Re: [TLS] WGLC for "Deprecating TLSv1.0 and TLSv1.1"
Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com> Thu, 02 May 2019 17:05 UTC
Return-Path: <kathleen.moriarty.ietf@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1D1E61204DA for <tls@ietfa.amsl.com>; Thu, 2 May 2019 10:05:09 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level:
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1IMwobd1Oh7P for <tls@ietfa.amsl.com>; Thu, 2 May 2019 10:05:07 -0700 (PDT)
Received: from mail-oi1-x22d.google.com (mail-oi1-x22d.google.com [IPv6:2607:f8b0:4864:20::22d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 28CD21204D6 for <tls@ietf.org>; Thu, 2 May 2019 10:05:07 -0700 (PDT)
Received: by mail-oi1-x22d.google.com with SMTP id d62so2201436oib.13 for <tls@ietf.org>; Thu, 02 May 2019 10:05:07 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to; bh=utyhgNUFSF5RTkg/isG3nZLo0RIUA4tX8SybytjcVMs=; b=dImlWoWTxmZWQ88t7ORrkVKYmcgb311PRGuxTIyu5Hy8lCT4AE5GvqFrwR3uxs0sP5 uvNFsdPkYSpaUQE8WWK59/fj7FaWOSnMAuLHGjCSgaSNaoHFZmSxkyGGJ1pCgwYRYCUs v7XrZ7ONBo/PSQUo1z+vAu7GVdyohlYeoDc4Bi+n5RsfjyxZFvFWbBv0+pYhMmM+2B8f 6q0sBp5lU4nuKbhS5R+4ZZrlaVcZSxln3WujGok3Tj6QNzEu8jSq1lRjCewh+OKz559o 8nISoHltidgy5D+bBEcVVn1YjIRaE9gniX25dGD78T1GK2/unfnL3M0feKQ5v5mnoCAk tApg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to; bh=utyhgNUFSF5RTkg/isG3nZLo0RIUA4tX8SybytjcVMs=; b=SB776g49zhen4qA25ii03sDSkCB4mUYPjeqeQqK8MR+87YVNiaOvcmsIHok5pO53GV 40KmxKfWO2GvI296JNvgLZwBMO4Xei98DZpK6im9NJiuiBH7gNwQGlzephVVq5Al4anC HNuXSARvJVcbjdamePwd+kR4pJKsSOhmMkpdC8evX5QAnYi04YjxZRcsjU+rpPcSM0ge aEFqAO3vjNuvIb5H4i2hQN+2vR8Smpzf2Jl4/cvoj914kNwrXfx7ZS7FX3baA1DUW3OE nKNH6zqNmh1eNLyADWfyY2P382sLqVPaovEof1V9O9WxxTH4Rr9hZIHL92RsaXi5LcQG IO2Q==
X-Gm-Message-State: APjAAAXxMFKySZQQfndw7i8FTO2Edzf2yhV5rPB9oki4MaRNhbbIoAuj kZMWEkgDjTgJsNdhga5J0Km/UgEt0t+ZOox1TdGDbBc4
X-Google-Smtp-Source: APXvYqzE/EBZ0ZsKJMQ+GokI3pkqE/e23WZRM1fqTCrl7fmvh9olra93qS3CSr+CLbQ8tCxl0ulox67VS9rHyJ8WYpw=
X-Received: by 2002:aca:3e56:: with SMTP id l83mr3000131oia.111.1556816706282; Thu, 02 May 2019 10:05:06 -0700 (PDT)
MIME-Version: 1.0
References: <28511b10-8f6a-4394-95a9-5188130f7b58@www.fastmail.com> <2EF7433E-DB94-497F-80D7-2A060097261B@dukhovni.org> <CADZyTkkJ63uq-Uukp00XAn+vFs6JtsNXF7stK=wbJpOvNBSs9g@mail.gmail.com> <5C3C015B-88B9-4502-861B-C59120B2F151@akamai.com> <D08B793B-3FE2-48A1-8ADD-C55C47300683@dukhovni.org>
In-Reply-To: <D08B793B-3FE2-48A1-8ADD-C55C47300683@dukhovni.org>
From: Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>
Date: Thu, 02 May 2019 13:04:29 -0400
Message-ID: <CAHbuEH5rktvBSKFbYQUMEVu3cvOeJFPZnNZYx0gYVW3VCg_WGA@mail.gmail.com>
To: IETF TLS WG <tls@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000c22ac40587eaa2c2"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/xDG4VabW2msvdRDqgg31DtDmgrk>
Subject: Re: [TLS] WGLC for "Deprecating TLSv1.0 and TLSv1.1"
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 02 May 2019 17:05:09 -0000
