Re: [TLS] Draft minutes for TLS at IETF 108

tom petch <ietfc@btconnect.com> Thu, 13 August 2020 11:33 UTC

Return-Path: <ietfc@btconnect.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 338EF3A0BB3; Thu, 13 Aug 2020 04:33:43 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=btconnect.onmicrosoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id osBR4hQ_rpNS; Thu, 13 Aug 2020 04:33:41 -0700 (PDT)
Received: from EUR04-HE1-obe.outbound.protection.outlook.com (mail-he1eur04on0706.outbound.protection.outlook.com [IPv6:2a01:111:f400:fe0d::706]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E00083A0BAA; Thu, 13 Aug 2020 04:33:40 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=WyQEoqBwJnuunANukdJZaqu93BcSzs2h5F9phufpPc9SpkCAFtnHBagBF5ISYQOZkRkb3lPSZJbIU4x6R33hNirvzwUF+Jk6n6ayJz7h7HUbnHfbeKrrH+Yt+sJrRWY/O2CGTucsU+BdYbJQFjLobfqWZMR2ff4g12UYFpbmAB3+2HNyR5qw5RKTERdQXSaci3nV98ciBmi8NwcJ4Zvsu0bFLZW0JYYJ7ehIxTmJ3usDIQN+xPmBICwYKHd5+JDFFjpOW2q3VqUy4sDQQoTW+2Xcq/xF2sEKyh88sbZrcR3LIkLbfhrKpAVCLCs4s/hFC6JG1LQGgJ3JjvbbB8abmQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=YA6rEu1NAFViAW51DqOJ5hs/NTlit0pg2NuYL8VbrYY=; b=jxX7WxEtrre7bKSxErfhtOMtj2uGAd3ijnUwTseV6o4/q8gWbUEbrpzZKVlCk69yQdwEIsoknOlXtmWtsJrpY/EFYrUTrO4M83CofE8BJYGyBuwHOx71uktsuJYpAvCshjbVxEcaVqvryzrooN1R5Ln47vm/P8UiciDF5902HWcS/Ddj6DnjScr06+1uHHSaDbKRM2JwFcR+7KaDwhK2HDb3LvFAWxvnFsrrlawELWQPWUwWhZB24hMAJy04GxIJoubTCPrxIDOPNK1cE943TNZMceP8BJJNdPjQ7dmy+2f2kV27UtsZ+SOZAhCBbT0VvrufePD1n4YrxpdXuwp4qA==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=btconnect.com; dmarc=pass action=none header.from=btconnect.com; dkim=pass header.d=btconnect.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=btconnect.onmicrosoft.com; s=selector2-btconnect-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=YA6rEu1NAFViAW51DqOJ5hs/NTlit0pg2NuYL8VbrYY=; b=GNw1kL7DU6QYOHeGsJm10r71XxiD5xjVJIQHKmol8B2vEmFynQAmHspJn/yQjxifMM5+8mckpl/VLR36HFC0UxzEc8aY+9LmEDaxPUmr69k5F8NJ/u2uQmgKElNdWJL1cSic9or4WOXAnWa37iL4l6RMBpZ7Jv8gJiG7+9e+pu8=
Received: from AM7PR07MB6248.eurprd07.prod.outlook.com (2603:10a6:20b:134::11) by AM7PR07MB6867.eurprd07.prod.outlook.com (2603:10a6:20b:1be::18) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3305.10; Thu, 13 Aug 2020 11:33:38 +0000
Received: from AM7PR07MB6248.eurprd07.prod.outlook.com ([fe80::b570:437a:db46:400a]) by AM7PR07MB6248.eurprd07.prod.outlook.com ([fe80::b570:437a:db46:400a%9]) with mapi id 15.20.3283.014; Thu, 13 Aug 2020 11:33:38 +0000
From: tom petch <ietfc@btconnect.com>
To: Benjamin Kaduk <bkaduk@akamai.com>
CC: Christopher Wood <caw@heapingbits.net>, "TLS@ietf.org" <TLS@ietf.org>, TLS Chairs <tls-chairs@ietf.org>
Thread-Topic: [TLS] Draft minutes for TLS at IETF 108
Thread-Index: AQHWZPy7jdLuVcrmF0WE7yzSkQ7obqkoTNkAgAEPGSWACd11gIACw9JS
Date: Thu, 13 Aug 2020 11:33:38 +0000
Message-ID: <AM7PR07MB62483161975C90725F73705AA0430@AM7PR07MB6248.eurprd07.prod.outlook.com>
References: <7f7f3878-446c-4f95-9cdd-cde6bb955134@www.fastmail.com> <c8e841ec-1bbf-412b-bb3c-ee8ecc4f1adb@www.fastmail.com> <AM7PR07MB624877C5210063BC88E692EBA04B0@AM7PR07MB6248.eurprd07.prod.outlook.com>, <20200811170601.GH20623@akamai.com>
