Re: [TLS] [Last-Call] Last Call: <draft-ietf-tls-oldversions-deprecate-09.txt> (Deprecating TLSv1.0 and TLSv1.1) to Best Current Practice

"Ackermann, Michael" <MAckermann@bcbsm.com> Wed, 02 December 2020 15:17 UTC

Return-Path: <mackermann@bcbsm.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E2E9C3A144A for <tls@ietfa.amsl.com>; Wed, 2 Dec 2020 07:17:32 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.434
X-Spam-Level:
X-Spam-Status: No, score=-1.434 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_SOFTFAIL=0.665, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); domainkeys=pass (1024-bit key) header.from=MAckermann@bcbsm.com header.d=bcbsm.com; dkim=pass (1024-bit key) header.d=bcbsm.com header.b=bB/YMQpt; dkim=fail (1024-bit key) reason="fail (body has been altered)" header.d=bcbsm.onmicrosoft.com header.b=btAAfcXy
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vYOsKcMqOGcK for <tls@ietfa.amsl.com>; Wed, 2 Dec 2020 07:17:30 -0800 (PST)
Received: from mx.z120.zixworks.com (bcbsm.zixworks.com [199.30.235.120]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CF23B3A144F for <tls@ietf.org>; Wed, 2 Dec 2020 07:17:30 -0800 (PST)
Received: from 127.0.0.1 (ZixVPM [127.0.0.1]) by Outbound.z120.zixworks.com (Proprietary) with SMTP id 06A481C6888 for <tls@ietf.org>; Wed, 2 Dec 2020 08:58:55 -0600 (CST)
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=ZIXVPM1670e2ded26; d=bcbsm.com; h=From:To:Subject:Date; b=pkH6htzFLEPsN/QbI0sxP5D5vx6k/Gh/baOcsUNilulT1e5yt+dj182p97EUnadv h+IEa7yPYxw6YZLGHRYvGli1t3rpA+/jpIpvZCEA6ymaV7764fjRD4wr1bP4YU mCge8DltGQM0f8lmqXLqsqwZlCgny4BB+Tz7KGZPkQuKU=;
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=bcbsm.com; s=ZIXVPM1670e2ded26; t=1606921135; bh=b2sYazAEkwyNRW7czOIHYrq79TYMc7T/qQX01lyVAyI=; h=From:To:Subject:Date; b=bB/YMQptdkBhKBnn9UajgBMvydibFJNTUhhga2FZlbPLy2V2TfzGRf7gPB7QETEoK vu6Dlh8ScRQ921tCF8GjfGUzQYtp26ze893855Q6wyzIfXM6gN2+517VgJaq267FNS ZOTTPTJmpA77/NbxQ+NmJ6P28/orBNfZ8ssynu1Y=
Received: from imsva2.bcbsm.com (inetmta04.bcbsm.com [12.107.172.81]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx.z120.zixworks.com (Proprietary) with ESMTPS id 2124B1C3EAC; Wed, 2 Dec 2020 08:58:53 -0600 (CST)
Received: from imsva2.bcbsm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id A3409FE06F; Wed, 2 Dec 2020 09:58:52 -0500 (EST)
Received: from imsva2.bcbsm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 56B4FFE055; Wed, 2 Dec 2020 09:58:52 -0500 (EST)
Received: from NAM11-CO1-obe.outbound.protection.outlook.com (unknown [104.47.56.170]) by imsva2.bcbsm.com (Postfix) with ESMTPS; Wed, 2 Dec 2020 09:58:52 -0500 (EST)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=GoHlkMNSojB5Il6Fpc0n+d/1QfgOQDfpRSI0yUhY12IFmAP2dpPDFYO1bcVB0pHkUM9LFr66qfRAQQN4BasReZwJq4OFGupY3E48DRJ0BdMrNAv6GdEerxSr1xNTK/NGEH5iN8gzjYtBQLazjDnAbehBQHL1KjoQr7rStN4FVt8GlDP+RehqrCbAtdmwbDYYQX3oVW7PpimZKjNFCN7cqphw+qfC9E6+QkJv6O6RKGHiQOISMW5+Srrrov7cfc7AsQZmlAdFGxykDmYy14xvd1u51quys/yy9GPtBqp3T7ZaNep3Aq3cD02Sf5hyaxZE6YXKpvqgi/Um5zHktQzsbg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=4132V0Imz4KJk9cNAF5oGzYt5mUY2bXGCW4CNvusJSQ=; b=Y6bMt2iFgGQ9ldPe0rzyCIACYu+QCgSaQcz9e84OKenhZcDfrd9/yafQ75KH9tB0FkzjHcYsPW3SDk0XmyzGBCSoQ3PQsikI269Xv7CTr8e79/hGkma4SU95jbjEOmJduL9Vzr0WfKWE0fZsNuoxXj1XpPbAdSNbDYRf6ChuNvB8Wbj2c9bW2FYVrjfioXTF6F4x0w0qPil4dIeI4Mg40lD7QCJMA/M657GvrUavwPEMAHvQWx1RCGAAxDYs8CxcoBPnlz5NNQu50y0gYj8oUU6uMZaxa/Ho2En5a8KJBZFMVl7PLIYtSJ5xCTLgDcHzPLGl2GeNRR3LQJ7j7rPyvQ==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=bcbsm.com; dmarc=pass action=none header.from=bcbsm.com; dkim=pass header.d=bcbsm.