Re: [TLS] Deprecating TLS 1.0, 1.1 and SHA1 signature algorithms

Andrei Popov <Andrei.Popov@microsoft.com> Tue, 12 January 2016 00:38 UTC

Return-Path: <Andrei.Popov@microsoft.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4FBD91ACCC7 for <tls@ietfa.amsl.com>; Mon, 11 Jan 2016 16:38:26 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.002
X-Spam-Level:
X-Spam-Status: No, score=-2.002 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id E16i83eVn4Mo for <tls@ietfa.amsl.com>; Mon, 11 Jan 2016 16:38:22 -0800 (PST)
Received: from na01-bn1-obe.outbound.protection.outlook.com (mail-bn1on0706.outbound.protection.outlook.com [IPv6:2a01:111:f400:fc10::706]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id F406E1ACC92 for <tls@ietf.org>; Mon, 11 Jan 2016 16:38:21 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=selector1; h=From:To:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=LC/k+zp4XvUblv2LdGLO3L08RvSgDjxJOzRknfkDBTk=; b=UuHE0FHKE1CWKwM3vvR0DklZ1OUkDwgUfBNLVq7beKintH+Pjlp0Y2ZJ8TCcG1BE7LB4xnxfdHlDv8GGKusmtMkE/srbqiS73I6rrJt1MYQ98H+JnbUOJThOSzo053/1UuN6Q182P2ma8hWSkXbQWpM7z6fIbelDYOJ/DX469gc=
Received: from BLUPR03MB1396.namprd03.prod.outlook.com (10.163.81.142) by BLUPR03MB1395.namprd03.prod.outlook.com (10.163.81.141) with Microsoft SMTP Server (TLS) id 15.1.361.13; Tue, 12 Jan 2016 00:38:02 +0000
Received: from BLUPR03MB1396.namprd03.prod.outlook.com ([10.163.81.142]) by BLUPR03MB1396.namprd03.prod.outlook.com ([10.163.81.142]) with mapi id 15.01.0361.006; Tue, 12 Jan 2016 00:38:02 +0000
From: Andrei Popov <Andrei.Popov@microsoft.com>
To: Martin Thomson <martin.thomson@gmail.com>, Kurt Roeckx <kurt@roeckx.be>
Thread-Topic: [TLS] Deprecating TLS 1.0, 1.1 and SHA1 signature algorithms
Thread-Index: AQHRTJ4m/d32IOQTx0qUA0UaDUeUnZ73CGWAgAAAkdA=
Date: Tue, 12 Jan 2016 00:38:02 +0000
Message-ID: <BLUPR03MB1396949156F4CEE5BE9DDD018CCA0@BLUPR03MB1396.namprd03.prod.outlook.com>
References: <20160111183017.GA12243@roeckx.be> <CABkgnnVXF8UB91vH6PUmCxv950mVeUEwyOenCFhnqwTZpzPtHg@mail.gmail.com>
In-Reply-To: <CABkgnnVXF8UB91vH6PUmCxv950mVeUEwyOenCFhnqwTZpzPtHg@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=Andrei.Popov@microsoft.com;
x-originating-ip: [2001:4898:80e8:8::1d2]
x-microsoft-exchange-diagnostics: 1; BLUPR03MB1395; 5:ZTTKhovkKs/DCPpmm3qJ5/K90Sdvv/uOZKv9QVQQK0g3xMA4j8wDmR/HAmzOzSu4cdxhYc0BZ7avgPMzlW/E0y9Q3bUO8CO91Bj6xcRwM/7Y1Axz/BkpTOfl2ePhqIqEia69nxxWFeVWjRkfDErwsQ==; 24:8g35hBEV0bo4glvnHe1G3puT/4EDAOqwWNTro3mW3PE8fROGAZmvru0uJZZ9ca/JobZ5MhnxpcT95t/DVA38eKiA+upRfbvDX3QgD5kJjdc=
x-microsoft-antispam: UriScan:;BCL:0;PCL:0;RULEID:;SRVR:BLUPR03MB1395;
x-ms-office365-filtering-correlation-id: aa541afe-be06-49f4-00a1-08d31ae8a128
x-microsoft-antispam-prvs: <BLUPR03MB1395FFFDC22256C20A4630FC8CCA0@BLUPR03MB1395.namprd03.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:(189930954265078);
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(61425038)(601004)(2401047)(5005006)(520078)(8121501046)(10201501046)(3002001)(61426038)(61427038); SRVR:BLUPR03MB1395; BCL:0; PCL:0; RULEID:; SRVR:BLUPR03MB1395;
x-forefront-prvs: 081904387B
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(6009001)(13464003)(199003)(377454003)(24454002)(189002)(5001960100002)(106116001)(11100500001)(8990500004)(4326007)(5003600100002)(99286002)(5004730100002)(77096005)(33656002)(2950100001)(19580395003)(10090500001)(1096002)(86362001)(2900100001)(50986999)(2906002)(19580405001)(5008740100001)(6116002)(101416001)(15975445007)(86612001)(122556002)(97736004)(87936001)(81156007)(74316001)(5002640100001)(105586002)(1220700001)(92566002)(40100003)(106356001)(10290500002)(5001770100001)(586003)(189998001)(76576001)(10400500002)(76176999)(54356999)(102836003)(5005710100001)(3826002); DIR:OUT; SFP:1102; SCL:1; SRVR:BLUPR03MB1395; H:BLUPR03MB1396.namprd03.prod.outlook.com; FPR:; SPF:None; PTR:InfoNoRecords; A:1; MX:1; LANG:en;
received-spf: None (protection.outlook.com: microsoft.com does not designate permitted sender hosts)
spamdiagnosticoutput: 1:23
spamdiagnosticmetadata: NSPM
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginatorOrg: microsoft.com
X-MS-Exchange-CrossTenant-originalarrivaltime: 12 Jan 2016 00:38:02.7235 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 72f988bf-86f1-41af-91ab-2d7cd011db47
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BLUPR03MB1395
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/uqj58qr27disGPPK8_pOZ9PTNoI>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Deprecating TLS 1.0, 1.1 and SHA1 signature algorithms
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 12 Jan 2016 00:38:26 -0000

