Re: [TLS] [Last-Call] Last Call: <draft-ietf-tls-oldversions-deprecate-09.txt> (Deprecating TLSv1.0 and TLSv1.1) to Best Current Practice

Eliot Lear <lear@cisco.com> Tue, 01 December 2020 15:05 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/nEwH6J-u6MFHC5liiUwBYrJiNgs>

It is incredibly difficult to draw a line so precisely as to where the threat to a device begins and ends, given the wide range of deployment scenarios.  If a device can be at all critical (and even if it isn’t), then it should be upgraded or replaced.  Better that this be out there in its current form so that other organizations that specify TLS requirements can pick this document up without any wiggle room or ambiguity.  Also, we do not have a “Sometimes Deprecated” category, nor do I think we should start here.

Eliot


> On 1 Dec 2020, at 10:29, Peter Gutmann <pgut001@cs.auckland.ac.nz> wrote:
> 
> Stephen Farrell <stephen.farrell@cs.tcd.ie> writes:
> 
>> That said, if someone had words to suggest that might garner consensus, that
>> would be good.
> 
> I think all it needs is something along the lines of "This BCP applies to TLS
> as used on the public Internet [Not part of the text but meaning the area that
> the IETF creates standards for].  Since TLS has been adopted in a large number
> of areas outside of this, considerations for use in these areas are left to
> relevant standards bodies to define".
> 
> Peter.