Re: [TLS] [Last-Call] Last Call: <draft-ietf-tls-oldversions-deprecate-09.txt> (Deprecating TLSv1.0 and TLSv1.1) to Best Current Practice

Rob Sayre <sayrer@gmail.com> Fri, 04 December 2020 05:32 UTC

In-Reply-To: <DM6PR14MB3178EC0521427BF7C3523CACD7F10@DM6PR14MB3178.namprd14.prod.outlook.com>
From: Rob Sayre <sayrer@gmail.com>
Date: Thu, 3 Dec 2020 21:32:27 -0800
Message-ID: <CAChr6SzvQK+exfgYEwfVNknMjr-Y-UJ4A7k0DkOkL9wmLQ84aQ@mail.gmail.com>
To: "Ackermann, Michael" <MAckermann@bcbsm.com>
Cc: "BRUNGARD, DEBORAH A" <db3546@att.com>, Eliot Lear <lear=40cisco.com@dmarc.ietf.org>, Peter Gutmann <pgut001@cs.auckland.ac.nz>, "STARK, BARBARA H" <bs7652@att.com>, Watson Ladd <watsonbladd@gmail.com>, "draft-ietf-tls-oldversions-deprecate@ietf.org" <draft-ietf-tls-oldversions-deprecate@ietf.org>, "last-call@ietf.org" <last-call@ietf.org>, "tls-chairs@ietf.org" <tls-chairs@ietf.org>, "tls@ietf.org" <tls@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/vlLvD3q9npLDn9CcngAmCUx-sOQ>

Hi,

What is the definition of “enterprise”?

Thanks,
Rob

On Thu, Dec 3, 2020 at 7:48 PM Ackermann, Michael <MAckermann@bcbsm.com>
wrote:

