Re: [Uta] Comments as draft-rsalz-uta-require-tls13

"Salz, Rich" <rsalz@akamai.com> Tue, 26 March 2024 01:08 UTC

From: "Salz, Rich" <rsalz@akamai.com>
To: Alan DeKok <aland@deployingradius.com>
CC: "uta@ietf.org" <uta@ietf.org>
Thread-Topic: [Uta] Comments as draft-rsalz-uta-require-tls13
Thread-Index: AQHafqBI8lUE/2sMiUKl+cPkfcbHj7FJXlUAgABLb4D//793AA==
Date: Tue, 26 Mar 2024 01:08:23 +0000
Message-ID: <6A843FE5-8F25-40B8-B2FD-75EC1BB03767@akamai.com>
References: <3E6241EB-24CB-4B42-9B7F-7AB32DCC290C@deployingradius.com> <6BD396CD-E223-4A90-8E84-D99C6EAB5F08@akamai.com> <9FD21A85-4778-445D-8129-29C5F50EA081@deployingradius.com>
In-Reply-To: <9FD21A85-4778-445D-8129-29C5F50EA081@deployingradius.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/uta/XF1SMU2trHj3CJVHROvLlq_q7F8>
Subject: Re: [Uta] Comments as draft-rsalz-uta-require-tls13
List-Id: UTA working group mailing list <uta.ietf.org>

>> I think in all but special cases specifying just the minimum is fine. The only reason I can think of for specifying the max version is that you have regulatory/compliance issues to comply with.

> We ran into this in EMU with EAP-TLS. The EAP application derived application-specific keys based on TLS key exporter constructs. Those constructs changed with TLS 1.3, and all of the code which supported "TLS 1.2 or higher" broke in weird ways.

Wow, thanks for that.
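An added illustration of the EAP-TLS point above (this is not code from the draft, the thread, or any EAP implementation): RFC 5216 derives the MSK/EMSK for TLS 1.2 from the TLS PRF over the master secret and the two randoms with the label "client EAP encryption", while RFC 9190 derives them for TLS 1.3 from the TLS-Exporter with the label "EXPORTER_EAP_TLS_Key_Material" and the EAP-TLS type code (0x0D) as context. Both derivations are written out below against HMAC-SHA256 and run on constructed secrets and randoms (no real handshake), and the `eap_tls_keys` dispatcher, the `session` dict, and the "TLSv1.2"/"TLSv1.3" version strings are hypothetical names chosen for this example; the choice of SHA-256 as the handshake hash is also an assumption. The point it demonstrates is that "TLS 1.2 or higher" code feeding a 1.3 session through the 1.2 derivation produces well-formed but wrong keys, so the derivation has to be selected on the negotiated version.

```python
"""EAP-TLS key material under TLS 1.2 (RFC 5216) versus TLS 1.3 (RFC 9190).

Example code written for this mailing-list page; inputs below are constructed
and do not come from any real TLS session.
"""
import hashlib
import hmac
import struct

HASH = hashlib.sha256          # assumed handshake hash for both versions
HASH_LEN = 32
EAP_TLS_TYPE_CODE = b"\x0d"    # EAP method type for EAP-TLS; RFC 9190 exporter context


def tls12_prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """TLS 1.2 PRF (RFC 5246 section 5): P_SHA256(secret, label || seed)."""
    seed = label + seed
    a = seed                                               # A(0) = seed
    out = b""
    while len(out) < length:
        a = hmac.new(secret, a, HASH).digest()             # A(i) = HMAC(secret, A(i-1))
        out += hmac.new(secret, a + seed, HASH).digest()   # HMAC(secret, A(i) || seed)
    return out[:length]


def hkdf_expand_label(secret: bytes, label: bytes, context: bytes, length: int) -> bytes:
    """HKDF-Expand-Label (RFC 8446 section 7.1) over HMAC-SHA256.

    HkdfLabel = uint16 length || opaque "tls13 " + label || opaque context.
    Note the output length is part of the info, so outputs of different
    lengths are not prefixes of one another.
    """
    full_label = b"tls13 " + label
    hkdf_label = (struct.pack("!H", length)
                  + bytes([len(full_label)]) + full_label
                  + bytes([len(context)]) + context)
    out, t, i = b"", b"", 1
    while len(out) < length:                               # HKDF-Expand T(i) blocks
        t = hmac.new(secret, t + hkdf_label + bytes([i]), HASH).digest()
        out += t
        i += 1
    return out[:length]


def tls13_exporter(exporter_master_secret: bytes, label: bytes, context: bytes, length: int) -> bytes:
    """TLS-Exporter (RFC 8446 section 7.5):
    HKDF-Expand-Label(Derive-Secret(Secret, label, ""), "exporter", Hash(context), length)."""
    derived = hkdf_expand_label(exporter_master_secret, label, HASH(b"").digest(), HASH_LEN)
    return hkdf_expand_label(derived, b"exporter", HASH(context).digest(), length)


def eap_tls12_keys(master_secret: bytes, client_random: bytes, server_random: bytes):
    """RFC 5216 section 2.3: Key_Material = TLS-PRF-128(master_secret,
    "client EAP encryption", client.random || server.random); MSK = 0..63, EMSK = 64..127."""
    km = tls12_prf(master_secret, b"client EAP encryption", client_random + server_random, 128)
    return km[:64], km[64:]


def eap_tls13_keys(exporter_master_secret: bytes):
    """RFC 9190 section 2.3: Key_Material = TLS-Exporter("EXPORTER_EAP_TLS_Key_Material",
    Type-Code, 128); MSK = 0..63, EMSK = 64..127."""
    km = tls13_exporter(exporter_master_secret, b"EXPORTER_EAP_TLS_Key_Material",
                        EAP_TLS_TYPE_CODE, 128)
    return km[:64], km[64:]


def eap_tls_keys(negotiated_version: str, session: dict):
    """Hypothetical dispatcher: pick the derivation by the *negotiated* version.
    A plain '>= TLS 1.2' check that then runs the RFC 5216 path is exactly the
    bug described in the thread."""
    if negotiated_version == "TLSv1.2":
        return eap_tls12_keys(session["master_secret"],
                              session["client_random"], session["server_random"])
    if negotiated_version == "TLSv1.3":
        return eap_tls13_keys(session["exporter_master_secret"])
    raise ValueError(f"no EAP-TLS key derivation defined here for {negotiated_version}")


# Constructed session values, chosen only to drive the functions above.
SESSION = {
    "master_secret": bytes(range(48)),
    "client_random": b"\x11" * 32,
    "server_random": b"\x22" * 32,
    "exporter_master_secret": bytes(range(32)),
}

if __name__ == "__main__":
    for version in ("TLSv1.2", "TLSv1.3"):
        msk, emsk = eap_tls_keys(version, SESSION)
        print(version, "MSK", msk.hex()[:32] + "...", "EMSK", emsk.hex()[:32] + "...")
```

The two paths share no inputs at all: TLS 1.3 has no master_secret or "client EAP encryption" label, and the exporter output additionally binds the EAP type code, so changing the context byte changes every key. A deployment that only asserts a minimum version gets a different derivation the day the peer negotiates 1.3, which is the interoperability failure Alan describes.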