In-Reply-To: <20200811170601.GH20623@akamai.com>
Accept-Language: en-GB, en-US
Content-Language: en-GB
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: akamai.com; dkim=none (message not signed) header.d=none;akamai.com; dmarc=none action=none header.from=btconnect.com;
x-originating-ip: [81.131.229.35]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 8b61d968-d344-48a3-7d71-08d83f7cb900
x-ms-traffictypediagnostic: AM7PR07MB6867:
x-microsoft-antispam-prvs: <AM7PR07MB68674388C1A154AF4D62D33CA0430@AM7PR07MB6867.eurprd07.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:7691;
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: 2Jvreqa1UqKd6n8PwiM5vr+vRAwL/AjlLJMTNknCcMVt3N6VUVS2fAXu24DwG57FQsiUSO5n3y5JO8kfWcDQn1Sz6raJ5ZoT7SBjYycpEVUViWgJjEZBoNG2DKzy05oxdtxrOrcb2bXBOKCqqm61Fk03wyZxDHt67inv/TDyB/XgnwtuohtIvPxyEzDpdKIJUC/p2umSTtRYWwQmTS8e3vbpj7C0r/eUx9qAmpwsYsbo9ZnJz80QnNtbjiOr25+G6B4+JoH1kG4GYzhMf9rb+9U8UeBpcxFwJGPdzZsp4Hw2wMY0mS88roAtBpSSzuOhX7FOHhq5u16BuVoo7o5G/kno5T6R/oDkACwR+35O2vt/YN6zoMB/PlrpYlc+gPQYZzEbvSjZ+MggLjmXlI4Lxg==
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:AM7PR07MB6248.eurprd07.prod.outlook.com; PTR:; CAT:NONE; SFS:(136003)(366004)(396003)(346002)(376002)(39860400002)(52536014)(8936002)(91956017)(5660300002)(33656002)(86362001)(83380400001)(66574015)(26005)(478600001)(8676002)(6506007)(186003)(6916009)(316002)(64756008)(66946007)(66476007)(66556008)(76116006)(7696005)(66446008)(55016002)(9686003)(966005)(2906002)(54906003)(71200400001)(4326008); DIR:OUT; SFP:1102;
x-ms-exchange-antispam-messagedata: vFy61EAySsSRxQ2Sho7xzVmTORCdaFLkqXzsfuuUKOtZQaC//tC9dbz3a8F02shoItBPiuuoEY1cros2DATls9xjrL8mu+IgXK1Q1RDYsGb67rrNti00UUnLghjj2DbC1TfFShmAcNcnDheCJh7/0H+RqqG4S/yGIwrp2paFpK117yP4OC7SYZ/XvfXnXKxHaK0DuUF1LHHHsYgSqZV5xOA8o0kbqpQ0P71AvbQooxzpDa3WXxEDZAQ7FQA+pq1gaL1sU9PC5fbril8MyfE+N22BSeN+VV/bCNaX4ogfilET1D0AbkRWKepIN6ED8hkvN6fTV1/FUEjwfEfKT2Y96dDygIUXNIoVsJ5ImuG1imtWTWUpNdHEDCb31QgyIHPi7h8T+BGRZoXRqEJjjJBpNIth1umgxcMk7hyM7N7aWS2Etqwst9thUZ5wg/xOMYvVaoqBcqeMX/luFALyL3If31/cZi6fLk3QvuxHK2WY3vMzi7T/TeCagCO5LVbAvgfpVFTCXGsv3kJw7BvbSLjRI4rNo6TAZNw0tFGpeC7vV3t0EG45NwXiSZA0ah00UImylydL/5KwfsTMD8E4xcl9eNCqkoh3Mcb+niKepwtFdoQHBIZnOfb2QPZWEbGDO4YZOMA8Ub8l+6r2SNEcLOIYiw==
x-ms-exchange-transport-forked: True
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginatorOrg: btconnect.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: AM7PR07MB6248.eurprd07.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 8b61d968-d344-48a3-7d71-08d83f7cb900
X-MS-Exchange-CrossTenant-originalarrivaltime: 13 Aug 2020 11:33:38.4002 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: cf8853ed-96e5-465b-9185-806bfe185e30
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: LeYnGVd0HDTcOK61OlJ+EgM98bGlmROWt2IuF8lhBxK2L568RN7EPFOwHVcMaDngNtKaee34k6L/eEDtk7YfAQ==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: AM7PR07MB6867
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/pxCMTUIiOkkMIbWS6ej_eEe939Y>
Subject: Re: [TLS] Draft minutes for TLS at IETF 108
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 13 Aug 2020 11:33:43 -0000

