Re: [TLS] TLS@IETF101 Agenda Posted

Hubert Kario <hkario@redhat.com> Wed, 14 March 2018 19:12 UTC

Return-Path: <hkario@redhat.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 33BBC124C27 for <tls@ietfa.amsl.com>; Wed, 14 Mar 2018 12:12:50 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.301
X-Spam-Level:
X-Spam-Status: No, score=-2.301 tagged_above=-999 required=5 tests=[RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01, T_SPF_HELO_PERMERROR=0.01] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4LSszHaJn1UG for <tls@ietfa.amsl.com>; Wed, 14 Mar 2018 12:12:48 -0700 (PDT)
Received: from mx1.redhat.com (mx3-rdu2.redhat.com [66.187.233.73]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C3DB7124BE8 for <tls@ietf.org>; Wed, 14 Mar 2018 12:12:48 -0700 (PDT)
Received: from smtp.corp.redhat.com (int-mx05.intmail.prod.int.rdu2.redhat.com [10.11.54.5]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id 067AD4040856; Wed, 14 Mar 2018 19:12:48 +0000 (UTC)
Received: from pintsize.usersys.redhat.com (ovpn-200-29.brq.redhat.com [10.40.200.29]) by smtp.corp.redhat.com (Postfix) with ESMTP id 6637450331; Wed, 14 Mar 2018 19:12:47 +0000 (UTC)
From: Hubert Kario <hkario@redhat.com>
To: Russ Housley <housley@vigilsec.com>
Cc: IETF TLS <tls@ietf.org>
Date: Wed, 14 Mar 2018 20:12:41 +0100
Message-ID: <10505832.z7kPpBgRto@pintsize.usersys.redhat.com>
In-Reply-To: <4317390C-51CB-4969-8251-DBA18CBDE0BA@vigilsec.com>
References: <6140B7A6-A1C7-44BC-9C65-9BE0D5E1B580@sn3rd.com> <12691059.D1o9753ySB@pintsize.usersys.redhat.com> <4317390C-51CB-4969-8251-DBA18CBDE0BA@vigilsec.com>
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="nextPart1665534.zIL0QLxZMB"; micalg="pgp-sha512"; protocol="application/pgp-signature"
X-Scanned-By: MIMEDefang 2.79 on 10.11.54.5
X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.11.55.5]); Wed, 14 Mar 2018 19:12:48 +0000 (UTC)
X-Greylist: inspected by milter-greylist-4.5.16 (mx1.redhat.com [10.11.55.5]); Wed, 14 Mar 2018 19:12:48 +0000 (UTC) for IP:'10.11.54.5' DOMAIN:'int-mx05.intmail.prod.int.rdu2.redhat.com' HELO:'smtp.corp.redhat.com' FROM:'hkario@redhat.com' RCPT:''
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/oU1L28oEUeu2eGMEeizAT1E6NGo>
Subject: Re: [TLS] TLS@IETF101 Agenda Posted
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 14 Mar 2018 19:12:50 -0000

On Wednesday, 14 March 2018 19:53:21 CET Russ Housley wrote:
> > On Mar 14, 2018, at 8:39 AM, Hubert Kario <hkario@redhat.com>; wrote:
> > 
> > On Tuesday, 13 March 2018 23:16:47 CET Russ Housley wrote:
> >> Ted:
> >>> There's an easy way to do this, although as a sometime bank security
> >>> geek
> >>> I would strongly advise you to not do it: keep using TLS 1.2.
> >> 
> >> This is a bogus argument.  First, staying with an old protocol version
> >> often leads to locking in unmaintained versions of old software.
> > 
> > this is simply not true, the newest versions of OpenSSL, NSS, GnuTLS and
> > schannel allow you to disable TLS 1.2 and TLS 1.1 protocol support to
> > effectively only support TLS 1.0!
> 
> After TLS 1.3 is approved, I have heard a desire from software maintainers
> to drop support for some of the older versions over time. Support for SSL
> 3.0 has been dropped in some cases, and for good reasons.

there's a long road from "desire to drop support for TLS 1.0", through 
"marking the TLS 1.0 support as deprecated", "making the TLS 1.0 support a 
compile only option" to "removing TLS 1.0 code completely"

while sure, both TLS 1.0 and TLS 1.2 likely will be removed from those afore-
mentioned libraries at _some_ point, it is disingenuous to suggest it will 
happen in a matter of just few years, especially for the latter of the two 
protocols
-- 
Regards,
Hubert Kario
Senior Quality Engineer, QE BaseOS Security team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 115, 612 00  Brno, Czech Republic