Yes, our telemetry shows the same. The use of TLS 1.2 increases and the use of TLS 1.0 goes down, but it will likely be a while before we can disable TLS 1.0 by default in Windows.

Cheers,

Andrei

-----Original Message-----
From: TLS [mailto:tls-bounces@ietf.org] On Behalf Of Martin Thomson
Sent: Monday, January 11, 2016 4:33 PM
To: Kurt Roeckx <kurt@roeckx.be>;
Cc: tls@ietf.org
Subject: Re: [TLS] Deprecating TLS 1.0, 1.1 and SHA1 signature algorithms

On 12 January 2016 at 05:30, Kurt Roeckx <kurt@roeckx.be>; wrote:
> After the SLOTH paper, we should think about starting to deprecate TLS 
> 1.0 and TLS 1.1 and the SHA1 based signature algorithms in TLS 1.2.


Let's be clear about this: TLS 1.0 represents far too high a
proportion of our usage to remove it at this point.  TLS 1.2 growth is
still solid, but it really isn't that long ago that we turned on TLS
1.2.

The encouragement we give people to upgrade will remain our best
option until TLS 1.0 usage drops an awful lot.

_______________________________________________
TLS mailing list
TLS@ietf.org
https://na01.safelinks.protection.outlook.com/?url=https%3a%2f%2fwww.ietf.org%2fmailman%2flistinfo%2ftls&data=01%7c01%7cAndrei.Popov%40microsoft.com%7c6fb3e54eee074bb130fc08d31ae7f945%7c72f988bf86f141af91ab2d7cd011db47%7c1&sdata=1VqipRFwf5mpoYunrkaM3Uy%2f22nZWtMGg5m27W72aBU%3d