Re: [TLS] [Last-Call] Last Call: <draft-ietf-tls-oldversions-deprecate-09.txt> (Deprecating TLSv1.0 and TLSv1.1) to Best Current Practice

Ted Lemon <mellon@fugue.com> Wed, 02 December 2020 16:04 UTC

From: Ted Lemon <mellon@fugue.com>
Message-Id: <005A4B6B-1BAB-4AE6-95B1-182BCF4CA6D8@fugue.com>
Date: Wed, 02 Dec 2020 11:03:02 -0500
In-Reply-To: <B70C09E7-3FB2-41A6-AFEC-2EC0EB00DA97@fugue.com>
Cc: Eliot Lear <lear=40cisco.com@dmarc.ietf.org>, Peter Gutmann <pgut001@cs.auckland.ac.nz>, "draft-ietf-tls-oldversions-deprecate@ietf.org" <draft-ietf-tls-oldversions-deprecate@ietf.org>, "last-call@ietf.org" <last-call@ietf.org>, "tls-chairs@ietf.org" <tls-chairs@ietf.org>, "STARK, BARBARA H" <bs7652@att.com>, "tls@ietf.org" <tls@ietf.org>
To: "Ackermann, Michael" <MAckermann@bcbsm.com>
References: <160496076356.8063.5138064792555453422@ietfa.amsl.com> <49d045a3-db46-3250-9587-c4680ba386ed@network-heretics.com> <b5314e17-645a-22ea-3ce9-78f208630ae1@cs.tcd.ie> <1606782600388.62069@cs.auckland.ac.nz> <0b72b2aa-73b6-1916-87be-d83e9d0ebd09@cs.tcd.ie> <1606814941532.76373@cs.auckland.ac.nz> <36C74BF4-FF8A-4E79-B4C8-8A03BEE94FCE@cisco.com> <SN6PR02MB4512D55EC7F4EB00F5338631C3F40@SN6PR02MB4512.namprd02.prod.outlook.com> <1606905858825.10547@cs.auckland.ac.nz> <EEFAB41B-1307-4596-8A2E-11BF8C1A2330@cisco.com> <BYAPR14MB31763782200348F502A70DA4D7F30@BYAPR14MB3176.namprd14.prod.outlook.com> <B70C09E7-3FB2-41A6-AFEC-2EC0EB00DA97@fugue.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/lCspsJlhS6c0rbJIU8eOvKXDgfA>

On Dec 2, 2020, at 11:00 AM, Ted Lemon <mellon@fugue.com> wrote:
> The situation right now is that it’s been known for a long time that RC4 and MD5 are not safe to use. Your vendors have known about this for a long time. If they do not have a roll-out plan for software that corrects the problem, you have chosen the wrong vendors. Look at your agreements with them. Are they honoring them? If not, you have recourse. If you didn’t contract with them to anticipate change, it’s time to go fix that.

Sorry, I was talking about the wrong document. But the point is the same. If you are using TLS 1.0 or TLS 1.1, your vendors should long since have offered you an upgrade path. If they haven’t, you chose the wrong vendors. Get to work on fixing that now, rather than complaining to us. A failure to plan on your part does not constitute an emergency on our part.