Re: [TLS] prohibit <1.2 support on 1.3+ servers (but allow clients)

mrex@sap.com (Martin Rex) Thu, 21 May 2015 23:28 UTC

In-Reply-To: <201505211210.43060.davemgarrett@gmail.com>
To: Dave Garrett <davemgarrett@gmail.com>
Date: Fri, 22 May 2015 01:28:36 +0200 (CEST)
Message-Id: <20150521232836.5AB841B31E@ld9781.wdf.sap.corp>
From: mrex@sap.com (Martin Rex)
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/paBSNOz_fK997b3_FM2aN_e3DcM>
Cc: tls@ietf.org
Subject: Re: [TLS] prohibit <1.2 support on 1.3+ servers (but allow clients)
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>

Dave Garrett wrote:
>
> https://tools.ietf.org/html/rfc7525
> 
> 2) For TLS 1.3, add a blurb to the effect of:
> "Server TLS implementations supporting TLS 1.3 or later
> MUST NOT negotiate TLS 1.0 or TLS 1.1 for any reason.

You have just been passionately fighting _for_ ignoring a requirement
in TLSv1.0->v1.2 that is an extremely reasonable, interop-enhancing
requirement.

Now you're asking for addition of an obviously stupid requirement that
will obviously impair interop.

Such obviously bogus requirements are going to be entirely ignored
by a number of implementors, and they will get away with it with ease
just as the offenders of current requirements keep offending.

The bottom line result will be that you're in conflict with rfc2119
and driving the quality of the document into the ground, because it
will become more and more difficult to recognize which of the requirements
are really important for interoperability, and which are just political junk.


-Martin
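Added illustration for readers of this thread; it is not part of Martin's or Dave's message and is not code from any TLS implementation. It models the server-side version selection rule of RFC 5246 Appendix E.1 (pick the highest supported version not above the client's offered client_version, otherwise abort with a protocol_version alert) and adds an optional minimum-version floor standing in for the quoted "MUST NOT negotiate TLS 1.0 or TLS 1.1" proposal. The 0x0304 value for TLS 1.3 and the treatment of 1.3 as just another client_version (rather than the supported_versions extension the protocol later adopted) are assumptions made here so the two server policies can be compared on the same inputs.

```python
"""Model of TLS server version selection with an optional policy floor.

Added example for this page, not code from any TLS stack. Version numbers
for TLS 1.0-1.2 are the ProtocolVersion values from RFC 2246/4346/5246;
(3, 4) for TLS 1.3 is an assumption taken from the later draft series.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int]  # ProtocolVersion {major, minor}

TLS10: Version = (3, 1)
TLS11: Version = (3, 2)
TLS12: Version = (3, 3)
TLS13: Version = (3, 4)  # assumed value, see module docstring

NAMES: Dict[Version, str] = {
    TLS10: "TLS 1.0", TLS11: "TLS 1.1", TLS12: "TLS 1.2", TLS13: "TLS 1.3",
}


@dataclass
class Outcome:
    negotiated: Optional[Version]   # version sent back in ServerHello, or None
    alert: Optional[str]            # "protocol_version" when handshake is refused


def select_version(client_version: Version,
                   server_supported: List[Version],
                   min_version: Optional[Version] = None) -> Outcome:
    """RFC 5246 App. E.1 rule plus an optional floor.

    The server takes the highest version it supports that is <= the
    client's client_version.  If there is none, it aborts with a
    protocol_version alert.  min_version models the proposed requirement:
    even if a lower version is mutually supported, refuse it.
    """
    candidates = [v for v in server_supported if v <= client_version]
    if not candidates:
        return Outcome(None, "protocol_version")
    chosen = max(candidates)
    if min_version is not None and chosen < min_version:
        # Both sides could have talked `chosen`; policy refuses anyway.
        return Outcome(None, "protocol_version")
    return Outcome(chosen, None)


def interop_matrix(server_supported: List[Version],
                   min_version: Optional[Version] = None) -> Dict[str, str]:
    """What this server does for each client_version a peer might send.

    Returns {client version name: negotiated version name or 'refused (...)'}
    so the interop effect of a floor can be read off directly.
    """
    result: Dict[str, str] = {}
    for cv in sorted(NAMES):
        out = select_version(cv, server_supported, min_version)
        if out.negotiated is not None:
            result[NAMES[cv]] = NAMES[out.negotiated]
        else:
            result[NAMES[cv]] = "refused (%s)" % out.alert
    return result


if __name__ == "__main__":
    # Constructed scenario: a server that implements every version,
    # compared with and without the proposed floor at TLS 1.2.
    everything = [TLS10, TLS11, TLS12, TLS13]
    print("no floor:      ", interop_matrix(everything))
    print("floor TLS 1.2: ", interop_matrix(everything, min_version=TLS12))
```

The second line of output is the practical content of the proposed MUST NOT: a client that only offers client_version 3.1 or 3.2 is turned away with protocol_version even though the server could have served it, which is the interoperability cost the reply above objects to; a client offering 3.3 or higher is unaffected either way.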