Re: [TLS] Adoption call for 'TLS 1.2 Feature Freeze'

hannes.tschofenig@gmx.net Tue, 12 December 2023 09:20 UTC

From: hannes.tschofenig@gmx.net
To: 'Loganaden Velvindron' <loganaden@gmail.com>, 'Peter Gutmann' <pgut001@cs.auckland.ac.nz>
Cc: tls@ietf.org
References: <CAChr6SwLuACW74ZHQOmidfSKuD=dwUXN=QM4jizJQy31eKrLfg@mail.gmail.com> <SY4PR01MB6251FDBDD330C527CB3C8A08EE8EA@SY4PR01MB6251.ausprd01.prod.outlook.com> <CAOp4FwTfxT2OnbJfC3mupQSApVc15S=bZAFDt5rvt2hbbeq5xw@mail.gmail.com>
In-Reply-To: <CAOp4FwTfxT2OnbJfC3mupQSApVc15S=bZAFDt5rvt2hbbeq5xw@mail.gmail.com>
Date: Tue, 12 Dec 2023 10:20:11 +0100
Message-ID: <04d301da2cdc$68b412f0$3a1c38d0$@gmx.net>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/uL75zVL7ZNf1gbqbp2AevZaWnRw>

From my experience, it is possible to update the firmware on many modern constrained IoT devices, including the TLS / DTLS stack, today. Of course, there are a lot of devices out there where updating the firmware involves physical access by some technician.

However, there are a few other challenges. 

First, such a change must be carefully planned since the space on these devices is quite limited.

Second, IoT devices often follow "system" standards and for interoperability purposes you cannot just replace one version of the security protocol with another one. In some IoT standards, you can "easily" switch from one TLS version to the next without impacting the interoperability of the entire system. This is not necessarily the case with all IoT specifications. There are often other subtle changes that have an impact on the transition. For example, if you have an IoT deployment that uses EAP-TLS based on RFC 5216 and you switch to RFC 9190 then you are suddenly facing the requirement to use OCSP stapling in TLS, if you strictly follow RFC 9190. In general, you have to look at the whole system rather than just at a single IoT device alone. There may also be certification processes to consider. 

Then, there is the incentive issue. Just because a new version of TLS is available does not mean companies will immediately update their devices, particularly when there is not even a security problem with 1.2 (at least if you follow the recommendations from the UTA group).

Finally, implementations with the desired feature set also have to be available. Depending on the stack you are using, this might be the case, but it is not guaranteed. Implementing embedded security protocols takes more time than writing a JavaScript app...

Ciao
Hannes
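
As an added example that is not part of this thread or of any IETF document: the two protocol details Hannes touches on (whether a device's stack offers TLS 1.3 at all, and whether it sends the status_request extension that OCSP stapling in TLS rides on) can be read straight off a captured ClientHello, which makes it possible to inventory a fleet before planning a firmware update. The Python below parses one ClientHello record following the layout in RFC 8446 section 4.1.2 and sorts it into TLS 1.3-capable, TLS 1.2-only or older, rejecting truncated or malformed records instead of indexing past the buffer. The sample ClientHellos come from the build_client_hello helper in the block (all-zero random, empty session id, two cipher suites); they are constructed for the example, not captured from any real device.

```python
"""Passive TLS ClientHello inventory (added example, not from the thread): sort
captured ClientHellos into TLS 1.3-capable vs. TLS 1.2-only and note status_request."""
import struct
from collections import Counter

EXT_STATUS_REQUEST = 0x0005      # RFC 6066 status_request (OCSP stapling)
EXT_SUPPORTED_VERSIONS = 0x002B  # RFC 8446 supported_versions
TLS12, TLS13 = 0x0303, 0x0304

class ParseError(ValueError):
    """Truncated or malformed input; raised instead of reading past the buffer."""

class _Cursor:
    """Bounds-checked reader over a bytes buffer."""
    def __init__(self, buf):
        self.buf, self.pos = buf, 0
    def take(self, n):
        if self.pos + n > len(self.buf):
            raise ParseError(f"truncated: need {n} bytes at offset {self.pos}")
        out = self.buf[self.pos:self.pos + n]
        self.pos += n
        return out
    def uint(self, width):  # big-endian unsigned integer of 1, 2 or 3 bytes
        return int.from_bytes(self.take(width), "big")
    def done(self):
        return self.pos == len(self.buf)

def parse_client_hello(record: bytes) -> dict:
    """Parse one TLSPlaintext record carrying a single ClientHello handshake message."""
    rec = _Cursor(record)
    if rec.uint(1) != 0x16:
        raise ParseError("not a handshake record")
    rec.take(2)                              # record-layer version, carries no information
    hs = _Cursor(rec.take(rec.uint(2)))
    if hs.uint(1) != 0x01:
        raise ParseError("not a ClientHello")
    body = _Cursor(hs.take(hs.uint(3)))
    if not hs.done():
        raise ParseError("trailing bytes after ClientHello")
    legacy_version = body.uint(2)
    body.take(32)                            # random
    body.take(body.uint(1))                  # legacy_session_id
    cs = body.take(body.uint(2))
    if not cs or len(cs) % 2:
        raise ParseError("bad cipher_suites length")
    body.take(body.uint(1))                  # legacy_compression_methods
    extensions = {}
    if not body.done():                      # extensions are optional before TLS 1.3
        exts = _Cursor(body.take(body.uint(2)))
        if not body.done():
            raise ParseError("trailing bytes after extensions")
        while not exts.done():
            etype = exts.uint(2)
            if etype in extensions:
                raise ParseError(f"duplicate extension {etype:#06x}")
            extensions[etype] = exts.take(exts.uint(2))
    offered = [legacy_version]               # a pre-1.3 client states its maximum here
    if EXT_SUPPORTED_VERSIONS in extensions:  # a 1.3 client lists its versions here instead
        sv = _Cursor(extensions[EXT_SUPPORTED_VERSIONS])
        lst = sv.take(sv.uint(1))
        if not lst or len(lst) % 2 or not sv.done():
            raise ParseError("malformed supported_versions")
        offered = [int.from_bytes(lst[i:i + 2], "big") for i in range(0, len(lst), 2)]
    return {"legacy_version": legacy_version, "extensions": extensions,
            "cipher_suites": [int.from_bytes(cs[i:i + 2], "big") for i in range(0, len(cs), 2)],
            "offered_versions": offered}

def classify(record: bytes) -> tuple:
    """Return (bucket, sends_status_request) for one captured ClientHello."""
    info = parse_client_hello(record)
    if TLS13 in info["offered_versions"]:
        bucket = "tls13-capable"
    elif max(info["offered_versions"]) == TLS12:
        bucket = "tls12-only"
    else:
        bucket = "pre-tls12"
    return bucket, EXT_STATUS_REQUEST in info["extensions"]

def inventory(records) -> Counter:
    """Count ClientHellos per bucket; unparseable records are counted, not silently dropped."""
    counts = Counter()
    for rec in records:
        try:
            counts[classify(rec)[0]] += 1
        except ParseError:
            counts["malformed"] += 1
    return counts

def build_client_hello(versions, request_ocsp: bool) -> bytes:
    """Constructed sample, not a real capture: zero random, empty session id,
    TLS_AES_128_GCM_SHA256 and TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256."""
    exts = b""
    if versions is not None:
        vs = b"".join(struct.pack(">H", v) for v in versions)
        exts += struct.pack(">HHB", EXT_SUPPORTED_VERSIONS, len(vs) + 1, len(vs)) + vs
    if request_ocsp:  # status_type=ocsp(1), empty responder_id_list and request_extensions
        exts += struct.pack(">HH", EXT_STATUS_REQUEST, 5) + b"\x01\x00\x00\x00\x00"
    body = struct.pack(">H32sBH", TLS12, bytes(32), 0, 4) + struct.pack(">HH", 0x1301, 0xC02F) + b"\x01\x00"
    if exts:
        body += struct.pack(">H", len(exts)) + exts
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack(">H", len(hs)) + hs
```

Feed inventory() the raw bytes of each ClientHello record (for instance extracted from a packet capture on a passive tap); the bucket counts say how many fielded devices still only offer TLS 1.2. A tls12-only device that never sends status_request is one whose stack, not just its configuration, needs attention before an OCSP stapling requirement of the kind Hannes mentions could be met.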
 
-----Original Message-----
From: TLS <tls-bounces@ietf.org> On Behalf Of Loganaden Velvindron
Sent: Tuesday, 12 December 2023 06:17
To: Peter Gutmann <pgut001@cs.auckland.ac.nz>
Cc: tls@ietf.org
Subject: Re: [TLS] Adoption call for 'TLS 1.2 Feature Freeze'

Peter,

I'm curious. Are those embedded devices or IoT type of appliances where the firmware has a TLS library that will never be updated?


On Tue, 12 Dec 2023 at 05:30, Peter Gutmann <pgut001@cs.auckland.ac.nz> wrote:
>
> Rob Sayre <sayrer@gmail.com> writes:
>
> >>Given that TLS 1.2 will be around for quite some time
> >Not clear.
>
> Absolutely clear.  I work with stuff with 20-30 year deployment and 
> life cycles.  I'm fairly certain TLS 1.2 will still be around when the 
> WebTLS world is debating the merits of TLS 1.64 vs. TLS 1.65.
>
> (This is also why the TLS-LTS draft was created, BTW).
>
> Peter.
>
>
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls