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=bcbsm.onmicrosoft.com; s=selector2-bcbsm-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=4132V0Imz4KJk9cNAF5oGzYt5mUY2bXGCW4CNvusJSQ=; b=btAAfcXy51XKbjcBBl2lb+aLWIMlQlAdqNIheZH0MpKpVAvwh8OuaKRVDVFXiMUjF4AON11BFu8VixaZJfmR7wVJ9pPpp/APszYJMW0AMZ1LZYo9/ilSpNQmBPZT2KfIWKeMpRXdwMLjLxL9grlxbFFIiRNScqmE5FtcnMUNfyM=
Received: from BYAPR14MB3176.namprd14.prod.outlook.com (2603:10b6:a03:dc::32) by SJ0PR14MB4522.namprd14.prod.outlook.com (2603:10b6:a03:2e2::12) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3632.17; Wed, 2 Dec 2020 14:58:49 +0000
Received: from BYAPR14MB3176.namprd14.prod.outlook.com ([fe80::1520:c83a:49d8:f79e]) by BYAPR14MB3176.namprd14.prod.outlook.com ([fe80::1520:c83a:49d8:f79e%4]) with mapi id 15.20.3611.025; Wed, 2 Dec 2020 14:58:49 +0000
From: "Ackermann, Michael" <MAckermann@bcbsm.com>
To: Eliot Lear <lear=40cisco.com@dmarc.ietf.org>, Peter Gutmann <pgut001@cs.auckland.ac.nz>
CC: "draft-ietf-tls-oldversions-deprecate@ietf.org" <draft-ietf-tls-oldversions-deprecate@ietf.org>, "last-call@ietf.org" <last-call@ietf.org>, "STARK, BARBARA H" <bs7652@att.com>, "tls@ietf.org" <tls@ietf.org>, "tls-chairs@ietf.org" <tls-chairs@ietf.org>
Thread-Topic: [TLS] [Last-Call] Last Call: <draft-ietf-tls-oldversions-deprecate-09.txt> (Deprecating TLSv1.0 and TLSv1.1) to Best Current Practice
Thread-Index: AQHWx3wfv3qMkbrqc0yfLCitcBgXEanh+dWAgABeAQCAAAivgIABQK+AgAACzACAAEA48A==
Date: Wed, 2 Dec 2020 14:58:49 +0000
Message-ID: <BYAPR14MB31763782200348F502A70DA4D7F30@BYAPR14MB3176.namprd14.prod.outlook.com>
References: <160496076356.8063.5138064792555453422@ietfa.amsl.com> <49d045a3-db46-3250-9587-c4680ba386ed@network-heretics.com> <b5314e17-645a-22ea-3ce9-78f208630ae1@cs.tcd.ie> <1606782600388.62069@cs.auckland.ac.nz> <0b72b2aa-73b6-1916-87be-d83e9d0ebd09@cs.tcd.ie> <1606814941532.76373@cs.auckland.ac.nz> <36C74BF4-FF8A-4E79-B4C8-8A03BEE94FCE@cisco.com> <SN6PR02MB4512D55EC7F4EB00F5338631C3F40@SN6PR02MB4512.namprd02.prod.outlook.com> <1606905858825.10547@cs.auckland.ac.nz> <EEFAB41B-1307-4596-8A2E-11BF8C1A2330@cisco.com>
In-Reply-To: <EEFAB41B-1307-4596-8A2E-11BF8C1A2330@cisco.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: dmarc.ietf.org; dkim=none (message not signed) header.d=none;dmarc.ietf.org; dmarc=none action=none header.from=bcbsm.com;
x-originating-ip: [165.225.0.109]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 26fe19c4-8821-4fa0-4e1e-08d896d2c6c5
x-ms-traffictypediagnostic: SJ0PR14MB4522:
x-microsoft-antispam-prvs: <SJ0PR14MB4522CA754DF7BBFE0E7490EED7F30@SJ0PR14MB4522.namprd14.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:8273;
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: 6kXvpIVKrayT1oQgXARFM8aEUfpD5V4EMo8JmjEUKYea0GrQ19/I+20omXSt9m+bMG4/Vlzj65TpAvmszB1JugxuxH1mGMfZnZYVIAXoGf8r9iKT9nz1WoefbEXKiriIgtbpHVvMj6QhRtMwYz5/QUB7JlE29br46sg+JI42TKJtTReJoDjHYAkL5Y2GOu8aV7O/td9vN2db4Zt0khHuEuDaV9BPpTGTQBCuVd4PSBEM93gzEFIYbJT69lUBEXtAVr3hLHeB8m3MvoSXEYWML1AUggAxk2fbf7tqOtx+a1sBCN/IT/0uuyGv9VxI1RZ/82J6zngkG2z5uoa5fb14Cw==
