Re: [TLS] prohibit <1.2 support on 1.3+ servers (but allow clients)

Yoav Nir <ynir.ietf@gmail.com> Thu, 21 May 2015 22:59 UTC

From: Yoav Nir <ynir.ietf@gmail.com>
In-Reply-To: <CACsn0ck84SMT+Eqgdz7SBFQmaP0tFZQpX03Q0WyJtTgh5MhpkQ@mail.gmail.com>
Date: Fri, 22 May 2015 01:59:17 +0300
Message-Id: <943DD5B5-DD98-4AB5-80AF-EB56D2EABC86@gmail.com>
References: <201505211210.43060.davemgarrett@gmail.com> <BLU177-W43B228C6C40A3EFFF6D0AC3C10@phx.gbl> <08521CEE-F00B-40B5-9A91-D290ED56EE67@gmail.com> <201505211816.42606.davemgarrett@gmail.com> <9ED694CA-2271-42DD-B094-55B560B9C76B@gmail.com> <CACsn0ck84SMT+Eqgdz7SBFQmaP0tFZQpX03Q0WyJtTgh5MhpkQ@mail.gmail.com>
To: Watson Ladd <watsonbladd@gmail.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/km--5Rbr55JtdxElOdQydpTeKkg>
Cc: "maray@microsoft.com" <maray@microsoft.com>, "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] prohibit <1.2 support on 1.3+ servers (but allow clients)

> On May 22, 2015, at 1:41 AM, Watson Ladd <watsonbladd@gmail.com> wrote:
> 
> On Thu, May 21, 2015 at 6:34 PM, Yoav Nir <ynir.ietf@gmail.com> wrote:
>> 
>>> On May 22, 2015, at 1:16 AM, Dave Garrett <davemgarrett@gmail.com> wrote:
>>> 
>>> On Thursday, May 21, 2015 05:50:26 pm Yoav Nir wrote:
>>>> According to netmarketshare.com Windows XP is still 16% of desktops/laptops (as measured by web traffic). Add some older mac OS X versions and you reach 17%. Even mobile has some older versions. What this is proposing is to require servers to cut all of those off as a pre-requisite to supporting TLS 1.3.
>>> 
>>> Windows XP & old Mac OS X users can install Mozilla Firefox or Google Chrome (or one of the browsers based on one). It's just the built in browser that won't work because the vendor dropped support.
>> 
>> And you are proposing that we force them to do this? Worse, you are proposing that we deputize all server operators in forcing them to replace their browser?
> 
> If not now, then when?

When those machines rust away, or when their owners decide to buy shiny new ones.

Ultimately, it’s up to the server administrators to decide when to drop support for something. I don’t see where it’s our job to require them to do so as a pre-condition to deploying TLS 1.3. Server implementers will ignore this even if we make it a MUST.