From: Benjamin Kaduk <bkaduk@akamai.com>
Sent: 11 August 2020 18:06

On Wed, Aug 05, 2020 at 10:30:39AM +0000, tom petch wrote:
> From: TLS <tls-bounces@ietf.org> on behalf of Christopher Wood <caw@heapingbits.net>
> Sent: 04 August 2020 19:16
>
> The official minutes are now up:
>
>    https://urldefense.proofpoint.com/v2/url?u=https-3A__datatracker.ietf.org_doc_minutes-2D108-2Dtls_&d=DwICAg&c=96ZbZZcaMF4w0F4jpN6LZg&r=sssDLkeEEBWNIXmTsdpw8TZ3tAJx-Job4p1unc7rOhM&m=bJwecPEDnXCm7Huw2ovjHwHyzCjhyu2kGMG-qijduH0&s=ksaUzUpfyd4LFplcfnjfXdGBN-jTrMiqS2Z1vk_Iftw&e=
>
> <tp>
> What is Benjamin talking about at the end?
>
> It looks as if you are proposing action on all or some RFC that have TLS 1.0 or 1.1 as MTI, related to oldversions-deprecate but that is a guess from reading between the lines and that topic is a live one for me so I would appreciate clarity.

oldversions-deprecate is already taking action on all RFCs that have TLS 1.0 or
1.1 as MTI (there are some 80-odd documents in the Updates: header).  The
particular itesm I was mentioning in the meeting relate to various subsets of
those documents that may need some additional handling on top of the basic
"don't use TLS 1.0/1.1; use 1.2 and 1.3 instead" that is currently the content
of the updates.  Details are at https://mailarchive.ietf.org/arch/msg/tls/K9_uA6m0dD_oQCw-5kAbha-Kq5M/
So:

- RFC 5469 defines DES and IDEA ciphers that are not in TLS 1.2; the
  document as a whole should be historic

- The downgrade-detection SCSV of RFC 7507 is probably in a similar boat

- We should be more clear about "if the document being updated says you
  MUST use TLS 1.0/1.1, that part is removed"
<tp>
Benjamin

This is the bit I could not guess; the rest of the minutes I could guess but your explanation is much easier to understand.  I have been tracking 'diediedie', including the AD review, since it first appeared and more a comment on that for Kathleen and Stephen is that RFC5953 does not get a mention although since it is Obsoleted and the Normative Reference is to RFC4347 then that is a category that does not seem to fit in any of the paragraphs of the I-D;  Obsolete and TLS1.0 yes, Obsolete and DTLS1.0 no. 

RFC6353 I did expect to find; Internet Standard, STD0078, Normative Reference to RFC4347; the Security Considerations of that RFC say 'MUST NOT negotiate SSL 2.0' which might not be considered sufficiently strong for 2020 but how do you update a Standard?

Tom Petch

- No change proposed w.r.t. MTI ciphers (even though the old MTI ciphers
  are no longer considered very good)

Were there additional specific items you were unsure about?

-Ben