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:BYAPR14MB3176.namprd14.prod.outlook.com; PTR:; CAT:NONE; SFS:(136003)(366004)(376002)(396003)(346002)(39850400004)(53546011)(186003)(4326008)(52536014)(64756008)(66556008)(66476007)(6506007)(66446008)(66946007)(55236004)(478600001)(2906002)(76116006)(9686003)(7696005)(55016002)(86362001)(71200400001)(83380400001)(110136005)(8936002)(5660300002)(26005)(8676002)(54906003)(316002)(33656002); DIR:OUT; SFP:1102;
x-ms-exchange-antispam-messagedata: =?utf-8?B?TjJDcVZ4Rjk4NjkvK3V1TXZBUyswWU9Xc01OZXkycU5mVUxSd0lIdDk5cThH?= =?utf-8?B?UkM3UFAwVWNSeVVRNExLbngxWFJYTElFTmxLQTJna1JaREhWaGFlOHJhN0l0?= =?utf-8?B?U1NXanlJb05ib3hKU0Z5WTZLdzBvVmN0NG54K2dRVjBsOGZKMGxCR0NOMTRw?= =?utf-8?B?WDFDQmo1cUcvdThFNnRQcU14S1ROL0JpMStxdkRPQUo3QUw4NDVjbVFQRVkv?= =?utf-8?B?b2lGWklVMEJENm1kYnBDUk0xWTAwY3M0OVBOMTdaSTB3d2Nnb3VuVSsyclBk?= =?utf-8?B?V2oydUZxTDI2dTZScm92MVZDd2QxWTViKzZNM2YranNKcWM5VkZQR2hBWmo0?= =?utf-8?B?NDdrRitlMUU3a3Y2ZVJEaWFtRE54STFLSWZmc1lDdHp2dFo0aVcvbmVrNlZr?= =?utf-8?B?LytRRHdPc0Zudy9acUU0MUIzN2ZjQk9zOGlWcVJkRVMrNVU3ZGJPQmFQUTdC?= =?utf-8?B?dXdQcVNodkc2UVdTci9FcFd5Nmh2RE9Db3dQdWJWTzVTTSs4Q2pvS2M5bnVq?= =?utf-8?B?SzBtWE44SkFEN0F3a1IvZm0wbXp3cFcyUExhd1AxbEErSlF4SExNQnFtaWhY?= =?utf-8?B?MDFqNnk4OGs0cjRlZmNreTA5ZlRrajRqSVhJd0M2MnNTR0k3NEg2U0trNjJY?= =?utf-8?B?Nk8rRU42bTJ5d0FXa1RvQzdjcGkvcE9mTlFRYWVVVVVGZHJUck1kcHhQT2xs?= =?utf-8?B?WEtvTFMyWUdHUHlLM0tYLyttZW9zcUs1QThPbklDSHVKM2lnQ3dJQ0pqR21M?= =?utf-8?B?eStHSTBOZjF4ZTVXeUhPV01QVDFsRHVWeTlOdTVMYXVjbURpSFNidHVWRXl0?= =?utf-8?B?SFBYNXBmTExmKytBZjI2dCtxZVpaZkthcUpYeWo4QWVETEVVTlJDOE5uN0N3?= =?utf-8?B?ajYxams5eThqbHIyaXR5TzkvMXJGVE9NanNONnE2S2N5d2xTU1ZSZTNKQi9i?= =?utf-8?B?Qm5va1lBY1RVYkVicnNDNmVtWWNkR1B2ZE1QM0dFT0YxMi9KdE1OZWpOeTNy?= =?utf-8?B?MmdCSEh3WTYrajN2U1o2MmVsVjVCZStGc2Vibk8yRnE2SHhmTk51MjM1WnlZ?= =?utf-8?B?SGdhQVpMYXc4b0tib2RpeXozMTVyby9uR2FaNTFuZzFtRGp2Y2tld3JNM2x0?= =?utf-8?B?b2RKa0dmb3RaWG9sY3IyNWJIUXdIbVd6UzIxN3o0M0tLUWtBWnhzTGVhTk9z?= =?utf-8?B?WFlhWDFtMGhEMzhFWXpWVVpZNkJtM1h1aTdUSEFiQXFjRkNmQ1l5aTFtUjM4?= =?utf-8?B?b0FpRjQ1dTNQOElYMytYa3lKWEtCMVhGRGppVFFNN1dicnl5THA3QWZWbnRa?= =?utf-8?Q?I/DhvdFBsxpYM=3D?=
x-ms-exchange-transport-forked: True
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: bcbsm.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: BYAPR14MB3176.namprd14.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 26fe19c4-8821-4fa0-4e1e-08d896d2c6c5
X-MS-Exchange-CrossTenant-originalarrivaltime: 02 Dec 2020 14:58:49.3364 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 6f56d3fa-5682-4261-b169-bc0d615da17c
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: Js+MYQrVAZb8gJX9mNnRIxSXzIHaFqjQtiLsBKkhB3przjzl/Ya9y4XUgMFSqnyoRzUDL3U4Xf9q9Uzm1FOfGg==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: SJ0PR14MB4522
X-TM-AS-GCONF: 00
X-VPM-HOST: vmvpm01.z120.zixworks.com
X-VPM-GROUP-ID: ef2018a4-b14c-41b6-897e-32451c5c80f8
X-VPM-MSG-ID: bd65304c-56c0-48be-bd7c-8289d9434758
X-VPM-ENC-REGIME: Plaintext
X-VPM-IS-HYBRID: 0
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/cu6rl_reOEuWVqLK7DOfpDvLd1M>
Subject: Re: [TLS] [Last-Call] Last Call: <draft-ietf-tls-oldversions-deprecate-09.txt> (Deprecating TLSv1.0 and TLSv1.1) to Best Current Practice
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 02 Dec 2020 15:17:33 -0000

