Re: [Uta] Adoption call for draft-sheffer-uta-rfc7525bis-00

Eric Rescorla <ekr@rtfm.com> Fri, 01 May 2020 22:49 UTC

References: <004801d61bae$08a61590$19f240b0$@smyslov.net> <dfe39508-b37a-f008-91d3-cb36bcb84ae1@network-heretics.com>
In-Reply-To: <dfe39508-b37a-f008-91d3-cb36bcb84ae1@network-heretics.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Fri, 01 May 2020 15:48:39 -0700
Message-ID: <CABcZeBP0_Jq1v9j5pDL4Ne_+5CyXuimJq90MLGzNME9zoHh2bw@mail.gmail.com>
To: Keith Moore <moore@network-heretics.com>
Cc: uta@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/uta/w51x7QY_uNWVauEsPY00WPhlwtU>

On Thu, Apr 30, 2020 at 7:59 PM Keith Moore <moore@network-heretics.com>
wrote:

> People do not always have the luxury of upgrading their clients and
> servers to versions that support the recent TLS. Some legacy hardware
> has firmware that cannot be upgraded because no upgrades are
> available. Service providers do not always have the leverage to insist
> that their customers upgrade, or the luxury of abandoning customers. etc.
>

Somewhat tangentially from the topic at hand: if you are running a piece of
hardware that cannot upgrade its TLS stack at all, you quite likely have a
number of serious unpatched vulnerabilities, and should reconsider whether
it is safe to have that hardware attached to the Internet. Of course, you
might be running some ESR software where you can only take security
releases, in which case this does not apply.

> I also think it's odd that there are recommendations like this that say
> "don't support TLS x.y" but say nothing about not supporting cleartext
> for protocols that still have a cleartext mode. Even SSL 1.0 is
> probably better than cleartext (at least from a security perspective, if
> not from a support burden perspective) as long as it's not trusted to be
> secure.
>

While perhaps technically true, for the reasons above I believe this to be
irrelevant: TLS 1.2 is nearly 12 years old. At this point, any
implementation which does not support it should be presumed to be insecure
regardless of our opinion on the specific protocols it supports.

-Ekr