Re: [Last-Call] [TLS] Last Call: <draft-ietf-tls-oldversions-deprecate-09.txt> (Deprecating TLSv1.0 and TLSv1.1) to Best Current Practice

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 




Hi Eliot,

On 28/11/2020 10:45, Eliot Lear wrote:
Hi there IESG

I support the intent of this document, and I think the approach to
update the various documents listed is the right one.

Cool.

Because of the breadth of documents updated, I wonder if at least
some implementation guidance is warranted, in order to assist
developers and even perhaps administrators.  Perhaps in some cases
these are compile-time or even run time options.  I’d suggest
guidance for common libraries, such as Microsoft .NET, OpenSSL,
GNUTLS, and WolfSSL. Better to give that guidance to get people to
TLS 1.3 rather than 1.2, of course.  Even informational references
would be fine, as assuredly some of this guidance exists.

Text welcomed of course, but I think it's mostly a case of
doing the s/w update for the library and then either waiting
'till the library developer defaults to TLSv1.2 or better, or
else various config file or API options that don't differ
that much from library to library. I can check it out before
we're done (again, text welcome if someone else wants to do
that), but not sure it'll be that useful in the end TBH.
(I'll get back when I get to doing that.)

Cheers,
S.


Thanks,

Eliot




On 9 Nov 2020, at 23:26, The IESG <iesg-secretary@xxxxxxxx> wrote:


The IESG has received a request from the Transport Layer Security
WG (tls) to consider the following document: - 'Deprecating TLSv1.0
and TLSv1.1' <draft-ietf-tls-oldversions-deprecate-09.txt> as Best
Current Practice

The IESG plans to make a decision in the next few weeks, and
solicits final comments on this action. Please send substantive
comments to the last-call@xxxxxxxx mailing lists by 2020-11-30.
Exceptionally, comments may be sent to iesg@xxxxxxxx instead. In
either case, please retain the beginning of the Subject line to
allow automated sorting.

Abstract


This document, if approved, formally deprecates Transport Layer Security (TLS) versions 1.0 (RFC 2246) and 1.1 (RFC 4346). Accordingly, those documents (will be moved|have been moved) to Historic status. These versions lack support for current and recommended cryptographic algorithms and mechanisms, and various government and industry profiles of applications using TLS now mandate avoiding these old TLS versions. TLSv1.2 has been the recommended version for IETF protocols since 2008, providing sufficient time to transition away from older versions. Removing support for older versions from implementations reduces the attack surface, reduces opportunity for misconfiguration, and streamlines library and product maintenance.

This document also deprecates Datagram TLS (DTLS) version 1.0 (RFC6347), but not DTLS version 1.2, and there is no DTLS version 1.1.

This document updates many RFCs that normatively refer to TLSv1.0
or TLSv1.1 as described herein.  This document also updates the
best practices for TLS usage in RFC 7525 and hence is part of
BCP195.




The file can be obtained via https://datatracker.ietf.org/doc/draft-ietf-tls-oldversions-deprecate/





No IPR declarations have been submitted directly on this I-D.


