Re: [Last-Call] Last Call: Moving single-DES and IDEA TLS ciphersuites to Historic

This seems like a thin argument. These systems have had decades to be upgraded. If they weren’t upgraded before, why would they be now?

Also, anything that’s that deeply old is being operated by someone who can transfer the file to their modern Mac and then ftp it over to the ancient iron.

And finally, we are deprecating the cipher suites. People in this situation can simply use old vulnerable software with the ancient ciphersuites on the update server. But this is a bad outcome because the update is now an attack vector. Better to use a secure browser and ftp for the last mile.

> On Nov 16, 2020, at 14:48, Keith Moore <moore@xxxxxxxxxxxxxxxxxxxx> wrote:
> 
> On 11/10/20 1:02 PM, John C Klensin wrote:
> 
>> For all of the obvious reasons, I think reclassifying these
>> documents to historic is a good idea.  _However_ if we are
>> really trying to say "don't use these, they are obsolete and
>> unsafe" rather than just "no current specification refers to
>> them but do what you like", I believe that it would be better to
>> publish a short RFC explaining the issues with them rather than
>> simply making a datatracker note that points to a "supporting
>> document", particularly one that doesn't actually say much of
>> anything.
> 
> I agree that some sort of RFC is appropriate.   One of my growing concerns is that deprecating old TLS ciphersuites is breaking old systems that are still in use, and actually preventing them from having any of their software upgraded, because there are no web browsers that run on those systems that support the ciphersuites used by current servers.
> 
> So IMO, simply saying "don't use these" is NOT good advice, and instead the advice should be something like "treat these ciphersuites as if they were unencrypted connections".   I realize that this will make the purists uncomfortable, but I think the discussion needs to be had.
> 
> Keith
> 
> 
> -- 
> last-call mailing list
> last-call@xxxxxxxx
> https://www.ietf.org/mailman/listinfo/last-call

-- 
last-call mailing list
last-call@xxxxxxxx
https://www.ietf.org/mailman/listinfo/last-call
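The thread above argues over what operators should do with single-DES and IDEA suites once they are Historic. The following is an added example (not code from this list or from the IETF documents under discussion) showing how an operator-side check could implement the "treat these as unencrypted" policy: it parses an OpenSSL-style or IANA-style cipher list, flags every single-DES and IDEA suite, and returns a cleaned list. The regexes, function names and the sample cipher string are this example's own constructions; 3DES is deliberately left alone because the Last Call only covers single DES and IDEA.

```python
"""Audit a TLS cipher list for the single-DES and IDEA suites being moved to Historic.

Added example, not code from the IETF discussion. Suite names may be in
OpenSSL form (DES-CBC-SHA, IDEA-CBC-SHA) or IANA form
(TLS_RSA_WITH_DES_CBC_SHA, TLS_RSA_WITH_IDEA_CBC_SHA).
"""
import re

# Single DES appears as "DES-CBC" / "DES_CBC". Triple DES is written
# "DES-CBC3" by OpenSSL and "3DES_EDE_CBC" by IANA, so the lookaround
# excludes a following "3" and the IANA form never contains "DES_CBC".
_SINGLE_DES = re.compile(r"(?<!3)DES[-_]CBC(?!3)")
_IDEA = re.compile(r"IDEA")

# Policy label applied to the Historic suites: treat as no confidentiality.
HISTORIC_LABEL = "unencrypted-equivalent"


def classify_suite(name: str) -> str:
    """Return 'single-des', 'idea', or 'ok' for one suite name."""
    upper = name.strip().upper()
    if _SINGLE_DES.search(upper):
        return "single-des"
    if _IDEA.search(upper):
        return "idea"
    return "ok"


def split_cipher_list(cipher_list: str) -> list:
    """Split an OpenSSL-style (':') or comma-separated cipher string."""
    return [s for s in re.split(r"[:,\s]+", cipher_list) if s]


def audit_cipher_list(cipher_list: str) -> dict:
    """Separate Historic suites from the rest and attach the policy label.

    Returns {'historic': [(name, reason), ...], 'accepted': [...],
             'policy': HISTORIC_LABEL}.
    """
    historic, accepted = [], []
    for suite in split_cipher_list(cipher_list):
        verdict = classify_suite(suite)
        if verdict == "ok":
            accepted.append(suite)
        else:
            historic.append((suite, verdict))
    return {"historic": historic, "accepted": accepted, "policy": HISTORIC_LABEL}


def strip_historic(cipher_list: str) -> str:
    """Return the cipher string with single-DES and IDEA suites removed."""
    return ":".join(audit_cipher_list(cipher_list)["accepted"])


# Constructed sample: a mixed legacy cipher string as an old server might carry.
SAMPLE_CIPHER_LIST = (
    "ECDHE-RSA-AES128-GCM-SHA256:DES-CBC3-SHA:DES-CBC-SHA:"
    "IDEA-CBC-SHA:EXP-DES-CBC-SHA"
)

if __name__ == "__main__":
    report = audit_cipher_list(SAMPLE_CIPHER_LIST)
    for suite, reason in report["historic"]:
        print(f"{suite}: {reason} -> treat as {report['policy']}")
    print("cleaned list:", strip_historic(SAMPLE_CIPHER_LIST))
```

Running it against the constructed sample flags DES-CBC-SHA, IDEA-CBC-SHA and EXP-DES-CBC-SHA while leaving the AES-GCM and 3DES suites in place, which is the narrow scope of this Last Call; an operator who prefers the "unencrypted" interpretation from the thread can log the `policy` label rather than removing the suites.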