[Uta] Any thoughts on draft-rsalz-uta-require-tls13 ?

"Salz, Rich" <rsalz@akamai.com> Wed, 06 December 2023 16:21 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/uta/20jkLH5_QlUwfekgpRe9AbHhB80>

The draft is at https://datatracker.ietf.org/doc/draft-rsalz-uta-require-tls13/ and it’s maintained on GitHub at https://github.com/richsalz/tls12-frozen . There are two documents in that repo.

The draft updates RFC 9325 in the following way:
Any new protocol that uses TLS MUST specify as its default TLS 1.3 (or a higher TLS version, when one becomes standardized). For example, QUIC [QUICTLS] <https://richsalz.github.io/tls12-frozen/draft-rsalz-uta-require-tls13.html#QUICTLS> requires TLS 1.3 and specifies that endpoints MUST terminate the connection if an older version is used.

If deployment considerations are a concern, the protocol MAY specify TLS 1.2 as an additional, non-default option. As a counter example, the Usage Profile for DNS over TLS [DNSTLS] <https://richsalz.github.io/tls12-frozen/draft-rsalz-uta-require-tls13.html#DNSTLS> specifies TLS 1.2 as the default, while also allowing TLS 1.3. For newer specifications that choose to support TLS 1.2, those preferences are to be reversed.

One motivation is that TLS is in a call for adoption of a “TLS 1.2 is frozen” draft which specifies that no new features, in particular *post-quantum crypto*, will be added to TLS 1.2. As PQC is now a hot topic, it might be worth firming up the advice to applications.
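An added example, not part of the message above, the draft, or the tls12-frozen repo: what the draft's "TLS 1.3 by default, TLS 1.2 only as an explicit non-default option" rule looks like at the point where a server actually decides, i.e. on the ClientHello. The code builds minimal ClientHello records (the random, cipher suites and extension contents are constructed test data, not captures), parses `legacy_version` and the `supported_versions` extension (RFC 8446 §4.2.1: if the extension is present the server must ignore `legacy_version` and pick only from the extension; if absent, the client speaks at most TLS 1.2), and applies a `select_version` policy whose default accepts only TLS 1.3, the way the QUIC rule quoted above does, with `allow_tls12` as the opt-in the draft permits. Function names and the `allow_tls12` flag are hypothetical.

```python
"""ClientHello version negotiation under a "TLS 1.3 default, TLS 1.2 opt-in" policy.
Added illustration; not code from the draft or the tls12-frozen repository."""
import os
import struct

TLS12 = 0x0303
TLS13 = 0x0304
EXT_SUPPORTED_VERSIONS = 43          # RFC 8446 extension type for supported_versions


def build_client_hello(legacy_version, offered_versions=None, cipher_suites=(0x1301, 0x1302)):
    """Construct a minimal ClientHello (TLS record + handshake framing) as test input.
    offered_versions=None omits supported_versions, which is what a pre-1.3 client sends."""
    body = struct.pack("!H", legacy_version)
    body += os.urandom(32)                          # ClientHello.random (constructed)
    body += b"\x00"                                 # empty legacy_session_id
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    body += struct.pack("!H", len(suites)) + suites
    body += b"\x01\x00"                             # legacy_compression_methods: null only
    exts = b""
    if offered_versions is not None:
        vers = b"".join(struct.pack("!H", v) for v in offered_versions)
        data = struct.pack("!B", len(vers)) + vers   # 1-byte length, then 2-byte versions
        exts += struct.pack("!HH", EXT_SUPPORTED_VERSIONS, len(data)) + data
    body += struct.pack("!H", len(exts)) + exts
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body       # type 1 = client_hello
    return b"\x16" + struct.pack("!HH", 0x0301, len(handshake)) + handshake


def parse_client_hello(record):
    """Return (legacy_version, supported_versions or None) from a ClientHello record."""
    if record[0] != 0x16:
        raise ValueError("not a handshake record")
    (rec_len,) = struct.unpack("!H", record[3:5])
    hs = record[5:5 + rec_len]
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) != hs_len:
        raise ValueError("truncated ClientHello")
    (legacy_version,) = struct.unpack("!H", body[0:2])
    pos = 2 + 32                                    # skip random
    pos += 1 + body[pos]                            # skip legacy_session_id
    (cs_len,) = struct.unpack("!H", body[pos:pos + 2])
    pos += 2 + cs_len                               # skip cipher_suites
    pos += 1 + body[pos]                            # skip compression methods
    offered = None
    if pos < len(body):                             # extensions block is optional on the wire
        (ext_len,) = struct.unpack("!H", body[pos:pos + 2])
        pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            edata = body[pos:pos + elen]
            pos += elen
            if etype == EXT_SUPPORTED_VERSIONS:
                n = edata[0]
                offered = [struct.unpack("!H", edata[1 + i:3 + i])[0] for i in range(0, n, 2)]
    return legacy_version, offered


def select_version(record, allow_tls12=False):
    """Pick the protocol version for this ClientHello, or None to abort the handshake.
    Default policy: TLS 1.3 only (the QUIC rule). allow_tls12 is the non-default opt-in."""
    allowed = {TLS13} | ({TLS12} if allow_tls12 else set())
    legacy_version, offered = parse_client_hello(record)
    if offered is not None:
        # supported_versions present: legacy_version MUST be ignored; GREASE or unknown
        # values simply never match the allowed set.
        mutual = [v for v in offered if v in allowed]
        return max(mutual) if mutual else None
    # No extension: the client cannot do TLS 1.3, so the best it can get is legacy_version,
    # capped at 1.2.
    version = min(legacy_version, TLS12)
    return version if version in allowed else None


if __name__ == "__main__":
    modern = build_client_hello(TLS12, [TLS13, TLS12])
    old = build_client_hello(TLS12)                  # TLS 1.2 client, no supported_versions
    print("1.3 client, default policy:", hex(select_version(modern) or 0))
    print("1.2 client, default policy:", select_version(old))
    print("1.2 client, opt-in policy :", hex(select_version(old, allow_tls12=True) or 0))
```

The default path is the strict one a QUIC endpoint applies; passing `allow_tls12=True` is the deliberate, non-default choice the draft allows for deployment reasons, so nothing gets TLS 1.2 without an explicit decision at the call site.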