The document contains these normative downward references. See RFC
3967 for additional information: rfc5024: ODETTE File Transfer
Protocol 2.0 (Informational - Independent Submission Editor
stream) rfc5024: ODETTE File Transfer Protocol 2.0 (Informational -
Independent Submission Editor stream) rfc5023: The Atom Publishing
Protocol (Proposed Standard - IETF stream) rfc5019: The Lightweight
Online Certificate Status Protocol (OCSP) Profile for High-Volume
Environments (Proposed Standard - IETF stream) rfc5019: The
Lightweight Online Certificate Status Protocol (OCSP) Profile for
High-Volume Environments (Proposed Standard - IETF stream) rfc5018:
Connection Establishment in the Binary Floor Control Protocol
(BFCP) (Proposed Standard - IETF stream) rfc4992: XML Pipelining
with Chunks for the Internet Registry Information Service (Proposed
Standard - IETF stream) rfc4992: XML Pipelining with Chunks for the
Internet Registry Information Service (Proposed Standard - IETF
stream) rfc4976: Relay Extensions for the Message Sessions Relay
Protocol (MSRP) (Proposed Standard - IETF stream) rfc4975: The
Message Session Relay Protocol (MSRP) (Proposed Standard - IETF
stream) rfc4975: The Message Session Relay Protocol (MSRP)
(Proposed Standard - IETF stream) rfc4964: The P-Answer-State
Header Extension to the Session Initiation Protocol for the Open
Mobile Alliance Push to Talk over Cellular (Informational - IETF
stream) rfc4964: The P-Answer-State Header Extension to the Session
Initiation Protocol for the Open Mobile Alliance Push to Talk over
Cellular (Informational - IETF stream) rfc4851: The Flexible
Authentication via Secure Tunneling Extensible Authentication
Protocol Method (EAP-FAST) (Informational - IETF stream) rfc4851:
The Flexible Authentication via Secure Tunneling Extensible
Authentication Protocol Method (EAP-FAST) (Informational - IETF
stream) rfc4823: FTP Transport for Secure Peer-to-Peer Business
Data Interchange over the Internet (Informational - IETF stream) rfc4823: FTP Transport for Secure Peer-to-Peer Business Data Interchange over the Internet (Informational - IETF stream) rfc4791: Calendaring Extensions to WebDAV (CalDAV) (Proposed
Standard - IETF stream) rfc4791: Calendaring Extensions to WebDAV
(CalDAV) (Proposed Standard - IETF stream) rfc4785: Pre-Shared Key
(PSK) Ciphersuites with NULL Encryption for Transport Layer
Security (TLS) (Proposed Standard - IETF stream) rfc4785:
Pre-Shared Key (PSK) Ciphersuites with NULL Encryption for
Transport Layer Security (TLS) (Proposed Standard - IETF stream) rfc4744: Using the NETCONF Protocol over the Blocks Extensible
Exchange Protocol (BEEP) (Historic - IETF stream) rfc4744: Using
the NETCONF Protocol over the Blocks Extensible Exchange Protocol
(BEEP) (Historic - IETF stream) rfc4743: Using NETCONF over the
Simple Object Access Protocol (SOAP) (Historic - IETF stream) rfc4743: Using NETCONF over the Simple Object Access Protocol
(SOAP) (Historic - IETF stream) rfc4732: Internet Denial-of-Service
Considerations (Informational - IAB stream) rfc4732: Internet
Denial-of-Service Considerations (Informational - IAB stream) rfc4712: Transport Mappings for Real-time Application
Quality-of-Service Monitoring (RAQMON) Protocol Data Unit (PDU)
(Proposed Standard - IETF stream) rfc4712: Transport Mappings for
Real-time Application Quality-of-Service Monitoring (RAQMON)
Protocol Data Unit (PDU) (Proposed Standard - IETF stream) rfc4681:
TLS User Mapping Extension (Proposed Standard - IETF stream) rfc4680: TLS Handshake Message for Supplemental Data (Proposed
Standard - IETF stream) rfc4680: TLS Handshake Message for
Supplemental Data (Proposed Standard - IETF stream) rfc4642: Using
Transport Layer Security (TLS) with Network News Transfer Protocol
(NNTP) (Proposed Standard - IETF stream) rfc4642: Using Transport
Layer Security (TLS) with Network News Transfer Protocol (NNTP)
(Proposed Standard - IETF stream) rfc4616: The PLAIN Simple
Authentication and Security Layer (SASL) Mechanism (Proposed
Standard - IETF stream) rfc4616: The PLAIN Simple Authentication
and Security Layer (SASL) Mechanism (Proposed Standard - IETF
stream) rfc4582: The Binary Floor Control Protocol (BFCP) (Proposed
Standard - IETF stream) rfc4582: The Binary Floor Control Protocol
(BFCP) (Proposed Standard - IETF stream) rfc4540: NEC's Simple
Middlebox Configuration (SIMCO) Protocol Version 3.0 (Experimental
- Independent Submission Editor stream) rfc4540: NEC's Simple
Middlebox Configuration (SIMCO) Protocol Version 3.0 (Experimental
- Independent Submission Editor stream) rfc4531: Lightweight
Directory Access Protocol (LDAP) Turn Operation (Experimental -