On Fri, Apr 26, 2019 at 5:29 PM Viktor Dukhovni <ietf-dane@dukhovni.org> wrote: > > On Apr 26, 2019, at 11:24 AM, Salz, Rich <rsalz@akamai.com> wrote: > > > > If they haven’t already moved off TLS 1 then maybe this document will > give the right people a push to do so. > > > > Nobody is going to arrest an MTA for non compliance. > > Of course. > > And as I said, I'd like to see the document move forward, I just > wanted to see whether there was any appetite for adding some > operator guidance. It's not an issue of internet policing, > rather it is a question of whether there should advice for > operators who are considering disabling the legacy protocols. > > The sound-bite version is: first raise the ceiling, *then* the floor. > > The advice would therefore be for everyone to first make sure that > their systems support at least TLS 1.2, and not just the now deprecated > versions. And then check whether the same holds true for their application > ecosystem and if so disable the protocols at that time. > > In unauthenticated opportunistic TLS where cleartext is used when TLS > handshakes fail, removing support for TLS 1.0 can reduce security in the > short term (some messages needlessly going in cleartext). Yes, this may > be what it takes to finally get the long tail procrastinators to upgrade. > > The operational question then boils down to timing: when is your > application > ecosystem ready to drop the training wheels. > > Anyway, it does not look like there's much interest in adding operational > considerations, which users will then perhaps learn about elsewhere if > need be. That's fine... > Thanks for your follow up assessment on this from the WG. It seems we are in agreement. I appreciate your review, consideration, and attention to deployment statistics for this move. Best regards, Kathleen > > -- > Viktor. > > _______________________________________________ > TLS mailing list > TLS@ietf.org > https://www.ietf.org/mailman/listinfo/tls > -- Best regards, Kathleen
- [TLS] WGLC for "Deprecating TLSv1.0 and TLSv1.1" Christopher Wood
- Re: [TLS] WGLC for "Deprecating TLSv1.0 and TLSv1… Watson Ladd
- Re: [TLS] WGLC for "Deprecating TLSv1.0 and TLSv1… Martin Thomson
- Re: [TLS] WGLC for "Deprecating TLSv1.0 and TLSv1… John Mattsson
- Re: [TLS] WGLC for "Deprecating TLSv1.0 and TLSv1… Maarten Aertsen (NCSC-NL)
- Re: [TLS] WGLC for "Deprecating TLSv1.0 and TLSv1… Stephen Farrell
- Re: [TLS] WGLC for "Deprecating TLSv1.0 and TLSv1… Gary Gapinski
- Re: [TLS] WGLC for "Deprecating TLSv1.0 and TLSv1… Kathleen Moriarty
- Re: [TLS] WGLC for "Deprecating TLSv1.0 and TLSv1… Daniel Migault
- Re: [TLS] WGLC for "Deprecating TLSv1.0 and TLSv1… Viktor Dukhovni
- Re: [TLS] WGLC for "Deprecating TLSv1.0 and TLSv1… Loganaden Velvindron
- Re: [TLS] WGLC for "Deprecating TLSv1.0 and TLSv1… Hubert Kario
- Re: [TLS] WGLC for "Deprecating TLSv1.0 and TLSv1… Töma Gavrichenkov
- Re: [TLS] WGLC for "Deprecating TLSv1.0 and TLSv1… Salz, Rich
- Re: [TLS] WGLC for "Deprecating TLSv1.0 and TLSv1… Viktor Dukhovni
- Re: [TLS] WGLC for "Deprecating TLSv1.0 and TLSv1… Roland Zink
- Re: [TLS] WGLC for "Deprecating TLSv1.0 and TLSv1… Martin Thomson
- Re: [TLS] WGLC for "Deprecating TLSv1.0 and TLSv1… Christopher Wood
- Re: [TLS] WGLC for "Deprecating TLSv1.0 and TLSv1… Viktor Dukhovni
- Re: [TLS] WGLC for "Deprecating TLSv1.0 and TLSv1… Martin Rex
- Re: [TLS] WGLC for "Deprecating TLSv1.0 and TLSv1… Töma Gavrichenkov
- Re: [TLS] WGLC for "Deprecating TLSv1.0 and TLSv1… Kathleen Moriarty
- Re: [TLS] WGLC for "Deprecating TLSv1.0 and TLSv1… Kathleen Moriarty
