Re: [Tools-discuss] Phasing out TLS 1.0/1.1 on IETF services

"Eric Vyncke (evyncke)" <evyncke@cisco.com> Fri, 24 June 2022 06:40 UTC

From: "Eric Vyncke (evyncke)" <evyncke@cisco.com>
To: Viktor Dukhovni <ietf-dane@dukhovni.org>, "tools-discuss@ietf.org" <tools-discuss@ietf.org>
Date: Fri, 24 Jun 2022 06:40:40 +0000
Message-ID: <9682CAB4-D241-4248-A684-7E282BE6F3E6@cisco.com>
References: <492E44F3-68AB-4252-925E-53A48D5D16FA@cisco.com> <YrVXL7p0K7uaWndI@straasha.imrryr.org>
In-Reply-To: <YrVXL7p0K7uaWndI@straasha.imrryr.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tools-discuss/AKnQh0eYACdmbAl7MeQx8rbF3Nc>

Viktor,

My understanding is that this first phase is only for HTTPS and not for SMTP. But, interesting next steps ;-)

-éric


On 24/06/2022, 08:18, "Tools-discuss on behalf of Viktor Dukhovni" <tools-discuss-bounces@ietf.org on behalf of ietf-dane@dukhovni.org> wrote:

    On Fri, Jun 24, 2022 at 05:51:48AM +0000, Eric Vyncke (evyncke) wrote:

    > Based on feedback from our penetration testing contractor, and taking
    > RFC8996 [1] into consideration, the IETF will begin phasing out TLS
    > 1.0 and 1.1 on IETF services in the coming days,

    Will this also apply to SMTP traffic to/from mail.ietf.org?

    Given that most SMTP traffic is still unauthenticated STARTTLS, and that
    fallback to cleartext is common after failure to deliver via TLS,
    disabling TLS 1.0 and 1.1 in SMTP rarely has tangible security benefits.
    It may simply result in more traffic using cleartext and delays in
    message delivery.  Some sending systems don't recover from STARTTLS
    failure, retrying the handshake until messages expire and bounce.

    A review of the mail logs on mail.ietf.org may be appropriate to
    determine whether there is still non-negligible use of TLS 1.0 with some
    systems that exchange mail with ietf.org (actually deliver or receive
    some mail after establishing a TLS 1.0 connection).

    It is possible that ietf.org no longer exchanges mail with substantially
    outdated systems that are limited to TLS 1.0, but this is worth checking.

    -- 
        Viktor.
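
Added example, not part of the original thread: one way to run the mail-log review suggested above, counting which TLS versions inbound sessions negotiated and which of those sessions went on to hand over mail. It assumes Postfix smtpd logging with `smtpd_tls_loglevel = 1`; the hosts, PIDs and queue IDs in the sample are constructed.

```python
import re
from collections import Counter

# Constructed sample (hosts, PIDs and queue IDs are made up) in the style
# Postfix smtpd logs when smtpd_tls_loglevel = 1; connect lines are omitted.
SAMPLE_LOG = """\
Jun 24 06:40:41 mx postfix/smtpd[4101]: Anonymous TLS connection established from old.example.net[192.0.2.10]: TLSv1 with cipher AES256-SHA (256/256 bits)
Jun 24 06:40:42 mx postfix/smtpd[4101]: 3F2A1B0C4D: client=old.example.net[192.0.2.10]
Jun 24 06:40:43 mx postfix/smtpd[4101]: disconnect from old.example.net[192.0.2.10]
Jun 24 06:41:02 mx postfix/smtpd[4102]: Anonymous TLS connection established from mail.example.org[198.51.100.7]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Jun 24 06:41:03 mx postfix/smtpd[4102]: 5E6F7A8B9C: client=mail.example.org[198.51.100.7]
Jun 24 06:41:04 mx postfix/smtpd[4102]: disconnect from mail.example.org[198.51.100.7]
Jun 24 06:42:10 mx postfix/smtpd[4103]: Anonymous TLS connection established from probe.example.com[203.0.113.5]: TLSv1 with cipher AES256-SHA (256/256 bits)
Jun 24 06:42:11 mx postfix/smtpd[4103]: disconnect from probe.example.com[203.0.113.5]
Jun 24 06:43:30 mx postfix/smtpd[4104]: 1A2B3C4D5E: client=plain.example.net[192.0.2.44]
Jun 24 06:43:31 mx postfix/smtpd[4104]: disconnect from plain.example.net[192.0.2.44]
"""

LEGACY = {"TLSv1", "TLSv1.1"}  # the versions deprecated by RFC 8996
TLS_RE = re.compile(r"postfix/smtpd\[(\d+)\]: \w+ TLS connection established "
                    r"from \S+: (TLSv[\d.]+) with cipher")
MSG_RE = re.compile(r"postfix/smtpd\[(\d+)\]: [0-9A-Za-z]+: client=(\S+?)\[")
END_RE = re.compile(r"postfix/smtpd\[(\d+)\]: disconnect from")

def tls_usage(lines):
    """Return (sessions per version, messages per version, legacy-TLS senders)."""
    live = {}  # smtpd PID -> TLS version of the session it is serving
    sessions, messages, legacy_hosts = Counter(), Counter(), Counter()
    for line in lines:
        if m := TLS_RE.search(line):
            live[m.group(1)] = m.group(2)
            sessions[m.group(2)] += 1
        elif m := MSG_RE.search(line):
            # A queue ID line means smtpd opened a queue file for a message.
            version = live.get(m.group(1), "cleartext")
            messages[version] += 1
            if version in LEGACY:
                legacy_hosts[m.group(2)] += 1
        elif m := END_RE.search(line):
            live.pop(m.group(1), None)  # the PID may serve another client next
    return sessions, messages, legacy_hosts

if __name__ == "__main__":
    for name, counts in zip(("sessions", "messages", "legacy senders"),
                            tls_usage(SAMPLE_LOG.splitlines())):
        print(name, dict(counts))
```

Handshakes are counted separately from messages, so a TLS 1.0 session that never hands over mail (the `probe.example.com` lines) does not show up as a sender that disabling TLS 1.0 would affect.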
