Hi Eliot,

Thanks for raising your concern.  I’ll note that I first started working on 
this because a well-deployed library already had plans to drop support for 
versions 1.0 and 1.1 in their next release.  Customers that wanted those 
versions would have to use a prior library. This history may help.

Best regards,
Kathleen 

Sent from my mobile device

> On Nov 28, 2020, at 10:26 AM, Stephen Farrell <stephen.farr...@cs.tcd.ie> 
> wrote:
> 
> 
> Hi Eliot,
> 
>> On 28/11/2020 10:45, Eliot Lear wrote:
>> Hi there IESG
>> I support the intent of this document, and I think the approach to
>> update the various documents listed is the right one.
> 
> Cool.
> 
>> Because of the breadth of documents updated, I wonder if at least
>> some implementation guidance is warranted, in order to assist
>> developers and even perhaps administrators.  Perhaps in some cases
>> these are compile-time or even run time options.  I’d suggest
>> guidance for common libraries, such as Microsoft .NET, OpenSSL,
>> GNUTLS, and WolfSSL. Better to give that guidance to get people to
>> TLS 1.3 rather than 1.2, of course.  Even informational references
>> would be fine, as assuredly some of this guidance exists.
> 
> Text welcomed of course, but I think it's mostly a case of
> doing the s/w update for the library and then either waiting
> 'till the library developer defaults to TLSv1.2 or better, or
> else various config file or API options that don't differ
> that much from library to library. I can check it out before
> we're done (again, text welcome if someone else wants to do
> that), but not sure it'll be that useful in the end TBH.
> (I'll get back when I get to doing that.)
> 
> Cheers,
> S.
> 
>> Thanks,
>> Eliot
>> On 9 Nov 2020, at 23:26, The IESG <iesg-secret...@ietf.org> wrote:
>>> The IESG has received a request from the Transport Layer Security
>>> WG (tls) to consider the following document: - 'Deprecating TLSv1.0
>>> and TLSv1.1' <draft-ietf-tls-oldversions-deprecate-09.txt> as Best
>>> Current Practice
>>> The IESG plans to make a decision in the next few weeks, and
>>> solicits final comments on this action. Please send substantive
>>> comments to the last-c...@ietf.org mailing lists by 2020-11-30.
>>> Exceptionally, comments may be sent to i...@ietf.org instead. In
>>> either case, please retain the beginning of the Subject line to
>>> allow automated sorting.
>>> Abstract
>>> This document, if approved, formally deprecates Transport Layer Security 
>>> (TLS) versions 1.0 (RFC 2246) and 1.1 (RFC 4346). Accordingly, those 
>>> documents (will be moved|have been moved) to Historic status.  These 
>>> versions lack support for current and recommended cryptographic algorithms 
>>> and mechanisms, and various government and industry profiles of 
>>> applications using TLS now mandate avoiding these old TLS versions.  
>>> TLSv1.2 has been the recommended version for IETF protocols since 2008, 
>>> providing sufficient time to transition away from older versions.  Removing 
>>> support for older versions from implementations reduces the attack surface, 
>>> reduces opportunity for misconfiguration, and streamlines library and 
>>> product maintenance.
>>> This document also deprecates Datagram TLS (DTLS) version 1.0 (RFC6347), 
>>> but not DTLS version 1.2, and there is no DTLS version 1.1.
>>> This document updates many RFCs that normatively refer to TLSv1.0
>>> or TLSv1.1 as described herein.  This document also updates the
>>> best practices for TLS usage in RFC 7525 and hence is part of
>>> BCP195.
>>> The file can be obtained via 
>>> https://datatracker.ietf.org/doc/draft-ietf-tls-oldversions-deprecate/
>>> 
>>> No IPR declarations have been submitted directly on this I-D.
>>> The document contains these normative downward references. See RFC
>>> 3967 for additional information:
>>> rfc5024: ODETTE File Transfer Protocol 2.0 (Informational - Independent Submission Editor stream)
>>> rfc5024: ODETTE File Transfer Protocol 2.0 (Informational - Independent Submission Editor stream)
>>> rfc5023: The Atom Publishing Protocol (Proposed Standard - IETF stream)
>>> rfc5019: The Lightweight Online Certificate Status Protocol (OCSP) Profile for High-Volume Environments (Proposed Standard - IETF stream)
>>> rfc5019: The Lightweight Online Certificate Status Protocol (OCSP) Profile for High-Volume Environments (Proposed Standard - IETF stream)
>>> rfc5018: Connection Establishment in the Binary Floor Control Protocol (BFCP) (Proposed Standard - IETF stream)
>>> rfc4992: XML Pipelining with Chunks for the Internet Registry Information Service (Proposed Standard - IETF stream)
>>> rfc4992: XML Pipelining with Chunks for the Internet Registry Information Service (Proposed Standard - IETF stream)
>>> rfc4976: Relay Extensions for the Message Sessions Relay Protocol (MSRP) (Proposed Standard - IETF stream)
>>> rfc4975: The Message Session Relay Protocol (MSRP) (Proposed Standard - IETF stream)
>>> rfc4975: The Message Session Relay Protocol (MSRP) (Proposed Standard - IETF stream)
>>> rfc4964: The P-Answer-State Header Extension to the Session Initiation Protocol for the Open Mobile Alliance Push to Talk over Cellular (Informational - IETF stream)
>>> rfc4964: The P-Answer-State Header Extension to the Session Initiation Protocol for the Open Mobile Alliance Push to Talk over Cellular (Informational - IETF stream)
>>> rfc4851: The Flexible Authentication via Secure Tunneling Extensible Authentication Protocol Method (EAP-FAST) (Informational - IETF stream)
>>> rfc4851: The Flexible Authentication via Secure Tunneling Extensible Authentication Protocol Method (EAP-FAST) (Informational - IETF stream)
>>> rfc4823: FTP Transport for Secure Peer-to-Peer Business Data Interchange over the Internet (Informational - IETF stream)
>>> rfc4823: FTP Transport for Secure Peer-to-Peer Business Data Interchange over the Internet (Informational - IETF stream)
>>> rfc4791: Calendaring Extensions to WebDAV (CalDAV) (Proposed Standard - IETF stream)
>>> rfc4791: Calendaring Extensions to WebDAV (CalDAV) (Proposed Standard - IETF stream)
>>> rfc4785: Pre-Shared Key (PSK) Ciphersuites with NULL Encryption for Transport Layer Security (TLS) (Proposed Standard - IETF stream)
>>> rfc4785: Pre-Shared Key (PSK) Ciphersuites with NULL Encryption for Transport Layer Security (TLS) (Proposed Standard - IETF stream)
>>> rfc4744: Using the NETCONF Protocol over the Blocks Extensible Exchange Protocol (BEEP) (Historic - IETF stream)
>>> rfc4744: Using the NETCONF Protocol over the Blocks Extensible Exchange Protocol (BEEP) (Historic - IETF stream)
>>> rfc4743: Using NETCONF over the Simple Object Access Protocol (SOAP) (Historic - IETF stream)
>>> rfc4743: Using NETCONF over the Simple Object Access Protocol (SOAP) (Historic - IETF stream)
>>> rfc4732: Internet Denial-of-Service Considerations (Informational - IAB stream)
>>> rfc4732: Internet Denial-of-Service Considerations (Informational - IAB stream)
>>> rfc4712: Transport Mappings for Real-time Application Quality-of-Service Monitoring (RAQMON) Protocol Data Unit (PDU) (Proposed Standard - IETF stream)
>>> rfc4712: Transport Mappings for Real-time Application Quality-of-Service Monitoring (RAQMON) Protocol Data Unit (PDU) (Proposed Standard - IETF stream)
>>> rfc4681: TLS User Mapping Extension (Proposed Standard - IETF stream)
>>> rfc4680: TLS Handshake Message for Supplemental Data (Proposed Standard - IETF stream)
>>> rfc4680: TLS Handshake Message for Supplemental Data (Proposed Standard - IETF stream)
>>> rfc4642: Using Transport Layer Security (TLS) with Network News Transfer Protocol (NNTP) (Proposed Standard - IETF stream)
>>> rfc4642: Using Transport Layer Security (TLS) with Network News Transfer Protocol (NNTP) (Proposed Standard - IETF stream)
>>> rfc4616: The PLAIN Simple Authentication and Security Layer (SASL) Mechanism (Proposed Standard - IETF stream)
>>> rfc4616: The PLAIN Simple Authentication and Security Layer (SASL) Mechanism (Proposed Standard - IETF stream)
>>> rfc4582: The Binary Floor Control Protocol (BFCP) (Proposed Standard - IETF stream)
>>> rfc4582: The Binary Floor Control Protocol (BFCP) (Proposed Standard - IETF stream)
>>> rfc4540: NEC's Simple Middlebox Configuration (SIMCO) Protocol Version 3.0 (Experimental - Independent Submission Editor stream)
>>> rfc4540: NEC's Simple Middlebox Configuration (SIMCO) Protocol Version 3.0 (Experimental - Independent Submission Editor stream)
>>> rfc4531: Lightweight Directory Access Protocol (LDAP) Turn Operation (Experimental - IETF stream)
>>> rfc4513: Lightweight Directory Access Protocol (LDAP): Authentication Methods and Security Mechanisms (Proposed Standard - IETF stream)
>>> rfc3436: Transport Layer Security over Stream Control Transmission Protocol (Proposed Standard - IETF stream)
>>> rfc3436: Transport Layer Security over Stream Control Transmission Protocol (Proposed Standard - IETF stream)
>>> rfc3329: Security Mechanism Agreement for the Session Initiation Protocol (SIP) (Proposed Standard - IETF stream)
>>> rfc3329: Security Mechanism Agreement for the Session Initiation Protocol (SIP) (Proposed Standard - IETF stream)
>>> rfc3261: SIP: Session Initiation Protocol (Proposed Standard - IETF stream)
>>> rfc3261: SIP: Session Initiation Protocol (Proposed Standard - IETF stream)
>>> rfc2246: The TLS Protocol Version 1.0 (Proposed Standard - IETF stream)
>>> rfc6749: The OAuth 2.0 Authorization Framework (Proposed Standard - IETF stream)
>>> rfc6739: Synchronizing Service Boundaries and <mapping> Elements Based on the Location-to-Service Translation (LoST) Protocol (Experimental - IETF stream)
>>> rfc6739: Synchronizing Service Boundaries and <mapping> Elements Based on the Location-to-Service Translation (LoST) Protocol (Experimental - IETF stream)
>>> rfc6367: Addition of the Camellia Cipher Suites to Transport Layer Security (TLS) (Informational - IETF stream)
>>> rfc6367: Addition of the Camellia Cipher Suites to Transport Layer Security (TLS) (Informational - IETF stream)
>>> rfc6176: Prohibiting Secure Sockets Layer (SSL) Version 2.0 (Proposed Standard - IETF stream)
>>> rfc6176: Prohibiting Secure Sockets Layer (SSL) Version 2.0 (Proposed Standard - IETF stream)
>>> rfc6042: Transport Layer Security (TLS) Authorization Using KeyNote (Informational - Independent Submission Editor stream)
>>> rfc5878: Transport Layer Security (TLS) Authorization Extensions (Experimental - IETF stream)
>>> rfc5469: DES and IDEA Cipher Suites for Transport Layer Security (TLS) (Informational - IETF stream)
>>> rfc5469: DES and IDEA Cipher Suites for Transport Layer Security (TLS) (Informational - IETF stream)
>>> rfc5422: Dynamic Provisioning Using Flexible Authentication via Secure Tunneling Extensible Authentication Protocol (EAP-FAST) (Informational - IETF stream)
>>> rfc5422: Dynamic Provisioning Using Flexible Authentication via Secure Tunneling Extensible Authentication Protocol (EAP-FAST) (Informational - IETF stream)
>>> rfc5364: Extensible Markup Language (XML) Format Extension for Representing Copy Control Attributes in Resource Lists (Proposed Standard - IETF stream)
>>> rfc5364: Extensible Markup Language (XML) Format Extension for Representing Copy Control Attributes in Resource Lists (Proposed Standard - IETF stream)
>>> rfc5281: Extensible Authentication Protocol Tunneled Transport Layer Security Authenticated Protocol Version 0 (EAP-TTLSv0) (Informational - IETF stream)
>>> rfc5281: Extensible Authentication Protocol Tunneled Transport Layer Security Authenticated Protocol Version 0 (EAP-TTLSv0) (Informational - IETF stream)
>>> rfc5263: Session Initiation Protocol (SIP) Extension for Partial Notification of Presence Information (Proposed Standard - IETF stream)
>>> rfc5263: Session Initiation Protocol (SIP) Extension for Partial Notification of Presence Information (Proposed Standard - IETF stream)
>>> rfc5238: Datagram Transport Layer Security (DTLS) over the Datagram Congestion Control Protocol (DCCP) (Proposed Standard - IETF stream)
>>> rfc5216: The EAP-TLS Authentication Protocol (Proposed Standard - IETF stream)
>>> rfc5216: The EAP-TLS Authentication Protocol (Proposed Standard - IETF stream)
>>> rfc5158: 6to4 Reverse DNS Delegation Specification (Informational - IETF stream)
>>> rfc5091: Identity-Based Cryptography Standard (IBCS) #1: Supersingular Curve Implementations of the BF and BB1 Cryptosystems (Informational - IETF stream)
>>> rfc5054: Using the Secure Remote Password (SRP) Protocol for TLS Authentication (Informational - IETF stream)
>>> rfc5054: Using the Secure Remote Password (SRP) Protocol for TLS Authentication (Informational - IETF stream)
>>> rfc5049: Applying Signaling Compression (SigComp) to the Session Initiation Protocol (SIP) (Proposed Standard - IETF stream)
>>> rfc3501: INTERNET MESSAGE ACCESS PROTOCOL - VERSION 4rev1 (Proposed Standard - IETF stream)
>>> rfc3501: INTERNET MESSAGE ACCESS PROTOCOL - VERSION 4rev1 (Proposed Standard - IETF stream)
>>> rfc4346: The Transport Layer Security (TLS) Protocol Version 1.1 (Proposed Standard - IETF stream)
>>> rfc2246: The TLS Protocol Version 1.0 (Proposed Standard - IETF stream)
>>> rfc4346: The Transport Layer Security (TLS) Protocol Version 1.1 (Proposed Standard - IETF stream)
>>> rfc4279: Pre-Shared Key Ciphersuites for Transport Layer Security (TLS) (Proposed Standard - IETF stream)
>>> rfc4261: Common Open Policy Service (COPS) Over Transport Layer Security (TLS) (Proposed Standard - IETF stream)
>>> rfc4235: An INVITE-Initiated Dialog Event Package for the Session Initiation Protocol (SIP) (Proposed Standard - IETF stream)
>>> rfc4235: An INVITE-Initiated Dialog Event Package for the Session Initiation Protocol (SIP) (Proposed Standard - IETF stream)
>>> rfc4217: Securing FTP with TLS (Proposed Standard - IETF stream)
>>> rfc4168: The Stream Control Transmission Protocol (SCTP) as a Transport for the Session Initiation Protocol (SIP) (Proposed Standard - IETF stream)
>>> rfc4162: Addition of SEED Cipher Suites to Transport Layer Security (TLS) (Proposed Standard - IETF stream)
>>> rfc4111: Security Framework for Provider-Provisioned Virtual Private Networks (PPVPNs) (Informational - IETF stream)
>>> rfc4097: Middlebox Communications (MIDCOM) Protocol Evaluation (Informational - IETF stream)
>>> rfc4097: Middlebox Communications (MIDCOM) Protocol Evaluation (Informational - IETF stream)
>>> rfc3983: Using the Internet Registry Information Service (IRIS) over the Blocks Extensible Exchange Protocol (BEEP) (Proposed Standard - IETF stream)
>>> rfc3943: Transport Layer Security (TLS) Protocol Compression Using Lempel-Ziv-Stac (LZS) (Informational - IETF stream)
>>> rfc3903: Session Initiation Protocol (SIP) Extension for Event State Publication (Proposed Standard - IETF stream)
>>> rfc6749: The OAuth 2.0 Authorization Framework (Proposed Standard - IETF stream)
>>> rfc3887: Message Tracking Query Protocol (Proposed Standard - IETF stream)
>>> rfc3871: Operational Security Requirements for Large Internet Service Provider (ISP) IP Network Infrastructure (Informational - IETF stream)
>>> rfc3871: Operational Security Requirements for Large Internet Service Provider (ISP) IP Network Infrastructure (Informational - IETF stream)
>>> rfc3856: A Presence Event Package for the Session Initiation Protocol (SIP) (Proposed Standard - IETF stream)
>>> rfc3767: Securely Available Credentials Protocol (Proposed Standard - IETF stream)
>>> rfc3749: Transport Layer Security Protocol Compression Methods (Proposed Standard - IETF stream)
>>> rfc3749: Transport Layer Security Protocol Compression Methods (Proposed Standard - IETF stream)
>>> rfc3656: The Mailbox Update (MUPDATE) Distributed Mailbox Database Protocol (Experimental - Independent Submission Editor stream)
>>> rfc3568: Known Content Network (CN) Request-Routing Mechanisms (Informational - IETF stream)
>>> rfc6750: The OAuth 2.0 Authorization Framework: Bearer Token Usage (Proposed Standard - IETF stream)
>>> rfc6750: The OAuth 2.0 Authorization Framework: Bearer Token Usage (Proposed Standard - IETF stream)
>>> rfc7030: Enrollment over Secure Transport (Proposed Standard - IETF stream)
>>> rfc7030: Enrollment over Secure Transport (Proposed Standard - IETF stream)
>>> rfc7465: Prohibiting RC4 Cipher Suites (Proposed Standard - IETF stream)
>>> rfc7465: Prohibiting RC4 Cipher Suites (Proposed Standard - IETF stream)
>>> rfc7507: TLS Fallback Signaling Cipher Suite Value (SCSV) for Preventing Protocol Downgrade Attacks (Proposed Standard - IETF stream)
>>> rfc7507: TLS Fallback Signaling Cipher Suite Value (SCSV) for Preventing Protocol Downgrade Attacks (Proposed Standard - IETF stream)
>>> rfc7562: Transport Layer Security (TLS) Authorization Using Digital Transmission Content Protection (DTCP) Certificates (Informational - Independent Submission Editor stream)
>>> rfc7562: Transport Layer Security (TLS) Authorization Using Digital Transmission Content Protection (DTCP) Certificates (Informational - Independent Submission Editor stream)
>>> rfc7568: Deprecating Secure Sockets Layer Version 3.0 (Proposed Standard - IETF stream)
>>> rfc7568: Deprecating Secure Sockets Layer Version 3.0 (Proposed Standard - IETF stream)
>>> rfc8422: Elliptic Curve Cryptography (ECC) Cipher Suites for Transport Layer Security (TLS) Versions 1.2 and Earlier (Proposed Standard - IETF stream)
>>> rfc8422: Elliptic Curve Cryptography (ECC) Cipher Suites for Transport Layer Security (TLS) Versions 1.2 and Earlier (Proposed Standard - IETF stream)
>>> _______________________________________________
>>> IETF-Announce mailing list
>>> ietf-annou...@ietf.org
>>> https://www.ietf.org/mailman/listinfo/ietf-announce
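Stephen's point above is that, once the library is updated, moving off TLS 1.0/1.1 is usually a single minimum-version setting, whether through a config file or an API call. The following is an added example written for this page, not code from the thread, the draft, or any of the libraries Eliot lists. It uses Python's standard `ssl` module (a wrapper around OpenSSL) to set the TLS 1.2 floor that draft-ietf-tls-oldversions-deprecate calls for, and includes a small audit helper (`audit_context` and `permits_deprecated_version` are hypothetical names, not library APIs) that an operator can run against existing contexts to find ones that still admit the deprecated versions. The OpenSSL config-file equivalent is shown in a comment for deployments that prefer the config-file route.

```python
import ssl

# Python's ssl module sits on top of OpenSSL, so the setting below maps onto
# OpenSSL's SSL_CTX_set_min_proto_version(). Requires Python 3.7+ (TLSVersion).
TLS12 = ssl.TLSVersion.TLSv1_2
DEPRECATED_VERSIONS = (ssl.TLSVersion.SSLv3, ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1)

# The same floor expressed in openssl.cnf (OpenSSL's ssl_conf module), for
# deployments that would rather flip a config-file switch than touch code:
#   openssl_conf = openssl_init
#   [openssl_init]
#   ssl_conf = ssl_sect
#   [ssl_sect]
#   system_default = system_default_sect
#   [system_default_sect]
#   MinProtocol = TLSv1.2


def permits_deprecated_version(minimum: ssl.TLSVersion) -> bool:
    """True if a context whose minimum_version is `minimum` could still
    negotiate SSLv3, TLS 1.0 or TLS 1.1 (subject to what the underlying
    OpenSSL build compiles in and its security level)."""
    if minimum == ssl.TLSVersion.MINIMUM_SUPPORTED:
        return True  # no application-level floor: whatever OpenSSL allows
    return minimum < TLS12  # TLSVersion is an IntEnum, so ordering is by wire version


def enforce_tls12_floor(ctx: ssl.SSLContext) -> ssl.SSLContext:
    """Raise the floor on an existing context. This is the supported way to do
    it; the older OP_NO_TLSv1 / OP_NO_TLSv1_1 option bits are deprecated."""
    ctx.minimum_version = TLS12
    return ctx


def make_client_context() -> ssl.SSLContext:
    # create_default_context() verifies the server certificate and hostname.
    # Setting the floor explicitly makes the policy visible in code regardless
    # of what the Python version's defaults happen to be.
    return enforce_tls12_floor(ssl.create_default_context())


def make_server_context() -> ssl.SSLContext:
    # Certificate and key loading (ctx.load_cert_chain) is left to the
    # deployment; the version floor does not depend on it.
    return enforce_tls12_floor(ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER))


def audit_context(ctx: ssl.SSLContext) -> bool:
    """Hypothetical audit helper: True if ctx still permits a deprecated version."""
    return permits_deprecated_version(ctx.minimum_version)


if __name__ == "__main__":
    for name, ctx in (("client", make_client_context()), ("server", make_server_context())):
        print(f"{name}: minimum_version={ctx.minimum_version.name}, "
              f"deprecated versions permitted={audit_context(ctx)}")
```

The audit helper only checks the application-level floor; an OpenSSL build that has TLS 1.0/1.1 compiled out, or a system security level that rejects them, will refuse those versions even when the context reports no floor, which is the "wait for the library default" path Stephen mentions.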

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
