Re: [TLS] [Last-Call] Last Call: <draft-ietf-tls-oldversions-deprecate-09.txt> (Deprecating TLSv1.0 and TLSv1.1) to Best Current Practice

Nick Lamb <njl@tlrmx.org> Sat, 28 November 2020 20:30 UTC

Date: Sat, 28 Nov 2020 20:29:51 +0000
From: Nick Lamb <njl@tlrmx.org>
To: tls@ietf.org
Cc: Keith Moore <moore@network-heretics.com>
Message-ID: <20201128202951.5de4c99f@totoro.tlrmx.org>
In-Reply-To: <7e1af512-ba45-5d9a-6538-518179ab2c3a@network-heretics.com>
References: <160496076356.8063.5138064792555453422@ietfa.amsl.com> <49d045a3-db46-3250-9587-c4680ba386ed@network-heretics.com> <CABcZeBPCccfDuGyZC-y88-dapjWYy57YRWWK3vsFOGM5Bxa+8Q@mail.gmail.com> <584c7749-6986-0329-873c-2d1ff8b55251@network-heretics.com> <CABcZeBNmzSV38Hm+cpas=hAO3RvV2V6nCkRUM2NkBM8mG7bdBg@mail.gmail.com> <7e1af512-ba45-5d9a-6538-518179ab2c3a@network-heretics.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/qcLluXqXgizoiVwE25Gp0O0Ps_g>

On Fri, 27 Nov 2020 23:43:42 -0500
Keith Moore <moore@network-heretics.com> wrote:

> I'm aware of that.  But what really is the point of a cert
> (especially one issued by a public CA) that has an RFC1918 address as
> its subject? Not that it matters that much because the vast majority
> of sites using embedded systems aren't going to bother with them.
> Most of those systems probably don't support cert installation by
> customers anyway.

You won't get such a certificate from a public CA (presumably meaning
a CA issuing in the Web PKI). They're subject to the CA/B Baseline
Requirements which explicitly forbid this (in 7.1.4.2.1):

  CAs SHALL NOT issue certificates with a subjectAltName extension or
  subject:commonName field containing a Reserved IP Address or Internal
  Name.

As I understand it, the purpose of the IETF is to develop and promote
Internet standards; to the extent that people enjoy using some of these
standards to do things that aren't part of the Network, they are welcome,
but it doesn't make sense for the IETF to focus on these uses.

As an IETF draft the die-die-die work addresses the Internet, and it
seems to me that ekr's assessment is entirely correct in that context.

Nick.
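As an added illustration (not part of Nick's message or of the Baseline Requirements text), the Python check below classifies the subjectAltName entries of a certificate request against the two categories the quoted BR clause forbids. The reserved-suffix list and the `check_san_entries` helper are my own approximations of "Reserved IP Address" and "Internal Name", not the BR definitions, and the SAN list is constructed for the example.

```python
import ipaddress

# Assumption: a small set of well-known special-use suffixes that cannot be
# resolved in the public DNS. A real linter would consult the IANA Special-Use
# Domain Names registry and the public TLD list instead of this short list.
RESERVED_DNS_SUFFIXES = (".local", ".localhost", ".internal", ".lan",
                         ".corp", ".home", ".test", ".example", ".invalid")


def is_reserved_ip(value):
    """True if value is an IPv4/IPv6 address that is not globally routable
    (RFC 1918, loopback, link-local, CGNAT, ULA, documentation ranges...).
    The stdlib is_global flag is used as the 'Reserved IP Address' test."""
    try:
        addr = ipaddress.ip_address(value)
    except ValueError:
        return False  # not an IP literal at all
    return not addr.is_global


def is_internal_name(name):
    """True for a dNSName that cannot be verified through the public DNS:
    a single label (no dot) or a name under a reserved suffix."""
    host = name.lower().rstrip(".")
    if host.startswith("*."):
        host = host[2:]  # judge the wildcard by the domain it covers
    if "." not in host:
        return True
    return host.endswith(RESERVED_DNS_SUFFIXES)


def check_san_entries(entries):
    """entries: list of (kind, value) with kind 'DNS' or 'IP'.
    Returns (kind, value, reason) for every entry a BR-conformant CA
    would have to refuse under 7.1.4.2.1."""
    findings = []
    for kind, value in entries:
        if kind == "IP" and is_reserved_ip(value):
            findings.append((kind, value, "Reserved IP Address"))
        elif kind == "DNS" and is_internal_name(value):
            findings.append((kind, value, "Internal Name"))
    return findings


# Constructed sample SAN list: two acceptable names, then four violations.
SAMPLE_SANS = [
    ("DNS", "www.example.com"),
    ("DNS", "*.corp.example.com"),   # wildcard under a public domain: fine
    ("DNS", "mail"),                 # single label: Internal Name
    ("DNS", "nas.home.lan"),         # reserved suffix: Internal Name
    ("IP", "192.168.1.20"),          # RFC 1918: Reserved IP Address
    ("IP", "fd12:3456::1"),          # IPv6 ULA: Reserved IP Address
]

if __name__ == "__main__":
    for kind, value, reason in check_san_entries(SAMPLE_SANS):
        print(f"{kind:3} {value:20} -> {reason}")
```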