[TLS] Re: Adoption call for TLS 1.2 Update for Long-term Support

Peter Gutmann <pgut001@cs.auckland.ac.nz> Fri, 22 November 2024 10:07 UTC

From: Peter Gutmann <pgut001@cs.auckland.ac.nz>
To: Yaron Sheffer <yaronf.ietf@gmail.com>, Andrew Campling <andrew.campling@419.consulting>, "Salz, Rich" <rsalz@akamai.com>, Sean Turner <sean@sn3rd.com>, TLS List <tls@ietf.org>
Date: Fri, 22 Nov 2024 10:06:51 +0000
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/o--4deUM1AP6TNiLwLampJSCunc>

Yaron Sheffer <yaronf.ietf@gmail.com> writes:

>Specifically, RFC 9325 [1] published a mere two years ago is not even
>referenced in the draft, let alone a comparison made with these deployment
>recommendations that were made by the very same IETF. (Yes you can hear my
>frustration coming through).

In defence of the -LTS draft, RFC 9325 postdates it by six years, so there
wasn't anything to reference at the time.  I'm also not certain how much
overlap there is between the two, for example 9325 contains quite a lot of
stuff (older TLS versions, compression, DTLS, fallback, RC4, NULL cipher
suites, RSA key transport, etc) that has no bearing on what's in -LTS which
means it could cause confusion if someone tries to apply it to things that
mostly don't exist in -LTS.

Having said that, now that my attention has been drawn to it :-), I'd be happy
to include a note along the lines of "further advice on secure use of TLS may
be found in RFC 9325", it would certainly fit in with what -LTS is trying to
achieve.

Peter.