IETF stream) rfc4513: Lightweight Directory Access Protocol (LDAP):
Authentication Methods and Security Mechanisms (Proposed Standard -
IETF stream) rfc3436: Transport Layer Security over Stream Control
Transmission Protocol (Proposed Standard - IETF stream) rfc3436:
Transport Layer Security over Stream Control Transmission Protocol
(Proposed Standard - IETF stream) rfc3329: Security Mechanism
Agreement for the Session Initiation Protocol (SIP) (Proposed
Standard - IETF stream) rfc3329: Security Mechanism Agreement for
the Session Initiation Protocol (SIP) (Proposed Standard - IETF
stream) rfc3261: SIP: Session Initiation Protocol (Proposed
Standard - IETF stream) rfc3261: SIP: Session Initiation Protocol
(Proposed Standard - IETF stream) rfc2246: The TLS Protocol Version
1.0 (Proposed Standard - IETF stream) rfc6749: The OAuth 2.0
Authorization Framework (Proposed Standard - IETF stream) rfc6739:
Synchronizing Service Boundaries and <mapping> Elements Based on
the Location-to-Service Translation (LoST) Protocol (Experimental -
IETF stream) rfc6739: Synchronizing Service Boundaries and
<mapping> Elements Based on the Location-to-Service Translation
(LoST) Protocol (Experimental - IETF stream) rfc6367: Addition of
the Camellia Cipher Suites to Transport Layer Security (TLS)
(Informational - IETF stream) rfc6367: Addition of the Camellia
Cipher Suites to Transport Layer Security (TLS) (Informational -
IETF stream) rfc6176: Prohibiting Secure Sockets Layer (SSL)
Version 2.0 (Proposed Standard - IETF stream) rfc6176: Prohibiting
Secure Sockets Layer (SSL) Version 2.0 (Proposed Standard - IETF
stream) rfc6042: Transport Layer Security (TLS) Authorization Using
KeyNote (Informational - Independent Submission Editor stream) rfc5878: Transport Layer Security (TLS) Authorization Extensions
(Experimental - IETF stream) rfc5469: DES and IDEA Cipher Suites
for Transport Layer Security (TLS) (Informational - IETF stream) rfc5469: DES and IDEA Cipher Suites for Transport Layer Security
(TLS) (Informational - IETF stream) rfc5422: Dynamic Provisioning
Using Flexible Authentication via Secure Tunneling Extensible
Authentication Protocol (EAP-FAST) (Informational - IETF stream) rfc5422: Dynamic Provisioning Using Flexible Authentication via
Secure Tunneling Extensible Authentication Protocol (EAP-FAST)
(Informational - IETF stream) rfc5364: Extensible Markup Language
(XML) Format Extension for Representing Copy Control Attributes in
Resource Lists (Proposed Standard - IETF stream) rfc5364:
Extensible Markup Language (XML) Format Extension for Representing
Copy Control Attributes in Resource Lists (Proposed Standard - IETF
stream) rfc5281: Extensible Authentication Protocol Tunneled
Transport Layer Security Authenticated Protocol Version 0
(EAP-TTLSv0) (Informational - IETF stream) rfc5281: Extensible
Authentication Protocol Tunneled Transport Layer Security
Authenticated Protocol Version 0 (EAP-TTLSv0) (Informational - IETF
stream) rfc5263: Session Initiation Protocol (SIP) Extension for
Partial Notification of Presence Information (Proposed Standard -
IETF stream) rfc5263: Session Initiation Protocol (SIP) Extension
for Partial Notification of Presence Information (Proposed Standard
- IETF stream) rfc5238: Datagram Transport Layer Security (DTLS)
over the Datagram Congestion Control Protocol (DCCP) (Proposed
Standard - IETF stream) rfc5216: The EAP-TLS Authentication
Protocol (Proposed Standard - IETF stream) rfc5216: The EAP-TLS
Authentication Protocol (Proposed Standard - IETF stream) rfc5158:
6to4 Reverse DNS Delegation Specification (Informational - IETF
stream) rfc5091: Identity-Based Cryptography Standard (IBCS) #1:
Supersingular Curve Implementations of the BF and BB1 Cryptosystems
(Informational - IETF stream) rfc5054: Using the Secure Remote
Password (SRP) Protocol for TLS Authentication (Informational -
IETF stream) rfc5054: Using the Secure Remote Password (SRP)
Protocol for TLS Authentication (Informational - IETF stream) rfc5049: Applying Signaling Compression (SigComp) to the Session Initiation Protocol (SIP) (Proposed Standard - IETF stream) rfc3501: INTERNET MESSAGE ACCESS PROTOCOL - VERSION 4rev1 (Proposed
Standard - IETF stream) rfc3501: INTERNET MESSAGE ACCESS PROTOCOL -
VERSION 4rev1 (Proposed Standard - IETF stream) rfc4346: The
Transport Layer Security (TLS) Protocol Version 1.1 (Proposed
Standard - IETF stream) rfc2246: The TLS Protocol Version 1.0
(Proposed Standard - IETF stream) rfc4346: The Transport Layer
Security (TLS) Protocol Version 1.1 (Proposed Standard - IETF
stream) rfc4279: Pre-Shared Key Ciphersuites for Transport Layer
Security (TLS) (Proposed Standard - IETF stream) rfc4261: Common