> Deborah
>
> Thanks so much for your informative and positive message.
>
> I have not followed the OPs area too much, but will make an effort to do
> so now. Any specific drafts you might suggest, I will review. In
> particular, I am interested in what specific IPv6 document from the OPs
> area you refer to?
>
> I took a look at the ISOC IPv6 doc you listed. Interesting but it
> appears to be quite old. Do you feel it is still relevant? Enterprises
> need a lot of info on IPv6 and I want to point them in the most effective
> directions.
>
> By increasing visibility, do you mean ways to get Enterprises more
> involved or aware of IETF? I can sadly say none that have yet been
> effective, but I do intend to keep trying. Perhaps you have ideas?
>
> And finally, I checked out your Pragmatic Link. Still laughing, even
> though it unfortunately seems to have very little relevance to my world 😊
>
> Once again I really appreciate your constructive comments and
> information.
>
> Mike
>
> -----Original Message-----
> From: BRUNGARD, DEBORAH A <db3546@att.com>
> Sent: Thursday, December 3, 2020 5:10 PM
> To: STARK, BARBARA H <bs7652@att.com>; 'Watson Ladd' <watsonbladd@gmail.com>; Ackermann, Michael <MAckermann@bcbsm.com>
> Cc: 'Peter Gutmann' <pgut001@cs.auckland.ac.nz>; 'Eliot Lear' <lear=40cisco.com@dmarc.ietf.org>; 'last-call@ietf.org' <last-call@ietf.org>; 'tls-chairs@ietf.org' <tls-chairs@ietf.org>; 'draft-ietf-tls-oldversions-deprecate@ietf.org' <draft-ietf-tls-oldversions-deprecate@ietf.org>; 'tls@ietf.org' <tls@ietf.org>
> Subject: RE: [Last-Call] [TLS] Last Call:
> <draft-ietf-tls-oldversions-deprecate-09.txt> (Deprecating TLSv1.0 and
> TLSv1.1) to Best Current Practice
>
> As Barbara builds her confidence for the IETF list and while we have
> Mike's attention-
>
> Mike, you commented "More, it is a lack of understanding of how things
> work within Enterprise Networks and the lack of Enterprise engagement in
> Standards Development processes. And finally, this may not be a gap that
> the IETF should care about or address, but someone should, IMHO."
>
> I wanted to +1 on to Barbara's message - many of us will say - "we do
> care". As IETF is "huge" (for many operators/users that is the biggest
> bottleneck on participating), not sure if you follow the ops area (I'm a
> routing AD, but ops always has my attention😊), they have several
> documents on enterprises. Currently a document on the impact of TLS1.3 on
> operational network security practices. They also have an IPv6 one. I think
> in all the Areas (I know best the routing area), we encourage operators and
> users to participate. If you have suggestions - we are interested.
>
> How to increase visibility? Do you have suggestions? Liaisons? ISOC? When
> RFC7381 (Enterprise IPv6) was done, it was an ISOC blog:
> https://www.internetsociety.org/blog/2014/10/new-rfc-7381-enterprise-ipv6-deployment-guidelines/
>
> Possibly this draft should be a blog? Suggestions?
>
> Thanks again for the interesting thread- Deborah for some humor - I'm
> still stumbling on the draft's requirement "Pragmatically, clients MUST NOT
> send". I'm not sure operationally how to ensure pragmatic client behavior -
> maybe a "pragmatic client" profile😊 I'll save that question for my
> ballot comment. And of course a google of pragmatic is very entertaining:
> https://www.google.com/search?q=pragmatic&tbm=isch&source=iu&ictx=1&fir=UnkLahjDGGZYtM%252C2VmBAP_98FtW_M%252C%252Fm%252F0c6h9&vet=1&usg=AI4_-kQHPVOk9B-3gfzcXUP1bBCiuOQ5TQ&sa=X&ved=2ahUKEwjxqN-W1rLtAhXKhK0KHWuFBGYQ_B16BAgrEAE#imgrc=WzKrFQWEFvjiWM
>
> -----Original Message-----
> From: last-call <last-call-bounces@ietf.org> On Behalf Of STARK, BARBARA H
> Sent: Thursday, December 3, 2020 12:03 PM
> To: 'Watson Ladd' <watsonbladd@gmail.com>; 'Ackermann, Michael' <MAckermann@bcbsm.com>
> Cc: 'Peter Gutmann' <pgut001@cs.auckland.ac.nz>; 'Eliot Lear' <lear=40cisco.com@dmarc.ietf.org>; 'last-call@ietf.org' <last-call@ietf.org>; 'tls-chairs@ietf.org' <tls-chairs@ietf.org>; 'draft-ietf-tls-oldversions-deprecate@ietf.org' <draft-ietf-tls-oldversions-deprecate@ietf.org>; 'tls@ietf.org' <tls@ietf.org>
> Subject: Re: [Last-Call] [TLS] Last Call:
> <draft-ietf-tls-oldversions-deprecate-09.txt> (Deprecating TLSv1.0 and
> TLSv1.1) to Best Current Practice
>
> Ow! Mike is my friend. Don't go dissing my friend!
>
> I think the problem in communication we've just experienced is because
> Mike strayed away from Last Call discussion on a specific document, to
> asking/discussing a more general question of how IETF can better
> communicate with enterprises and perhaps even engage with enterprises to
> make it easier to operationalize protocols inside enterprise networks. I
> didn't see Mike suggesting any changes to the draft in Last Call, relevant
> to this question. ?
>
> I'd like to suggest that maybe we could discuss this a little more on the
> ietf list? But not here.
>
> I'll see what happens if I start a thread over there (ietf@ietf.org) ...
>
> Barbara
>
> [Let me drum up my courage first. Thinking about posting to that list is
> much more stressful to me than, for example, thinking about bungee jumping
> off the Macau Tower -- an experience I highly recommend.]
>
> > > Barbara,
> > > Thanks.
> > > And I think I was aware of all you state below regarding TLS, and
> > > apologize for any related confusion regarding IPv6, even though, for the
> > > purposes of my comment, they are similar.
> > >
> > > I don't disagree with anything you say on the TLS subject, which is
> > > essentially that prior versions of TLS may be considered insecure,
> > > etc. and should be deprecated.....
> >
> > Shouldn't we publish a document saying that? It seems this would
> > represent consensus, even your view of the issue.
> >
> > > My associated point is that Enterprises are generally not aware of
> > > this and that it is not currently on our Planning or Budget Radars.
> >
> > TLS 1.2 has been around for how many years? All versions of OpenSSL
> > without support have been EOL for some time. How many other CVE remain
> > to be found in them? FIPS, PCI etc are all very clear that old TLS is
> > going away. Browsers have supported TLS 1.2 for years. So has Windows.
> > This deprecation should be easy given the extent of support for TLS
> > 1.2.
> >
> > I bet that most services you run are already using TLS 1.2 or even 1.3
> > because the client and server have been updated.
> >
> > > Further, this means we are potentially years from effectively and
> > > operationally addressing such issues.
> >
> > Let's be about it.
> >
> > > And we must do so in conjunction with Partners, Clouds, Clients
> > > and others.
> > > And my general, overall point is that the answer to addressing the
> > > above is to find way(s) of making Enterprises aware and possibly
> > > assisting with methods of addressing. I think I also said this problem
> > > is not unique to TLS or IPv6. More, it is a lack of understanding of
> > > how things work within Enterprise Networks and the lack of Enterprise
> > > engagement in Standards Development processes.
> > > And finally, this may not be a gap that the IETF should care about
> > > or address, but someone should, IMHO.
> >
> > Your argument against the current text seems to be the following: we
> > have a problem. It is inconvenient for me that you will ask me to deal
> > with the problem. Therefore I would like the problem to not be
> > acknowledged.
> >
> > Perhaps I am being too uncharitable. But I fail to see how softening
> > the language eases deprecation, or what the consequences you fear
> > happening are. You're free to continue ignoring the RFC series. But
> > reality does not go away if it is ignored.
> >
> > Sincerely,
> > Watson Ladd
> >
> > > Thanks
> > > Mike
>