Re: [TLS] Deprecating TLS 1.0, 1.1 and SHA1 signature algorithms
Andrei Popov <Andrei.Popov@microsoft.com> Tue, 12 January 2016 00:38 UTC
From: Andrei Popov <Andrei.Popov@microsoft.com>
To: Martin Thomson <martin.thomson@gmail.com>, Kurt Roeckx <kurt@roeckx.be>
Date: Tue, 12 Jan 2016 00:38:02 +0000
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/uqj58qr27disGPPK8_pOZ9PTNoI>
Cc: "tls@ietf.org" <tls@ietf.org>

Yes, our telemetry shows the same. The use of TLS 1.2 increases and the use of TLS 1.0 goes down, but it will likely be a while before we can disable TLS 1.0 by default in Windows.

Cheers,

Andrei

-----Original Message-----
From: TLS [mailto:tls-bounces@ietf.org] On Behalf Of Martin Thomson
Sent: Monday, January 11, 2016 4:33 PM
To: Kurt Roeckx <kurt@roeckx.be>
Cc: tls@ietf.org
Subject: Re: [TLS] Deprecating TLS 1.0, 1.1 and SHA1 signature algorithms

On 12 January 2016 at 05:30, Kurt Roeckx <kurt@roeckx.be> wrote:
> After the SLOTH paper, we should think about starting to deprecate TLS
> 1.0 and TLS 1.1 and the SHA1 based signature algorithms in TLS 1.2.

Let's be clear about this: TLS 1.0 represents far too high a proportion of our usage to remove it at this point. TLS 1.2 growth is still solid, but it really isn't that long ago that we turned on TLS 1.2. The encouragement we give people to upgrade will remain our best option until TLS 1.0 usage drops an awful lot.