Open Policy Service (COPS) Over Transport Layer Security (TLS)
(Proposed Standard - IETF stream) rfc4235: An INVITE-Initiated
Dialog Event Package for the Session Initiation Protocol (SIP)
(Proposed Standard - IETF stream) rfc4235: An INVITE-Initiated
Dialog Event Package for the Session Initiation Protocol (SIP)
(Proposed Standard - IETF stream) rfc4217: Securing FTP with TLS
(Proposed Standard - IETF stream) rfc4168: The Stream Control
Transmission Protocol (SCTP) as a Transport for the Session
Initiation Protocol (SIP) (Proposed Standard - IETF stream) rfc4162: Addition of SEED Cipher Suites to Transport Layer Security
(TLS) (Proposed Standard - IETF stream) rfc4111: Security Framework
for Provider-Provisioned Virtual Private Networks (PPVPNs)
(Informational - IETF stream) rfc4097: Middlebox Communications
(MIDCOM) Protocol Evaluation (Informational - IETF stream) rfc4097:
Middlebox Communications (MIDCOM) Protocol Evaluation
(Informational - IETF stream) rfc3983: Using the Internet Registry
Information Service (IRIS) over the Blocks Extensible Exchange
Protocol (BEEP) (Proposed Standard - IETF stream) rfc3943:
Transport Layer Security (TLS) Protocol Compression Using
Lempel-Ziv-Stac (LZS) (Informational - IETF stream) rfc3903:
Session Initiation Protocol (SIP) Extension for Event State
Publication (Proposed Standard - IETF stream) rfc6749: The OAuth
2.0 Authorization Framework (Proposed Standard - IETF stream) rfc3887: Message Tracking Query Protocol (Proposed Standard - IETF
stream) rfc3871: Operational Security Requirements for Large
Internet Service Provider (ISP) IP Network Infrastructure
(Informational - IETF stream) rfc3871: Operational Security
Requirements for Large Internet Service Provider (ISP) IP Network
Infrastructure (Informational - IETF stream) rfc3856: A Presence
Event Package for the Session Initiation Protocol (SIP) (Proposed
Standard - IETF stream) rfc3767: Securely Available Credentials
Protocol (Proposed Standard - IETF stream) rfc3749: Transport Layer
Security Protocol Compression Methods (Proposed Standard - IETF
stream) rfc3749: Transport Layer Security Protocol Compression
Methods (Proposed Standard - IETF stream) rfc3656: The Mailbox
Update (MUPDATE) Distributed Mailbox Database Protocol
(Experimental - Independent Submission Editor stream) rfc3568:
Known Content Network (CN) Request-Routing Mechanisms
(Informational - IETF stream) rfc6750: The OAuth 2.0 Authorization
Framework: Bearer Token Usage (Proposed Standard - IETF stream) rfc6750: The OAuth 2.0 Authorization Framework: Bearer Token Usage
(Proposed Standard - IETF stream) rfc7030: Enrollment over Secure
Transport (Proposed Standard - IETF stream) rfc7030: Enrollment
over Secure Transport (Proposed Standard - IETF stream) rfc7465:
Prohibiting RC4 Cipher Suites (Proposed Standard - IETF stream) rfc7465: Prohibiting RC4 Cipher Suites (Proposed Standard - IETF
stream) rfc7507: TLS Fallback Signaling Cipher Suite Value (SCSV)
for Preventing Protocol Downgrade Attacks (Proposed Standard - IETF
stream) rfc7507: TLS Fallback Signaling Cipher Suite Value (SCSV)
for Preventing Protocol Downgrade Attacks (Proposed Standard - IETF
stream) rfc7562: Transport Layer Security (TLS) Authorization Using
Digital Transmission Content Protection (DTCP) Certificates
(Informational - Independent Submission Editor stream) rfc7562:
Transport Layer Security (TLS) Authorization Using Digital
Transmission Content Protection (DTCP) Certificates (Informational
- Independent Submission Editor stream) rfc7568: Deprecating Secure
Sockets Layer Version 3.0 (Proposed Standard - IETF stream) rfc7568: Deprecating Secure Sockets Layer Version 3.0 (Proposed
Standard - IETF stream) rfc8422: Elliptic Curve Cryptography (ECC)
Cipher Suites for Transport Layer Security (TLS) Versions 1.2 and
Earlier (Proposed Standard - IETF stream) rfc8422: Elliptic Curve
Cryptography (ECC) Cipher Suites for Transport Layer Security (TLS)
Versions 1.2 and Earlier (Proposed Standard - IETF stream)




_______________________________________________ IETF-Announce
mailing list IETF-Announce@xxxxxxxx https://www.ietf.org/mailman/listinfo/ietf-announce


_______________________________________________ TLS mailing list TLS@xxxxxxxx https://www.ietf.org/mailman/listinfo/tls

Attachment: OpenPGP_0x5AB2FAF17B172BEA.asc
Description: application/pgp-keys

Attachment: OpenPGP_signature
Description: OpenPGP digital signature

-- 
last-call mailing list
last-call@xxxxxxxx
https://www.ietf.org/mailman/listinfo/last-call

[Index of Archives]     [IETF Annoucements]     [IETF]     [IP Storage]     [Yosemite News]     [Linux SCTP]     [Linux Newbies]     [Mhonarc]     [Fedora Users]

  Powered by Linux