As an Enterprise person I can say we are not well equipped to be aware of nor react "Nimbly" to changes such as this.  Wide scope and security related changes can require major changes to core Business systems.  This can mean significant time, effort and/or $$$. 
The biggest barrier is that this topic is not currently on the Planning or Budget radar at all, and usually takes 1-2 years (or more) to achieve either. 

On one side of such issues, I don't think IETF understands the above and on the other side Enterprises are unaware of developments at IETF and other SDO's.    Bridging that important gap is not unique to this topic. 

-----Original Message-----
From: TLS <tls-bounces@ietf.org> On Behalf Of Eliot Lear
Sent: Wednesday, December 2, 2020 5:54 AM
To: Peter Gutmann <pgut001@cs.auckland.ac.nz>
Cc: draft-ietf-tls-oldversions-deprecate@ietf.org; last-call@ietf.org; STARK, BARBARA H <bs7652@att.com>om>; tls@ietf.org; tls-chairs@ietf.org
Subject: Re: [TLS] [Last-Call] Last Call: <draft-ietf-tls-oldversions-deprecate-09.txt> (Deprecating TLSv1.0 and TLSv1.1) to Best Current Practice

[External email]


> On 2 Dec 2020, at 11:44, Peter Gutmann <pgut001@cs.auckland.ac.nz> wrote:
>
>
> It's actually the complete opposite, they will have every difficulty 
> in doing so.  You've got systems engineers whose job it is to keep 
> things running at all costs, or where the effort to replace/upgrade is 
> almost insurmountable, who now have to deal with pronouncements from 
> standards groups that insist they not keep things running.  I don't 
> know where you get this idea that this will cause "no difficulty" 
> from, it's a source of endless difficulty and frustration due to the 
> clash between "we can't replace or upgrade these systems at the 
> moment" and "there's some document that's just popped up that says we need to take them out of production and replace them”.


That is as it should be.  Let everyone understand the risks and make informed decisions.  This draft does an excellent job at laying out the vulnerabilities in TLS 1.0 and 1.1.  What it cannot do is adjudicate risk in every situation.  If someone has done so and decided that the risk is acceptable, very well.  They went in eyes wide open, and Stephen and friends helped.

Eliot






The information contained in this communication is highly confidential and is intended solely for the use of the individual(s) to whom this communication is directed. If you are not the intended recipient, you are hereby notified that any viewing, copying, disclosure or distribution of this information is prohibited. Please notify the sender, by electronic mail or telephone, of any unintended receipt and delete the original message without making any copies.
 
 Blue Cross Blue Shield of Michigan and Blue Care Network of Michigan are nonprofit corporations and independent licensees of the Blue Cross and Blue Shield Association.