Re: [TLS] [Last-Call] Last Call: <draft-ietf-tls-oldversions-deprecate-09.txt> (Deprecating TLSv1.0 and TLSv1.1) to Best Current Practice

Stephen Farrell <> Tue, 01 December 2020 00:50 UTC

To: Peter Gutmann <>, Keith Moore <>, "" <>


On 01/12/2020 00:29, Peter Gutmann wrote:
> However I think your comment points out the overall problem:
>    usage in web, mail and OSes
> This means there's no consideration at all of use in embedded/SCADA/whatever.

I wouldn't agree with "no consideration" but guess we might
agree about a lack of data. In particular, mail servers
within enterprises were an explicit consideration but one
where the consensus I think ended up pretty clear to be to
deprecate despite at that time ongoing non-trivial usage of
old versions.

That said, if someone had words to suggest that might garner
consensus, that would be good. I earlier said I'd try to craft
such, and will, but maybe it would be better to start that with
text from someone who works with these deliberately update-averse
devices. (My guess as of now is that it would need to try to
describe cases where our "MUST NOT" is really an rfc6919
"MUST NOT (but we know you will)" rather than an attempt to
characterise all the situations where the "MUST NOT" is
clearly correct.)
PS: I think the earlier discussion referred to above answers
Keith's point about mail servers, if one looks back over it.
(That's from memory though, me not actually having gone back
and looked over it again... yet;-)