[TLS] Re: Ketan Talaulikar's No Objection on draft-ietf-tls-tls12-frozen-07: (with COMMENT)
Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com> Tue, 10 June 2025 10:36 UTC
From: Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>
Date: Tue, 10 Jun 2025 06:36:29 -0400
Message-Id: <7B57B6F2-2843-47A5-9F9F-7FA0163B20C7@gmail.com>
References: <CABcZeBNd+L0N3gcXBOPwN-E-e68QDb5G1SDCTHMKCG=PkWmiBg@mail.gmail.com>
In-Reply-To: <CABcZeBNd+L0N3gcXBOPwN-E-e68QDb5G1SDCTHMKCG=PkWmiBg@mail.gmail.com>
To: Eric Rescorla <ekr@rtfm.com>
CC: Edward Arano <edward.arano=40bofa.com@dmarc.ietf.org>, tls@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/ueC1jwK7gItpTBGKNPDn5TX20d8>
On Jun 7, 2025, at 12:47 PM, Eric Rescorla <ekr@rtfm.com> wrote:
> Eric Rescorla <ekr@rtfm.com> writes:
>
> >Under the assumption you mean "our customers", then those people are probably
> >coming in via a Web browser. All modern Web browsers support TLS 1.3. If
> >someone is coming in via a browser which doesn't support TLS 1.3, then it's
> >because that browser isn't being updated, which means that it wouldn't get
> >some hypothetical TLS 1.2 PQC update even if one existed.
>
> And here again we have the standard TLS WG position that nothing exists
> outside the web. Perhaps the group should be renamed to "TLS for the Web"
> just to make it clear that that's the only thing that gets any consideration
> here - there's not even any acknowledgement in the above that anything outside
> the web exists.

Peter,
I don't think this is really a good faith reading of my message.
For those following along at home, here's the entire context, with
Edward's message and my response.
> > Here is the problem > say all our external endpoints are
> > communicating via TLS 1.3 ;our clients (which most of the times we
> > will not have control over) will need TLS 1.3 > if the client
> > doesn’t have tls 1.3 our communication will need to negotiate
> > /communicate with a lower protocol 1.2 perhaps? If TLS 1.2 received
> > the new PQC algorithms then it will create less havoc on many
> > organizations just trying to communicate securely
>
> I'm not quite sure what you mean by "our clients" here. Are you talking
> about people or software? Under the assumption you mean "our customers",
> then those people are probably coming in via a Web browser. All modern
> Web browsers support TLS 1.3. If someone is coming in via a browser which
> doesn't support TLS 1.3, then it's because that browser isn't being updated,
> which means that it wouldn't get some hypothetical TLS 1.2 PQC update
> even if one existed.
So the context for my message is the following category of
endpoints:
our clients (which most of the times we will not have control over)
This is a somewhat clearly unspecified set, and in the first sentence
(which you trimmed for some reason), I explicitly express some concern
about this ambiguity. As is clear from this sentence and the
next sentence where I say "Under the assumption", I'm trying to give it
a clear meaning, in this case that he means the customers. A bank's
retail customers typically talk to a bank via one of two mechanisms:
- The bank's app (which the bank *does* control, and so won't have
the issue raised here)
- The Web
Commercial customers may well come in through some other kind of
client, though I imagine they also use the Web a lot, hence
*probably*. I don't think any of this reveals some kind of attitude
that the Web is the only thing that matters, merely a recognition
that in *this* scenario it's in fact the main modality. Looking
backwards, it would have been good to more explicitly acknowledge
the app case, but of course from a technical perspective, those
are probably just Web APIs.
I'm of course aware that banks have partners they communicate with
and various kinds of partners via all sorts of non-Web mechanisms,
but, as above, the scope of this discussion is "clients".
> not even any acknowledgement in the above that anything outside
> the web exists.
And of course this is just false, as the word "probably" explicitly
acknowledges that there might be some other mechanism.
-Ekr
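The practical question underneath this exchange is which of "our clients" actually fail to negotiate TLS 1.3, and whether they are browsers, apps or some other software. The script below is an added example and is not part of any message in this thread or of the draft under discussion. It assumes the operator has extended the server access log with the negotiated protocol and cipher (with Apache mod_ssl that is a LogFormat using %{SSL_PROTOCOL}x and %{SSL_CIPHER}x; nginx has equivalent variables) in the simple "ip protocol cipher "user-agent"" layout shown; the log lines themselves are constructed for the example, and the forward-secrecy check is a heuristic on OpenSSL-style suite names.

```python
"""Inventory the clients that still stop at TLS 1.2 against a server.

Added example, not from the thread. Log layout and sample lines are
constructed; adjust LINE_RE to whatever your LogFormat emits.
"""
import re
from collections import defaultdict

# Constructed sample lines: "<ip> <protocol> <cipher> "<user-agent>"".
SAMPLE_LOG = """\
203.0.113.10 TLSv1.3 TLS_AES_128_GCM_SHA256 "Mozilla/5.0 (Windows NT 10.0) Firefox/128.0"
203.0.113.11 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 "Mozilla/5.0 (Windows NT 6.1) Chrome/49.0"
198.51.100.7 TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 "Java/1.8.0_191"
198.51.100.8 TLSv1.3 TLS_AES_256_GCM_SHA384 "BankApp/4.2 (iOS 17)"
192.0.2.5 TLSv1.2 AES128-SHA "curl/7.29.0"
198.51.100.7 TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 "Java/1.8.0_191"
this line is malformed and is skipped
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) (?P<proto>TLSv[0-9.]+) (?P<cipher>\S+) "(?P<ua>[^"]*)"$'
)


def parse_log(text):
    """Yield one dict per well-formed line; malformed lines are skipped, not fatal."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def is_forward_secret(proto, cipher):
    """TLS 1.3 suites always use an (EC)DHE exchange. For TLS 1.2 this relies
    on the OpenSSL suite name carrying an ECDHE-/DHE- prefix (heuristic)."""
    if proto == "TLSv1.3":
        return True
    return cipher.startswith(("ECDHE-", "DHE-"))


def tls13_share(text):
    """Return (connections that negotiated TLS 1.3, total parsed connections)."""
    rows = list(parse_log(text))
    return sum(r["proto"] == "TLSv1.3" for r in rows), len(rows)


def legacy_clients(text):
    """Group every connection that did NOT reach TLS 1.3 by User-Agent.

    Result: {user_agent: {"count": int, "ips": sorted list,
                          "forward_secret": bool across all its connections}}
    This is the inventory needed before deciding whether the TLS 1.2-only
    population is browsers, first-party apps, or partner software.
    """
    groups = defaultdict(lambda: {"count": 0, "ips": set(), "forward_secret": True})
    for r in parse_log(text):
        if r["proto"] == "TLSv1.3":
            continue
        g = groups[r["ua"]]
        g["count"] += 1
        g["ips"].add(r["ip"])
        g["forward_secret"] &= is_forward_secret(r["proto"], r["cipher"])
    return {ua: {**g, "ips": sorted(g["ips"])} for ua, g in groups.items()}


if __name__ == "__main__":
    done, total = tls13_share(SAMPLE_LOG)
    print(f"TLS 1.3: {done}/{total} connections")
    for ua, g in legacy_clients(SAMPLE_LOG).items():
        fs = "" if g["forward_secret"] else "  [no forward secrecy]"
        print(f"{g['count']:3d}  {ua}  from {', '.join(g['ips'])}{fs}")
```

Run it against a real day of logs and the User-Agent grouping answers the question the thread argues about in the abstract: an old browser string points at the "not being updated" case, while a Java or curl string points at software the organisation can usually identify and contact. The forward-secrecy flag is there because a TLS 1.2 client on a static-RSA suite is a separate, more urgent finding than one on ECDHE.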