Re: [TLS] WGLC for "Deprecating TLSv1.0 and TLSv1.1"

"Christopher Wood" <caw@heapingbits.net> Wed, 05 June 2019 15:20 UTC

Return-Path: <caw@heapingbits.net>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7AA441201B3 for <tls@ietfa.amsl.com>; Wed, 5 Jun 2019 08:20:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Level:
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=heapingbits.net header.b=qFfLNBCA; dkim=pass (2048-bit key) header.d=messagingengine.com header.b=2Qxm7Jt+
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MZhRQ6z7erUC for <tls@ietfa.amsl.com>; Wed, 5 Jun 2019 08:20:36 -0700 (PDT)
Received: from out3-smtp.messagingengine.com (out3-smtp.messagingengine.com [66.111.4.27]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0325912028B for <tls@ietf.org>; Wed, 5 Jun 2019 08:20:34 -0700 (PDT)
Received: from compute6.internal (compute6.nyi.internal [10.202.2.46]) by mailout.nyi.internal (Postfix) with ESMTP id 3AFCD224E7 for <tls@ietf.org>; Wed, 5 Jun 2019 11:20:34 -0400 (EDT)
Received: from imap4 ([10.202.2.54]) by compute6.internal (MEProxy); Wed, 05 Jun 2019 11:20:34 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=heapingbits.net; h=mime-version:message-id:in-reply-to:references:date:from:to :subject:content-type; s=fm1; bh=jdzQRHw5f+b3THPpW1wfTqlu8TgZQvY A59c9AI7zrvQ=; b=qFfLNBCA7kDbqGGgHXEMqOW7JbWTc+WdeeOTZiwa2cbfz25 p67qqJug1/WCeZhf1eKQ5+GWGZAZ8JiOE6NyE1vHKCDhoJuysJeOinBnXExloLxR aGl8cp5PhYR64Emlab9fy+Tf4zZ/xfZcLOSA9pXGD5TBAdVUcWLnBKNd/5J4wqsl Jjw8Pbkr47l2vZVKQiBsqKfXfg+QYXxgJSKWK0f0qJBiQnRIF/J34kmQDKJL6dPQ etX8V4c5I4nh2uME6zvARPStWVOZozS5kWuycDq1bdEXYEtBrlmHM9EkmW6Qo58l v0sMQaPTyq43Bj/3tdpLaNTwh599pyfYIwap99g==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=content-type:date:from:in-reply-to :message-id:mime-version:references:subject:to:x-me-proxy :x-me-proxy:x-me-sender:x-me-sender:x-sasl-enc; s=fm2; bh=jdzQRH w5f+b3THPpW1wfTqlu8TgZQvYA59c9AI7zrvQ=; b=2Qxm7Jt+W2xCY2LzzxBrBm KAoVb7QURcy952kxlq2pvLb6eaQUa1UJGUiWW2FsBmuEZLtsnRoG8OdJv4WZk69M pchIXRll2+niHtw9hA5CWHmY5lMWunNiTCgsr0FC1c/LUERhPDy+XLqqcL5HtnJc sHoKnSxN/QHLf+cHbBqyibt5Wk/WKuuihsEhWxiBD8o0TwMoZlJYDAt4Fkz+zSQK itqT0MbjXCp24dYIGBTjLW0xKb1k2Knb/D1JYMbNqmqfqk0AXc02WlnnpA/zWBeR 9zlX+KOsKkKTfg8K1D5/NnCmh4S8RONOT1chctHCHWuW3xaAmqmm1418hUQ9VNfw ==
X-ME-Sender: <xms:wd33XN1YNv_SRiSkaVYrIpdh2wDz_CNoTPzrdon1btfsa9jdjq5isw>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgeduuddrudegvddgkeekucetufdoteggodetrfdotf fvucfrrhhofhhilhgvmecuhfgrshhtofgrihhlpdfqfgfvpdfurfetoffkrfgpnffqhgen uceurghilhhouhhtmecufedttdenucenucfjughrpefofgggkfgjfhffhffvufgtsehttd ertderredtnecuhfhrohhmpedfvehhrhhishhtohhphhgvrhcuhghoohgufdcuoegtrgif sehhvggrphhinhhgsghithhsrdhnvghtqeenucffohhmrghinhepihgvthhfrdhorhhgne curfgrrhgrmhepmhgrihhlfhhrohhmpegtrgifsehhvggrphhinhhgsghithhsrdhnvght necuvehluhhsthgvrhfuihiivgeptd
