If we're looking for precedent and support, the Canadian government recently (like in the last week or two) issued a policy requiring TLS 1.0 and 1.1 be disabled:

https://www.canada.ca/en/treasury-board-secretariat/services/information-technology/policy-implementation-notices/implementing-https-secure-web-connections-itpin.html

It's effective immediately for new services, and has a deadline of September 30, 2019 for existing services.

-- Eric

On Mon, Jul 9, 2018 at 3:02 PM Loganaden Velvindron <logana...@gmail.com> wrote:

> On Mon, Jul 9, 2018 at 8:54 PM, Eric Rescorla <e...@rtfm.com> wrote:
> > Thanks for writing this.
> >
> > I would be in favor of deprecating old versions of TLS prior to 1.2. Firefox
> > Telemetry shows that about 1% of our connections are TLS 1.1 (on the same
> > data set, TLS 1.3 is > 5%), and TLS 1.1 is negligible.
> >
> > This is probably a higher number than we'd be comfortable turning off
> > immediately, but it is probably worth starting the process.
> >
>
> I'm also in favour. Many banks/institutions in developing countries are
> moving to deprecate tls v1.0 and tls v1.1.
>
> As I commented on github:
> SSLpulse shows how many top websites support tls 1.2 (92.8%) and this
> number is increasing (0.5%):
>
> https://www.ssllabs.com/ssl-pulse/
>
> KeyCDN and digicert have also announced their intentions to deprecate
> tls 1.0 and tls 1.1.
>
> https://github.com/sftcd/tls-oldversions-diediedie/commit/a0d6c160d922bd7f52a917884823114c90932291
>
> >
> > -Ekr
> >
> >
> > On Mon, Jul 9, 2018 at 9:40 AM, Kathleen Moriarty
> > <kathleen.moriarty.i...@gmail.com> wrote:
> >>
> >> Hello,
> >>
> >> Stephen and I posted the draft below to see if the TLS working group
> >> is ready to take steps to deprecate TLSv1.0 and TLSv1.1. There has
> >> been a recent drop off in usage for web applications due to the PCI
> >> Council recommendation to move off TLSv1.0, with a recommendation to
> >> go to TLSv1.2 by June 30th. NIST has also been recommending TLSv1.2
> >> as a baseline. Applications other than those using HTTP may not have
> >> had the same reduction in usage. If you are responsible for services
> >> where you have a reasonable vantage point to gather and share
> >> statistics to assess usage further, that could be helpful for the
> >> discussion. We've received some feedback that has been incorporated
> >> into the working draft and feelers in general have been positive. It
> >> would be good to know if there are any show stoppers that have not
> >> been considered.
> >>
> >> https://github.com/sftcd/tls-oldversions-diediedie
> >>
> >> Thanks in advance,
> >> Kathleen
> >>
> >>
> >> ---------- Forwarded message ----------
> >> From: <internet-dra...@ietf.org>
> >> Date: Mon, Jun 18, 2018 at 3:05 PM
> >> Subject: New Version Notification for
> >> draft-moriarty-tls-oldversions-diediedie-00.txt
> >> To: Stephen Farrell <stephen.farr...@cs.tcd.ie>, Kathleen Moriarty
> >> <kathleen.moriarty.i...@gmail.com>
> >>
> >>
> >> A new version of I-D, draft-moriarty-tls-oldversions-diediedie-00.txt
> >> has been successfully submitted by Stephen Farrell and posted to the
> >> IETF repository.
> >>
> >> Name: draft-moriarty-tls-oldversions-diediedie
> >> Revision: 00
> >> Title: Deprecating TLSv1.0 and TLSv1.1
> >> Document date: 2018-06-18
> >> Group: Individual Submission
> >> Pages: 10
> >> URL: https://www.ietf.org/internet-drafts/draft-moriarty-tls-oldversions-diediedie-00.txt
> >> Status: https://datatracker.ietf.org/doc/draft-moriarty-tls-oldversions-diediedie/
> >> Htmlized: https://tools.ietf.org/html/draft-moriarty-tls-oldversions-diediedie-00
> >> Htmlized: https://datatracker.ietf.org/doc/html/draft-moriarty-tls-oldversions-diediedie
> >>
> >>
> >> Abstract:
> >> This document [if approved] formally deprecates Transport Layer
> >> Security (TLS) versions 1.0 [RFC2246] and 1.1 [RFC4346] and moves
> >> these documents to the historic state. These versions lack support
> >> for current and recommended cipher suites, and various government and
> >> industry profiles of applications using TLS now mandate avoiding
> >> these old TLS versions. TLSv1.2 has been the recommended version for
> >> IETF protocols since 2008, providing sufficient time to transition
> >> away from older versions. Products having to support older versions
> >> increase the attack surface unnecessarily and increase opportunities
> >> for misconfigurations. Supporting these older versions also requires
> >> additional effort for library and product maintenance.
> >>
> >> This document updates the backward compatibility sections of TLS RFCs
> >> [[list TBD]] to prohibit fallback to TLSv1.0 and TLSv1.1. This
> >> document also updates RFC 7525.
> >>
> >>
> >> Please note that it may take a couple of minutes from the time of
> >> submission until the htmlized version and diff are available at
> >> tools.ietf.org.
> >>
> >> The IETF Secretariat
> >>
> >>
> >> --
> >>
> >> Best regards,
> >> Kathleen
>
--
konklone.com | @konklone <https://twitter.com/konklone>

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
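Kathleen asks operators with a vantage point to gather usage statistics, and the draft prohibits fallback to TLSv1.0 and TLSv1.1. As an added example (not code from the thread, the draft, or any project named in it), the Python below computes the share of connections per negotiated version from constructed nginx-style access-log lines, where the trailing field is assumed to be the `$ssl_protocol` variable, and builds a server `SSLContext` whose protocol floor is TLS 1.2, with a check that a context no longer admits the legacy versions.

```python
import ssl
from collections import Counter

# Constructed nginx-style access-log lines (not taken from the thread). The
# trailing field is assumed to be nginx's $ssl_protocol variable, which a
# custom log_format can append to each request line.
SAMPLE_LOG = """\
10.0.0.1 - - [09/Jul/2018:15:02:11 +0000] "GET / HTTP/1.1" 200 512 TLSv1.2
10.0.0.2 - - [09/Jul/2018:15:02:12 +0000] "GET /a HTTP/1.1" 200 99 TLSv1.3
10.0.0.3 - - [09/Jul/2018:15:02:13 +0000] "POST /b HTTP/1.1" 200 10 TLSv1.1
10.0.0.4 - - [09/Jul/2018:15:02:14 +0000] "GET /c HTTP/1.1" 200 42 TLSv1.2
10.0.0.5 - - [09/Jul/2018:15:02:15 +0000] "GET /d HTTP/1.1" 200 42 TLSv1
"""

# Versions the draft deprecates (nginx logs TLS 1.0 as "TLSv1"); SSLv3 is
# included because a server still offering it has the same problem.
LEGACY_VERSIONS = {"SSLv3", "TLSv1", "TLSv1.1"}

def tls_version_shares(log_text: str) -> dict:
    """Fraction of logged connections per negotiated protocol version."""
    counts = Counter()
    for line in log_text.splitlines():
        fields = line.split()
        if fields:
            counts[fields[-1]] += 1
    total = sum(counts.values())
    return {version: n / total for version, n in counts.items()} if total else {}

def legacy_share(log_text: str) -> float:
    """Fraction of connections that would break once TLS < 1.2 is disabled."""
    shares = tls_version_shares(log_text)
    return sum(s for v, s in shares.items() if v in LEGACY_VERSIONS)

def accepts_legacy_versions(ctx: ssl.SSLContext) -> bool:
    """True if the context's floor still admits TLS 1.1 or older."""
    return ctx.minimum_version < ssl.TLSVersion.TLSv1_2

def hardened_server_context() -> ssl.SSLContext:
    """Server context whose protocol floor is TLS 1.2 (no 1.0/1.1 fallback)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx

if __name__ == "__main__":
    for version, share in sorted(tls_version_shares(SAMPLE_LOG).items()):
        print(f"{version:<8} {share:.1%}")
    print(f"legacy share: {legacy_share(SAMPLE_LOG):.1%}")
    print("hardened context accepts legacy:", accepts_legacy_versions(hardened_server_context()))
```

Run against a real log with `$ssl_protocol` appended, the legacy share is the number to compare with the roughly 1% Firefox telemetry figure cited above before flipping the floor to TLS 1.2.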