From: Benjamin Kaduk <bka...@akamai.com>
Sent: 11 August 2020 18:06

On Wed, Aug 05, 2020 at 10:30:39AM +0000, tom petch wrote:
> From: TLS <tls-boun...@ietf.org> on behalf of Christopher Wood <c...@heapingbits.net>
> Sent: 04 August 2020 19:16
>
> The official minutes are now up:
>
> https://datatracker.ietf.org/doc/minutes-108-tls/
>
> <tp>
> What is Benjamin talking about at the end?
>
> It looks as if you are proposing action on all or some RFCs that have TLS 1.0
> or 1.1 as MTI, related to oldversions-deprecate, but that is a guess from
> reading between the lines, and that topic is a live one for me, so I would
> appreciate clarity.

oldversions-deprecate is already taking action on all RFCs that have TLS 1.0 or 1.1 as MTI (there are some 80-odd documents in the Updates: header). The particular items I was mentioning in the meeting relate to various subsets of those documents that may need some additional handling on top of the basic "don't use TLS 1.0/1.1; use 1.2 and 1.3 instead" that is currently the content of the updates. Details are at https://mailarchive.ietf.org/arch/msg/tls/K9_uA6m0dD_oQCw-5kAbha-Kq5M/

So:

- RFC 5469 defines DES and IDEA ciphers that are not in TLS 1.2; the document as a whole should be historic
- The downgrade-detection SCSV of RFC 7507 is probably in a similar boat
- We should be more clear about "if the document being updated says you MUST use TLS 1.0/1.1, that part is removed"

<tp>
Benjamin

This is the bit I could not guess; the rest of the minutes I could guess, but your explanation is much easier to understand.

I have been tracking 'diediedie', including the AD review, since it first appeared, and more a comment on that for Kathleen and Stephen is that RFC5953 does not get a mention, although since it is Obsoleted and the Normative Reference is to RFC4347, that is a category that does not seem to fit in any of the paragraphs of the I-D; Obsolete and TLS 1.0 yes, Obsolete and DTLS 1.0 no.

RFC6353 I did expect to find; Internet Standard, STD0078, Normative Reference to RFC4347; the Security Considerations of that RFC say 'MUST NOT negotiate SSL 2.0', which might not be considered sufficiently strong for 2020, but how do you update a Standard?

Tom Petch

- No change proposed w.r.t. MTI ciphers (even though the old MTI ciphers are no longer considered very good)

Were there additional specific items you were unsure about?

-Ben

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls