Re: [Uta] [Last-Call] Secdir telechat review of draft-ietf-uta-rfc7525bis-09

Martin Thomson <mt@lowentropy.net> Thu, 14 July 2022 00:53 UTC

Message-Id: <37eba8c7-57b6-4fcc-8bf1-5521ab82aeea@beta.fastmail.com>
In-Reply-To: <cd793161-3535-41f8-a6f3-ed5b160048c6@stpeter.im>
References: <165766858084.5251.12485129434316295805@ietfa.amsl.com> <b24e2934-200f-4f80-5261-aa2a977da39b@stpeter.im> <CAChr6Syq+uOTJsvqWuSustq_HdTaXCtDepyCuRWx+jGoEB06Fw@mail.gmail.com> <CAChr6SzkAmbjGK4XOwPkSwssLoG4NW1yG-6b2aFdFr43yF2zwQ@mail.gmail.com> <c516d0e4-f477-a4fb-2638-3615434f48f2@stpeter.im> <CAChr6SwgwknvgAycr6s=6tCRQZoZdiJxRXJpoTejEcW7g+bv=A@mail.gmail.com> <359BC9EA-FB6D-49E8-8CA6-AA395114838B@akamai.com> <cd793161-3535-41f8-a6f3-ed5b160048c6@stpeter.im>
Date: Thu, 14 Jul 2022 10:52:53 +1000
From: Martin Thomson <mt@lowentropy.net>
To: Peter Saint-Andre <stpeter@stpeter.im>, "Salz, Rich" <rsalz@akamai.com>, Rob Sayre <sayrer@gmail.com>
Cc: Benjamin Kaduk <kaduk@mit.edu>, "secdir@ietf.org" <secdir@ietf.org>, "draft-ietf-uta-rfc7525bis.all@ietf.org" <draft-ietf-uta-rfc7525bis.all@ietf.org>, "last-call@ietf.org" <last-call@ietf.org>, "uta@ietf.org" <uta@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/uta/ZTGWSjjjuPSRbpbCXa4kxTDEcu4>


On Thu, Jul 14, 2022, at 10:20, Peter Saint-Andre wrote:
> On 7/13/22 3:00 PM, Salz, Rich wrote:
>>   * It is definitely the "BCP" already--there are good reasons not to
>>     support TLS 1.2 on a server, and good reasons for clients not to
>>     connect to a server that negotiates it.
>> 
>> What are they?
>
> Good question.

I think we want to distinguish between "can" and "should".  There are servers that can reasonably not support TLS 1.2 now.  Most clients that are up to date will have TLS 1.3.  Those servers can disable TLS 1.2 and enjoy the benefit of using a more robust protocol.

However, I don't see the IETF being in a position yet where it can tell people not to use TLS 1.2.  There's a good protocol hidden in there still if you are careful.  More importantly, we still have people who have not been able to make a move. Note the careful distinction here between not able and not willing; the latter will start to be an excuse soon.