Re: [Uta] Robert Wilton's Discuss on draft-ietf-uta-rfc7525bis-09: (with DISCUSS and COMMENT)

Peter Saint-Andre <stpeter@stpeter.im> Mon, 18 July 2022 17:09 UTC

Message-ID: <7516ea0f-adb5-ee49-3d81-2230306365a5@stpeter.im>
Date: Mon, 18 Jul 2022 11:08:48 -0600
To: Martin Thomson <mt@lowentropy.net>, "Rob Wilton (rwilton)" <rwilton@cisco.com>, The IESG <iesg@ietf.org>
Cc: "draft-ietf-uta-rfc7525bis@ietf.org" <draft-ietf-uta-rfc7525bis@ietf.org>, "uta-chairs@ietf.org" <uta-chairs@ietf.org>, "uta@ietf.org" <uta@ietf.org>, "leifj@sunet.se" <leifj@sunet.se>
References: <165779144446.10023.16857085823147739769@ietfa.amsl.com> <799e5773-9fa4-b06a-38d1-138c43c5cfd9@stpeter.im> <BY5PR11MB4196858D743ADDF0058AEEF6B58B9@BY5PR11MB4196.namprd11.prod.outlook.com> <aef823f3-f3ab-4b17-811e-45bbcadce342@stpeter.im> <e91c06c6-037e-4ffd-ad17-37879df24e1b@www.fastmail.com> <BY5PR11MB41965634F7B81CEC361DA771B58C9@BY5PR11MB4196.namprd11.prod.outlook.com> <627d8e8d-9c89-4d6c-a941-e0f861d2528f@www.fastmail.com>
From: Peter Saint-Andre <stpeter@stpeter.im>
In-Reply-To: <627d8e8d-9c89-4d6c-a941-e0f861d2528f@www.fastmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/uta/IIkWU1jvyXWAY7CNRtKMvlF60Zo>
Subject: Re: [Uta] Robert Wilton's Discuss on draft-ietf-uta-rfc7525bis-09: (with DISCUSS and COMMENT)

On 7/18/22 10:15 AM, Martin Thomson wrote:
> On Mon, Jul 18, 2022, at 15:34, Rob Wilton (rwilton) wrote:
>> I completely get wanting the interop, but the MUST implement TLS 1.2
>> still feels too strong given that AIUI, one of the reasons for TLS 1.3
>> was to help mitigate some of the security issues that turned up in TLS
>> 1.2.  It feels reasonable to me for a server deployment to decide that
>> they will only support TLS 1.3 because it is easier to deploy securely,
>> placing the requirement on the client to also support TLS 1.3 for
>> successful interop.
> 
> There is potentially room here for a "MUST...unless" shape to the document.  I am not aware of any that do this currently, but a few years ago some websites dropped support for TLS 1.0 and 1.1 because they could be confident that browsers supported TLS 1.2.  Or at least all those they cared about did.  You might be able to conclude the same for TLS 1.3 today.
> 
> But I don't think that you can drop TLS 1.2 today without some care and that approach is not really generally applicable.

Not yet, no.

Rob, I'd like to reiterate that we expect this BCP to be updated again once the facts on the ground justify doing so. I suspect this will be the case when TLS 1.3 is even more widely supported and the IETF is ready to deprecate TLS 1.2. Maybe that will be 3-5 years from now (who knows?), but the consensus of the UTA WG was that this time is not yet. It is, after all, Best Current Practice, not Best Future Practice. ;-) I would like to suggest that we publish the recommendations as they stand in the document now, and then update the BCP again with less than a 7-year gap next time.

Peter