Re: [TLS] TLS1.2 vs TLS1.0

Paul Duffy <paduffy@cisco.com> Mon, 20 May 2013 21:43 UTC

Message-ID: <519A9910.1060001@cisco.com>
Date: Mon, 20 May 2013 17:43:44 -0400
From: Paul Duffy <paduffy@cisco.com>
Organization: Cisco Systems
To: Ulrich Herberg <ulrich@herberg.name>
References: <CAK=bVC8EZCCpG4+kzYUk+i5a_=Nh4AEGkuFJEC45cBSLLdnoTg@mail.gmail.com>
In-Reply-To: <CAK=bVC8EZCCpG4+kzYUk+i5a_=Nh4AEGkuFJEC45cBSLLdnoTg@mail.gmail.com>
Cc: tls@ietf.org
Subject: Re: [TLS] TLS1.2 vs TLS1.0

Hi Ulrich

IMO mandate TLS 1.2 (as SEP2 did).

For all of the reasons you mentioned below.

With OpenADR, we are talking about an app that impacts the electric grid.

Cheers



On 5/20/2013 4:47 PM, Ulrich Herberg wrote:
> Hi,
>
> I have not followed this WG, so please forgive me if a similar
> question has already been discussed.
>
> I am participating in another SDO on a standard for automated Demand
> Response, called OpenADR (www.openadr.org), an application for the
> smart grid. The application is basically a web service, exchanging XML
> over HTTP over public networks, and using TLS (with RSA and ECDSA /
> SHA1 ciphers for TLS 1.0 and SHA2 for TLS1.2). Currently, the draft
> allows for TLS1.0 and 1.1, but recommends using 1.2 (and requires
> vendors to provide a migration plan in case TLS1.0 is obsoleted).
> TLS1.0 and 1.1 RFCs have been obsoleted by the IETF; but I am not sure
> about the best current practice. Is it absolutely discouraged to use
> them? The argument in the OpenADR Alliance is that many libraries and
> programming languages do not support TLS1.2, so they recommend
> starting the handshake with 1.2 and then downgrading - if required - to
> 1.0. I read that NIST disallows SHA1 after 2013, which would also
> affect TLS1.0, which does not support SHA2.
>
> What would be your recommendation in this case? Mandate TLS1.2 and
> disallow TLS1.0? Or just strongly recommend ("SHOULD") to use TLS1.2
> and SHA2 ciphers, and otherwise to use TLS1.0?
>
> Best regards
> Ulrich
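The two policies under discussion (a MUST for TLS 1.2 versus a SHOULD with a fallback to 1.0), shown as an added example that is not part of this thread and not code from the OpenADR Alliance or SEP2. It uses Go's crypto/tls to run three handshakes over an in-memory pipe: a server that mandates TLS 1.2 against a current client, the same server against a client whose library only speaks TLS 1.0, and a permissive server that still admits that client. The throwaway certificate and the hostname vtn.openadr.example are assumptions made for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"io"
	"math/big"
	"net"
	"time"
)

// hostname is an assumed name for the OpenADR server in this example; it is
// not taken from the thread or from the OpenADR specification.
const hostname = "vtn.openadr.example"

// selfSignedCert makes a throwaway ECDSA certificate for hostname so the
// handshakes below run offline; the client pins it as its only trust root.
func selfSignedCert() (tls.Certificate, *x509.CertPool, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		DNSNames:              []string{hostname},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	parsed, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(parsed)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, pool, nil
}

// serverConfig encodes the server-side policy: accept nothing older than min.
// Session tickets are off only because the synchronous in-memory pipe below
// cannot buffer post-handshake ticket records.
func serverConfig(cert tls.Certificate, min uint16) *tls.Config {
	return &tls.Config{Certificates: []tls.Certificate{cert}, MinVersion: min, SessionTicketsDisabled: true}
}

// clientConfig offers exactly the versions in [min, max]; max == 0 means
// "whatever the library supports", i.e. a current implementation.
func clientConfig(roots *x509.CertPool, min, max uint16) *tls.Config {
	return &tls.Config{RootCAs: roots, ServerName: hostname, MinVersion: min, MaxVersion: max}
}

// negotiate runs one full handshake between the two configs over an in-memory
// pipe and returns the negotiated protocol version and cipher suite name.
// A non-nil error means the version policy in the configs rejected the peer.
func negotiate(server, client *tls.Config) (version uint16, suite string, err error) {
	srvConn, cliConn := net.Pipe()
	defer func() { cliConn.Close(); srvConn.Close() }()
	srvDone := make(chan error, 1)
	go func() { srvDone <- tls.Server(srvConn, server).Handshake() }()

	c := tls.Client(cliConn, client)
	err = c.Handshake()
	// Drain anything the server still writes so its goroutine can finish;
	// the deferred Close calls release this reader when negotiate returns.
	go io.Copy(io.Discard, cliConn)
	if srvErr := <-srvDone; err == nil {
		err = srvErr
	}
	if err != nil {
		return 0, "", err
	}
	st := c.ConnectionState()
	return st.Version, tls.CipherSuiteName(st.CipherSuite), nil
}

func main() {
	cert, roots, err := selfSignedCert()
	if err != nil {
		panic(err)
	}
	must12 := serverConfig(cert, tls.VersionTLS12)                    // "MUST use TLS 1.2"
	allow10 := serverConfig(cert, tls.VersionTLS10)                   // "SHOULD use 1.2, else 1.0"
	current := clientConfig(roots, tls.VersionTLS12, 0)               // current library
	legacy := clientConfig(roots, tls.VersionTLS10, tls.VersionTLS10) // library stuck on 1.0
	report := func(name string, s, c *tls.Config) {
		v, suite, err := negotiate(s, c)
		if err != nil {
			fmt.Printf("%-32s rejected: %v\n", name, err)
			return
		}
		fmt.Printf("%-32s negotiated 0x%04x %s\n", name, v, suite)
	}
	report("MUST 1.2 / current client", must12, current)
	report("MUST 1.2 / TLS1.0-only client", must12, legacy)
	report("SHOULD 1.2 / TLS1.0-only client", allow10, legacy)
}
```

Run with `go run .`: the first case negotiates 1.2 or newer, the second is refused with a protocol_version alert, and the third is the case a SHOULD-level rule leaves open: the legacy client is admitted at TLS 1.0 with an HMAC-SHA1 CBC suite, because every TLS 1.0 suite authenticates records with MD5 or SHA-1 and the SHA-256 suites exist only from TLS 1.2 on. The server's MinVersion is the whole difference between the two policies; the client-side "start at 1.2 and fall back" behaviour described in the question is what `current` does by default, and it only matters when the server permits the fallback.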