.3+ servers (… Jeffrey Walton
- Re: [TLS] prohibit <1.2 support on 1.3+ servers (… Florian Weimer
- Re: [TLS] prohibit <1.2 on clients (but allow ser… Yuhong Bao
- Re: [TLS] prohibit <1.2 on clients (but allow ser… Martin Thomson
- Re: [TLS] prohibit <1.2 on clients (but allow ser… Salz, Rich