- Re: [TLS] WGLC for "Deprecating TLSv1.0 and TLSv1… Kathleen Moriarty
- Re: [TLS] WGLC for "Deprecating TLSv1.0 and TLSv1… Kathleen Moriarty
- Re: [TLS] WGLC for "Deprecating TLSv1.0 and TLSv1… Kathleen Moriarty
- Re: [TLS] WGLC for "Deprecating TLSv1.0 and TLSv1… Kathleen Moriarty
- Re: [TLS] WGLC for "Deprecating TLSv1.0 and TLSv1… Martin Thomson
- Re: [TLS] WGLC for "Deprecating TLSv1.0 and TLSv1… Hubert Kario
- Re: [TLS] WGLC for "Deprecating TLSv1.0 and TLSv1… Kathleen Moriarty
- Re: [TLS] WGLC for "Deprecating TLSv1.0 and TLSv1… Martin Rex
- Re: [TLS] WGLC for "Deprecating TLSv1.0 and TLSv1… Hubert Kario
- Re: [TLS] WGLC for "Deprecating TLSv1.0 and TLSv1… Peter Gutmann
- Re: [TLS] WGLC for "Deprecating TLSv1.0 and TLSv1… Benjamin Kaduk
- Re: [TLS] WGLC for "Deprecating TLSv1.0 and TLSv1… Peter Gutmann
- Re: [TLS] WGLC for "Deprecating TLSv1.0 and TLSv1… Viktor Dukhovni
- Re: [TLS] WGLC for "Deprecating TLSv1.0 and TLSv1… Eric Rescorla
- Re: [TLS] WGLC for "Deprecating TLSv1.0 and TLSv1… Kathleen Moriarty
- Re: [TLS] WGLC for "Deprecating TLSv1.0 and TLSv1… Kathleen Moriarty
- Re: [TLS] WGLC for "Deprecating TLSv1.0 and TLSv1… Peter Gutmann
- Re: [TLS] WGLC for "Deprecating TLSv1.0 and TLSv1… Kathleen Moriarty
- Re: [TLS] WGLC for "Deprecating TLSv1.0 and TLSv1… Martin Thomson
- Re: [TLS] WGLC for "Deprecating TLSv1.0 and TLSv1… Hubert Kario
- Re: [TLS] WGLC for "Deprecating TLSv1.0 and TLSv1… Hubert Kario
- Re: [TLS] WGLC for "Deprecating TLSv1.0 and TLSv1… Töma Gavrichenkov
- Re: [TLS] WGLC for "Deprecating TLSv1.0 and TLSv1… Benjamin Kaduk
- Re: [TLS] WGLC for "Deprecating TLSv1.0 and TLSv1… Kathleen Moriarty
- Re: [TLS] WGLC for "Deprecating TLSv1.0 and TLSv1… Blumenthal, Uri - 0553 - MITLL
- Re: [TLS] WGLC for "Deprecating TLSv1.0 and TLSv1… Kathleen Moriarty
- Re: [TLS] WGLC for "Deprecating TLSv1.0 and TLSv1… Viktor Dukhovni
- Re: [TLS] WGLC for "Deprecating TLSv1.0 and TLSv1… Viktor Dukhovni
- Re: [TLS] WGLC for "Deprecating TLSv1.0 and TLSv1… David Benjamin
- Re: [TLS] WGLC for "Deprecating TLSv1.0 and TLSv1… Martin Rex
- Re: [TLS] WGLC for "Deprecating TLSv1.0 and TLSv1… Peter Gutmann
- Re: [TLS] WGLC for "Deprecating TLSv1.0 and TLSv1… Hubert Kario
- Re: [TLS] WGLC for "Deprecating TLSv1.0 and TLSv1… Martin Rex
- Re: [TLS] WGLC for "Deprecating TLSv1.0 and TLSv1… Peter Gutmann
- Re: [TLS] WGLC for "Deprecating TLSv1.0 and TLSv1… Martin Thomson
- Re: [TLS] WGLC for "Deprecating TLSv1.0 and TLSv1… Hubert Kario
- Re: [TLS] WGLC for "Deprecating TLSv1.0 and TLSv1… Martin Rex
- Re: [TLS] WGLC for "Deprecating TLSv1.0 and TLSv1… Peter Gutmann
- Re: [TLS] WGLC for "Deprecating TLSv1.0 and TLSv1… Hubert Kario
- Re: [TLS] WGLC for "Deprecating TLSv1.0 and TLSv1… Martin Rex
- Re: [TLS] WGLC for "Deprecating TLSv1.0 and TLSv1… David Benjamin
- Re: [TLS] WGLC for "Deprecating TLSv1.0 and TLSv1… Kathleen Moriarty
- Re: [TLS] WGLC for "Deprecating TLSv1.0 and TLSv1… Hubert Kario
- Re: [TLS] WGLC for "Deprecating TLSv1.0 and TLSv1… Martin Rex
- Re: [TLS] WGLC for "Deprecating TLSv1.0 and TLSv1… Peter Gutmann
- Re: [TLS] WGLC for "Deprecating TLSv1.0 and TLSv1… Christopher Wood
- Re: [TLS] WGLC for "Deprecating TLSv1.0 and TLSv1… Martin Rex
- Re: [TLS] WGLC for "Deprecating TLSv1.0 and TLSv1… Peter Gutmann