Re: [Uta] [Last-Call] Artart last call review of draft-ietf-uta-rfc7525bis-09

Thomas Fossati <Thomas.Fossati@arm.com> Mon, 11 July 2022 08:51 UTC

From: Thomas Fossati <Thomas.Fossati@arm.com>
To: Cullen Jennings <fluffy@iii.ca>
CC: "art@ietf.org" <art@ietf.org>, "draft-ietf-uta-rfc7525bis.all@ietf.org" <draft-ietf-uta-rfc7525bis.all@ietf.org>, "last-call@ietf.org" <last-call@ietf.org>, "uta@ietf.org" <uta@ietf.org>
Date: Mon, 11 Jul 2022 08:51:10 +0000
Message-ID: <DB9PR08MB65243DA97CD1883ABAA1B7609C879@DB9PR08MB6524.eurprd08.prod.outlook.com>
References: <165728991008.45773.10659091812976572509@ietfa.amsl.com> <DB9PR08MB65249A319F9E14A76EC424279C829@DB9PR08MB6524.eurprd08.prod.outlook.com> <C2B07B42-7C1A-491F-97C9-BE4E6E9C5B05@iii.ca>
In-Reply-To: <C2B07B42-7C1A-491F-97C9-BE4E6E9C5B05@iii.ca>
Archived-At: <https://mailarchive.ietf.org/arch/msg/uta/X1xqUHTkzYMfyUFSrbVYHYZ-bPA>

Hi Cullen,

On Sunday, 10 July 2022 at 11:41, Cullen Jennings <fluffy@iii.ca> wrote:
> > On Jul 8, 2022, at 9:37 AM, Thomas Fossati <Thomas.Fossati@arm.com> wrote:
> >
> > I keep an eye on data from a cute crawler [0] that regularly scans
> > the top 1 million web sites, and twice per year makes a summary of
> > the trends.  (You can find the freshly collected raw data [1] as
> > well as the most recent summary [2].)
> >
> > What I gather from that data set is that the amount of traffic < 1.2
> > is becoming quasi invisible (*).  So I would be really surprised if
> > Mozilla, Apple and Google, which are surely captured by the crawler,
> > were among the very few caught red-handed supporting ver ∈ [1.0,
> > 1.1].
> >
>
> Very interesting.  I think it is important that we get to the bottom
> of this because the data you are basing some of your conclusions on
> looks wrong to me.
>
> I’m reading
> https://scotthelme.co.uk/top-1-million-analysis-november-2021/
> and there is a section labeled "TLS, old and new" which has a table
> that lists TLS 1.1 at zero.
>
> It also references a more specific file at
> https://crawler.ninja/files/protocols.txt which currently has the
> following in that file
>
> TLS Protocol Versions:
> TLSv1.3 386,472
> TLSv1.2 179,549
> TLSv1.0 515
>
> Again implying 1.1 is at 0. If this is supposed to represent the
> number of sites that offer 1.1, out of the top million, well, I think
> it is wrong. I also don’t think what web sites are offering a given
> version is a very great metric to estimate what non-browser TLS
> client applications are using but that is a different issue.
>
> I think it is pretty critical that we sort this out.
>
> Here is what that site lists as top 10 sites (I disagree it is the
> top 10 by clients that use it, but close enough for some data)
>
> 1,google.com
> 2,akamaiedge.net
> 3,facebook.com
> 4,youtube.com
> 5,gtld-servers.net
> 6,netflix.com
> 7,microsoft.com
> 8,instagram.com
> 9,twitter.com
> 10,akamai.net
>
> I checked if they support TLS 1.1 with a command like "openssl
> s_client -connect google.com:443 -tls1_1".  What I got from Calgary
> on July 9 is
>
> 1,google.com YES
> 2,akamaiedge.net (this is not a valid server so I randomly used
> e673.dsce9.akamaiedge.net)  YES
> 3,facebook.com NO
> 4,youtube.com YES
> 5,gtld-servers.net (seriously, I don’t think this is the #5 domain by
> any sane definition). Anyways, I can’t find where it does TLS so will
> ignore it. UNKNOWN
> 6,netflix.com YES
> 7,microsoft.com NO
> 8,instagram.com YES
> 9,twitter.com NO
> 10,akamai.net (I used e1699.dscx.akamaiedge.net) YES
>
> This looks like well over half of that top 10 list support TLS 1.1
> which matches up with other data I have seen.
>
> What are your thoughts on why it is still turned on for that many? I
> think the answer to that question could provide some really useful
> information for this draft.

That's interesting indeed, and you are right.  At least the top-10
behaves in a very different way from what is reported.

I'll get in touch with the crawler's author to check whether there's a
problem with the crawler itself, or it's just that top-n behaves vastly
differently compared to the bottom 1000000-n.

But to be 100% clear, the text in the draft is not based on the
crawler.ninja measurements (that's purely one data set that *I* have
been looking at due to my fixation on HTTPS trends); here we are purely
echoing what the IETF consensus about version support/deprecation is.

> Just so I am not taken the wrong way here, I am not at all arguing
> that SHA1 is fine for TLS. The advice I give people is put together a
> threat model for your use of TLS, figure out which, if any clients
> would be impacted by going to version X, and make a rational decision
> about if you should move to requiring version X. If your clients are
> all Safari or Chrome in the US or EU on smart phones that are within
> the Apple software update window, the cost of moving might be nearly zero
> - if you are supporting very old, very cheap mobile phones globally,
> your stats are going to be a bit different.  If what you are
> transferring over TLS is a web page with a menu for your restaurant,
> your risk of using SHA1 might be pretty much zero. This draft can help
> provide that information for people to, as Spencer says, make good
> choices. I’d love to see the draft have more of that for this TLS 1.0
> / 1.1 issue.
>
> I am also not arguing in any way that TLS 1.1 is not deprecated at the
> IETF. It is. The IETF published an RFC that said don’t use it. However
> deployments with excellent networking and security teams, like
> companies on the above list, are still supporting it for some use
> cases which makes me think it would be far more useful to provide some
> information about the risk and reasons to use it and not to use it.
> That would help people understand in a way that may have more impact
> in getting a transition to a newer version than just another RFC that
> also says don’t use it with no extra info.
>
> We end up with some people saying “www.google.com” supports TLS 1.1
> and if it is good enough for them, it works for me. But it is far more
> subtle than that. The endpoints for google pay at pay.google.com do
> not support 1.1 even though 1.1 might be fine for some of the
> www.google.com. This gets lost on people.
>
> I think there is room for additional useful information here. I’m not
> volunteering to write such advice, done is a feature, and I am thankful
> to the people that created what is in the draft.

I think the task of this BCP is to provide *security* best practices to
the community of operators and implementers.  If we were to phrase it in
a more nuanced way as you suggest I think we'd dilute a message that
needs to be strong and clear.  I trust people not to base their choice
solely on this specific source; they will balance the security risks
(which this document will hopefully help inform) with their users' reach
and any further consideration they need to factor into their
deployment decisions.

My two cents, obviously.

cheers, t
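Cullen's manual top-10 check, as an added example that is not part of this thread or of the draft: the same `openssl s_client -connect HOST:443 -tls1_1` probe, wrapped so that the output is classified rather than eyeballed, and keeping a server's refusal apart from the local OpenSSL build being unable to offer TLS 1.1 at all (the first thing to rule out before recording a NO). The SAMPLE_* outputs are constructed, the error-string patterns assume OpenSSL 1.1/3.x wording, and `-servername` is added so that CDN front ends such as the akamaiedge names see an SNI.

```python
"""Audit which deprecated TLS versions a set of hosts still negotiate: the thread's
probe (openssl s_client -connect HOST:443 -tls1_1) plus a classifier for its output."""
import re
import subprocess
from typing import Dict, List

# s_client flag per version; note OpenSSL labels TLS 1.0 as plain "TLSv1"
VERSION_FLAGS = {"TLSv1.0": "-tls1", "TLSv1.1": "-tls1_1",
                 "TLSv1.2": "-tls1_2", "TLSv1.3": "-tls1_3"}
# Patterns assume OpenSSL 1.1/3.x s_client wording (an assumption; adjust per build)
SERVER_REFUSED = re.compile(r"alert protocol version|alert handshake failure")
CLIENT_UNABLE = re.compile(r"no protocols available|unsupported protocol|"
                           r"connection refused|getaddrinfo|unknown option", re.I)
PROTOCOL = re.compile(r"^\s*Protocol\s*:\s*(\S+)", re.M)   # SSL-Session block
CIPHER = re.compile(r"Cipher is (\S+)")                    # "New, ..., Cipher is X"

# Constructed samples of both outcomes, trimmed to the lines that matter
SAMPLE_YES = "CONNECTED(00000003)\nNew, TLSv1.0, Cipher is ECDHE-RSA-AES128-SHA\nSSL-Session:\n    Protocol  : TLSv1.1\n    Cipher    : C013\n"
SAMPLE_NO = "CONNECTED(00000003)\nerror:0A00042E:SSL routines::tlsv1 alert protocol version\nNew, (NONE), Cipher is (NONE)\nSSL-Session:\n    Protocol  : TLSv1.1\n    Cipher    : 0000\n"


def classify(output: str, wanted: str) -> str:
    """YES / NO / UNKNOWN for the version forced on the command line. Two traps:
    s_client prints an SSL-Session 'Protocol' line even after a failed handshake, so
    a real cipher must be present too; and the version in the 'New, ...' line is the
    cipher's minimum version, not the negotiated one, which is read from SSL-Session.
    NO means the server refused; anything the local side could not do stays UNKNOWN."""
    if SERVER_REFUSED.search(output):
        return "NO"
    if CLIENT_UNABLE.search(output):
        return "UNKNOWN"
    cipher, proto = CIPHER.search(output), PROTOCOL.search(output)
    if not cipher or cipher.group(1) == "(NONE)" or not proto:
        return "UNKNOWN"
    negotiated = "TLSv1.0" if proto.group(1) == "TLSv1" else proto.group(1)
    return "YES" if negotiated == wanted else "UNKNOWN"


def probe(host: str, version: str, port: int = 443, timeout: int = 15) -> str:
    """Run the check for one host; -servername sends SNI, which CDN front ends
    (the akamaiedge names in the thread) need to pick the right configuration."""
    cmd = ["openssl", "s_client", "-connect", f"{host}:{port}",
           "-servername", host, VERSION_FLAGS[version]]
    try:
        run = subprocess.run(cmd, input="", capture_output=True, text=True, timeout=timeout)
    except (subprocess.TimeoutExpired, FileNotFoundError):
        return "UNKNOWN"
    return classify(run.stdout + run.stderr, version)


def audit(hosts: List[str], versions=("TLSv1.0", "TLSv1.1")) -> Dict[str, Dict[str, str]]:
    """Probe each exact endpoint in scope for each legacy version."""
    return {h: {v: probe(h, v) for v in versions} for h in hosts}
```

Call audit() with the exact endpoints in scope (for instance both a site's front page and its payment host), since, as the thread notes, www.google.com and pay.google.com can answer differently.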

