Re: [Uta] Robert Wilton's Discuss on draft-ietf-uta-rfc7525bis-09: (with DISCUSS and COMMENT)

Thomas Fossati <Thomas.Fossati@arm.com> Mon, 18 July 2022 15:40 UTC

From: Thomas Fossati <Thomas.Fossati@arm.com>
To: "Rob Wilton (rwilton)" <rwilton@cisco.com>, Martin Thomson <mt@lowentropy.net>, Peter Saint-Andre <stpeter@stpeter.im>, The IESG <iesg@ietf.org>
CC: "draft-ietf-uta-rfc7525bis@ietf.org" <draft-ietf-uta-rfc7525bis@ietf.org>, "uta-chairs@ietf.org" <uta-chairs@ietf.org>, "uta@ietf.org" <uta@ietf.org>, "leifj@sunet.se" <leifj@sunet.se>
Date: Mon, 18 Jul 2022 15:40:34 +0000
Message-ID: <DB9PR08MB6524EF3FCE40204FB7E0A9AD9C8C9@DB9PR08MB6524.eurprd08.prod.outlook.com>
References: <165779144446.10023.16857085823147739769@ietfa.amsl.com> <799e5773-9fa4-b06a-38d1-138c43c5cfd9@stpeter.im> <BY5PR11MB4196858D743ADDF0058AEEF6B58B9@BY5PR11MB4196.namprd11.prod.outlook.com> <aef823f3-f3ab-4b17-811e-45bbcadce342@stpeter.im> <e91c06c6-037e-4ffd-ad17-37879df24e1b@www.fastmail.com> <BY5PR11MB41965634F7B81CEC361DA771B58C9@BY5PR11MB4196.namprd11.prod.outlook.com>
In-Reply-To: <BY5PR11MB41965634F7B81CEC361DA771B58C9@BY5PR11MB4196.namprd11.prod.outlook.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/uta/MG3oywQzp_9TeM_AJirJRMWAiTk>

Hi Rob,

On Monday, 18 July 2022 at 15:35, Rob Wilton (rwilton) <rwilton@cisco.com> wrote:
> > I think that you are right to be cautious here.  What you want to
> > have happen is interoperability.  If you say 1.2 or later, then
> > there is a risk of some implementations doing 1.2 only and some
> > doing 1.3 only, then you lose the ability to communicate.
>
> The introduction states:
>
>    This document attempts to minimize new guidance to TLS 1.2
>    implementations, and the overall approach is to encourage systems
>    to move to TLS 1.3.
>
> and
>
>    These are minimum recommendations for the use of TLS in the vast
>    majority of implementation and deployment scenarios, with the
>    exception of unauthenticated TLS (see Section 5).
>
> And section 3.1.1 states:
>
>       Rationale: secure deployment of TLS 1.3 is significantly easier
>       and less error prone than secure deployment of TLS 1.2.
>
> I completely get wanting the interop, but the MUST implement TLS 1.2
> still feels too strong given that AIUI, one of the reasons for TLS 1.3
> was to help mitigate some of the security issues that turned up in TLS
> 1.2.
>
> It feels reasonable to me for a server deployment to decide that
> they will only support TLS 1.3 because it is easier to deploy
> securely, placing the requirement on the client to also support TLS
> 1.3 for successful interop.
>
> Equally, I can also foresee continued deployments, where they still
> decide to support old versions of TLS before 1.2 to ensure that they
> can still interoperate with legacy clients that have not upgraded.

Sure, a deployment can do as they decide to, but negotiating < 1.2 is not
considered secure anymore.  OTOH, the 1.2 profile that the document
describes (and that the endpoints are required to implement) is not less
secure than 1.3.

The document in its current form acknowledges the reality that today not
all stacks are fully ready and, for a variety of reasons, not all
deployments can be readily upgraded to 1.3.  MbedTLS and its ecosystem
are in that position: nearly there, but not 100% yet.

The desired state is everyone runs 1.3 (because it's less complex,
not because it's more secure than the profiled 1.2 defined in the BCP).

What are the risks of mandating 1.2 as baseline?
Do we disincentivise converging to the desired goal?
Maybe, it depends on how other levers play out.
Anyway, worst case the parties negotiate the profiled 1.2, which
guarantees excellent security.

What are the risks of not mandating 1.2 as baseline?
Do we create breakage that can't be easily fixed?
Quasi certain.

To me it's a question of timing, and I think we can defer the decision
to when data give us confidence that the induced breakage is minimal.
Note that a "SHOULD support 1.3" is pretty strong (RECOMMENDED may be
slightly stronger?) and paves the way for being more radical with the
next iteration of this document.

I appreciate the slight frustration, but a policy of small steps is
probably the most adequate for a BCP.

Cheers, thanks
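The interop concern Martin raises in the quoted text (a "1.2 or later" population that splits into 1.2-only and 1.3-only stacks) and the "never below 1.2" floor discussed above, as an added example that is mine and not from the thread or the draft: a small Python model of version-range negotiation over a constructed fleet of endpoint policies, plus a check of a real `ssl.SSLContext` against the same floor and 1.3 target. The fleet names and the `pinned_context`/`audit_context` helpers are assumptions for illustration.

```python
import ssl
from ssl import TLSVersion

FLOOR = TLSVersion.TLSv1_2    # the profile's floor: never negotiate below 1.2
TARGET = TLSVersion.TLSv1_3   # the "SHOULD support 1.3" target

def negotiated_version(a, b):
    """Toy model of version negotiation between two (min, max) ranges:
    the highest version both sides allow, or None when the ranges don't overlap."""
    lo, hi = max(a[0], b[0]), min(a[1], b[1])
    return hi if lo <= hi else None

def interop_failures(endpoints):
    """Return the (name, name) pairs of endpoints that cannot talk at all."""
    names = list(endpoints)
    return [(x, y) for i, x in enumerate(names) for y in names[i + 1:]
            if negotiated_version(endpoints[x], endpoints[y]) is None]

# Constructed fleet (hypothetical): "1.2 or later" read loosely produces both
# 1.2-only and 1.3-only stacks; "profiled" is MUST 1.2 + SHOULD 1.3; "legacy"
# is a box that never got past 1.1.
FLEET = {
    "tls12_only": (TLSVersion.TLSv1_2, TLSVersion.TLSv1_2),
    "tls13_only": (TLSVersion.TLSv1_3, TLSVersion.TLSv1_3),
    "profiled":   (TLSVersion.TLSv1_2, TLSVersion.TLSv1_3),
    "legacy":     (TLSVersion.TLSv1,   TLSVersion.TLSv1_1),
}

def pinned_context(minimum, maximum):
    """A real server SSLContext pinned to [minimum, maximum] (a deployment's policy)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = minimum
    ctx.maximum_version = maximum
    return ctx

def audit_context(ctx):
    """Check a live SSLContext against the floor and target. MINIMUM_SUPPORTED
    means 'whatever the library allows', so it counts as having no explicit floor;
    MAXIMUM_SUPPORTED means the library's newest version, so it counts as reaching 1.3."""
    mn, mx = ctx.minimum_version, ctx.maximum_version
    floor_ok = mn != TLSVersion.MINIMUM_SUPPORTED and mn >= FLOOR
    tls13_ok = mx == TLSVersion.MAXIMUM_SUPPORTED or mx >= TARGET
    return {"floor_ok": floor_ok, "tls13_ok": tls13_ok}

if __name__ == "__main__":
    for pair in interop_failures(FLEET):
        print("cannot negotiate:", pair)
    print("profiled server:", audit_context(pinned_context(FLOOR, TARGET)))
```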

