Re: [Uta] Robert Wilton's Discuss on draft-ietf-uta-rfc7525bis-09: (with DISCUSS and COMMENT)

Martin Thomson <mt@lowentropy.net> Mon, 18 July 2022 16:15 UTC

Message-Id: <627d8e8d-9c89-4d6c-a941-e0f861d2528f@www.fastmail.com>
In-Reply-To: <BY5PR11MB41965634F7B81CEC361DA771B58C9@BY5PR11MB4196.namprd11.prod.outlook.com>
References: <165779144446.10023.16857085823147739769@ietfa.amsl.com> <799e5773-9fa4-b06a-38d1-138c43c5cfd9@stpeter.im> <BY5PR11MB4196858D743ADDF0058AEEF6B58B9@BY5PR11MB4196.namprd11.prod.outlook.com> <aef823f3-f3ab-4b17-811e-45bbcadce342@stpeter.im> <e91c06c6-037e-4ffd-ad17-37879df24e1b@www.fastmail.com> <BY5PR11MB41965634F7B81CEC361DA771B58C9@BY5PR11MB4196.namprd11.prod.outlook.com>
Date: Mon, 18 Jul 2022 17:15:17 +0100
From: Martin Thomson <mt@lowentropy.net>
To: "Rob Wilton (rwilton)" <rwilton@cisco.com>, Peter Saint-Andre <stpeter@stpeter.im>, The IESG <iesg@ietf.org>
Cc: "draft-ietf-uta-rfc7525bis@ietf.org" <draft-ietf-uta-rfc7525bis@ietf.org>, "uta-chairs@ietf.org" <uta-chairs@ietf.org>, "uta@ietf.org" <uta@ietf.org>, "leifj@sunet.se" <leifj@sunet.se>
Content-Type: text/plain
Archived-At: <https://mailarchive.ietf.org/arch/msg/uta/lj7ddhisRhP_HNMTeIbFnzPNlqQ>
Subject: Re: [Uta] Robert Wilton's Discuss on draft-ietf-uta-rfc7525bis-09: (with DISCUSS and COMMENT)

On Mon, Jul 18, 2022, at 15:34, Rob Wilton (rwilton) wrote:
> I completely get wanting the interop, but the MUST implement TLS 1.2 
> still feels too strong given that AIUI, one of the reasons for TLS 1.3 
> was to help mitigate some of the security issues that turned up in TLS 
> 1.2.  It feels reasonable to me for a server deployment to decide that 
> they will only support TLS 1.3 because it is easier to deploy securely, 
> placing the requirement on the client to also support TLS 1.3 for 
> successful interop.

There is potentially room here for a "MUST...unless" shape to the document.  I am not aware of any that do this currently, but a few years ago some websites dropped support for TLS 1.0 and 1.1 because they could be confident that browsers supported TLS 1.2.  Or at least all those they cared about did.  You might be able to conclude the same for TLS 1.3 today.

But I don't think that you can drop TLS 1.2 today without some care and that approach is not really generally applicable.
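To illustrate the interop point discussed in this thread, here is an added Python example (not code from the thread, the draft, or any TLS implementation): it extracts the versions a ClientHello offers, both from the RFC 8446 supported_versions extension and from legacy_version for older clients, and applies a server's version policy. A server that only enables TLS 1.3 has no version in common with a TLS 1.2-only client, which is the failure a MUST-implement-TLS 1.2 rule guards against. The ClientHello bytes are constructed inline; the builder and function names are this example's own.

```python
import struct

TLS10, TLS11, TLS12, TLS13 = 0x0301, 0x0302, 0x0303, 0x0304
EXT_SUPPORTED_VERSIONS = 43  # RFC 8446, section 4.2.1

def build_client_hello(legacy_version, supported_versions=None):
    """Construct a minimal ClientHello body (constructed input, not a real capture).
    A TLS 1.2-only client sends legacy_version=0x0303 and no supported_versions;
    a TLS 1.3-capable client keeps legacy_version=0x0303 and lists versions in the extension."""
    body = struct.pack(">H", legacy_version) + bytes(32)   # legacy_version, random
    body += b"\x00"                                       # empty session_id
    body += struct.pack(">H", 2) + b"\x13\x01"            # one cipher suite
    body += b"\x01\x00"                                   # compression_methods: null
    exts = b""
    if supported_versions:
        payload = bytes([2 * len(supported_versions)])
        payload += b"".join(struct.pack(">H", v) for v in supported_versions)
        exts += struct.pack(">HH", EXT_SUPPORTED_VERSIONS, len(payload)) + payload
    return body + struct.pack(">H", len(exts)) + exts

def offered_versions(client_hello):
    """Versions the client offers, in its stated preference order.
    supported_versions takes precedence over legacy_version (RFC 8446)."""
    legacy = struct.unpack(">H", client_hello[:2])[0]
    pos = 34                                               # skip legacy_version + random
    pos += 1 + client_hello[pos]                           # session_id
    pos += 2 + struct.unpack(">H", client_hello[pos:pos + 2])[0]  # cipher_suites
    pos += 1 + client_hello[pos]                           # compression_methods
    if pos < len(client_hello):
        end = pos + 2 + struct.unpack(">H", client_hello[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack(">HH", client_hello[pos:pos + 4])
            data = client_hello[pos + 4:pos + 4 + elen]
            pos += 4 + elen
            if etype == EXT_SUPPORTED_VERSIONS:
                return [struct.unpack(">H", data[i:i + 2])[0]
                        for i in range(1, 1 + data[0], 2)]
    # Pre-1.3 negotiation: the client accepts anything up to legacy_version.
    return [v for v in (TLS12, TLS11, TLS10) if v <= legacy]

def negotiate(server_versions, client_hello):
    """Version a server enabling server_versions would select, or None (protocol_version alert)."""
    for v in offered_versions(client_hello):
        if v in server_versions:
            return v
    return None
```

Running `negotiate({TLS13}, build_client_hello(TLS12))` returns None: a TLS 1.3-only deployment simply cannot talk to that client, while a server that also enables TLS 1.2 negotiates 0x0303.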