X-ME-Proxy: <xmx:wd33XIVZ27AvqfSm25zls5IQrmoBFQuBoAKHhikclRuhANBQ4C_3Cg> <xmx:wd33XI6IGf6AdZUy2bB-nUCDkt5oh8xjgOEKLmORPR7NvSGSpHAgMA> <xmx:wd33XPLBdTf0jKwUw3fxnIjTbsGnX2AWIm9jKIfKvAEKqjwjH4kUbQ> <xmx:wt33XI8fqTrr6ASHBGhxBIbz0inH0-2fi4jsmkiGHRN32DJqwwUZiQ>
Received: by mailuser.nyi.internal (Postfix, from userid 501) id B5CDA3C00A0; Wed, 5 Jun 2019 11:20:33 -0400 (EDT)
X-Mailer: MessagingEngine.com Webmail Interface
User-Agent: Cyrus-JMAP/3.1.6-650-g74f8db0-fmstable-20190604v3
Mime-Version: 1.0
Message-Id: <d4e3c9d3-4eaf-4c88-a009-cc93c5246fa3@www.fastmail.com>
In-Reply-To: <1558344512756.70167@cs.auckland.ac.nz>
References: <28511b10-8f6a-4394-95a9-5188130f7b58@www.fastmail.com> <29960808.K0e8lGuAtk@pintsize.usersys.redhat.com> <20190514145249.C6DDB404C@ld9781.wdf.sap.corp> <12276928.OsXPxM6NY9@pintsize.usersys.redhat.com> <20190514205258.5C457404C@ld9781.wdf.sap.corp> <1558344512756.70167@cs.auckland.ac.nz>
Date: Wed, 05 Jun 2019 08:20:33 -0700
From: Christopher Wood <caw@heapingbits.net>
To: "TLS@ietf.org" <tls@ietf.org>
Content-Type: text/plain
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/xyMXqKQUZeztD5WupvI0uBp4OLA>
Subject: Re: [TLS] WGLC for "Deprecating TLSv1.0 and TLSv1.1"
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 05 Jun 2019 15:20:39 -0000

To close the loop on this, the chairs think this draft should remain solely focused on deprecating legacy TLS versions, not legacy hash functions. Algorithm deprecation may happen elsewhere, be it in draft-lvelvindron-tls-md5-sha1-deprecate or another draft.

Best,
Chris, Joe, and Sean

On Mon, May 20, 2019, at 2:29 AM, Peter Gutmann wrote:
> Martin Rex <mrex@sap.com> writes:
> 
> >BEAST is an attack against Web Browsers (and the abuse known as SSL-VPNs), it
> >is *NO* attack against TLS 
> 
> That actually applies to an awful lot of recent attacks on TLS - they're
> attacks that rely on web software that's actively cooperating with the
> attacker, not attacks on TLS per se.  Similar issues affect numerous attacks
> on CMS (branded as S/MIME in email) and OpenPGP, they require mail software
> that actively cooperates with the attacker.
> 
> For any new attack on a protocol like TLS, you really need a three-stage
> summary of what's vulnerable:
> 
> 1. Web-based use of TLS: Pretty much everything.
> 2. Non-web-based use of TLS: Very little.
> 3. Non-web-based with a few basic mitigations (EMS, EtM): Nothing, or 
> close to it.
> 
> Peter.
> 
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls
>