Hi all,

I don’t think that we should consider saying that TLS 1.2 (or a variant) is an 
okay and safe choice for the next 10+ years while this protocol will not 
receive post-quantum security updates (if we stick with “no PQ for TLS 1.2”). I 
realize that integrating PQC in a “LTS” deployment might not be feasible/stable 
enough at this moment, but I fear that putting out a “TLS-LTS” gives people 
“permission" to ossify on non-PQC (as it will not be backported) for a 
considerable amount of time longer.
For this reason, and the same reasons as stated by Eric, Nick and Watson, I am 
against adoption of this document (or at least in this form). There may be 
contents of this document that we might consider extracting 

Cheers,

Thom

> Op 6 nov 2024, om 06:45 heeft Eric Rescorla <e...@rtfm.com> het volgende 
> geschreven:
> 
> I am against adoption. 
> 
> As Nick and Watson note, this is not just a profile of TLS 1.2 but is rather 
> a set of negotiated with a new extension code point, i.e., it's effectively a 
> new version of TLS with as yet only lightly analyzed security properties. We 
> already have a new version of TLS which has been heavily analyzed and widely 
> deployed, namely TLS 1.3.
> 
> There's nothing stopping people deploying this if they want to and in fact 
> there is already a code point assigned. However, the TLS WG should not take 
> up this work.
> 
> -Ekr
> 
> On Tue, Nov 5, 2024 at 1:21 PM Arnaud Taddei 
> <arnaud.taddei=40broadcom....@dmarc.ietf.org 
> <mailto:40broadcom....@dmarc.ietf.org>> wrote:
>> I do support the adoption of this draft. 
>> 
>> This draft is a very good product and the details and care that this draft 
>> exhibits is in itself a testimony of someone who has a real production 
>> experience, is realistic and pragmatic. 
>> 
>> There is a big difference between 
>>      patching an endpoint to a variation of TLS1.2 which is meant to work in 
>> a ’TLS1.2 designed environment” 
>> Vs 
>>      patching an endpoint to TLS1.3 in an environment that was ’TLS1.2 
>> designed environment’
>> 
>> If the organisation that needs to manage a security risk is given a choice 
>> of 
>> 1) Patch to TLS-LTS
>> 2) Patch to TLS1.3 
>> 
>> Any risk manager is going to ask the qualification of the implications on 
>> both and the result will be that 1) will be far less intrusive and risky 
>> than 2)
>> 
>> Moreover the bench-test platform that the solution needs to go through to 
>> prove its production readiness may not be able to support TLS1.3 at all.
>> 
>> Not adopting this draft leaves only one choice to any customer with no 
>> guarantees that the patching to TLS1.3 will work in its TLS1.2 designed 
>> end-to-end environment at a manageable time, cost and ‘go to production’ or 
>> ‘go to market’ time, and risk.
>> 
>> Worse, it could have unanticipated consequences like breaking compliancy to 
>> regulations, to safety and I can just imagine how it could move the risks 
>> from bits and bytes to blood and flesh.
>> 
>> My 0.02 Swiss francs
>> 
>> Arnaud Taddei
>> Global Security Strategist | Enterprise Security Group
>> 
>> mobile: +41 79 506 1129 
>> Geneva, Switzerland
>> arnaud.tad...@broadcom.com <mailto:arnaud.tad...@broadcom.com> | 
>> broadcom.com <http://broadcom.com/>
>> 
>>> On 5 Nov 2024, at 19:48, Nick Harper <i...@nharper.org 
>>> <mailto:i...@nharper.org>> wrote:
>>> 
>>> I understand the stated goal of this draft to be to provide a way for 
>>> hard-to-update endpoints to keep using TLS 1.2 in a secure way. The idea of 
>>> a document that describes how to safely deploy TLS 1.2 sounds like a good 
>>> idea, e.g. "use only these cipher suites, require EMS and RI, etc". This 
>>> draft is not that.
>>> 
>>> This draft makes changes to the TLS handshake protocol, which undermines 
>>> the goal of supporting hard-to-update endpoints. The two changes made to 
>>> the protocol are also addressed by RFC 8446. If endpoints need to be 
>>> updated to support TLS-LTS, it would make more sense to update them to 
>>> support TLS 1.3 than TLS-LTS.
>>> 
>>> The rationale section (3.7) of the draft presents two reasons for using 
>>> TLS-LTS over TLS 1.3. The first is the slow deployment cadence of a new 
>>> protocol. LTS requires a change to the protocol and deployment of that new 
>>> change, no different from 1.3. The second reason is fear of the unknown in 
>>> 1.3: "TLS 1.3 is an almost entirely new protocol. As such, it rolls back 
>>> the 20 years of experience that we have with all the things that can go 
>>> wrong in TLS". The 20 years of all the things that can go wrong in TLS were 
>>> due to unsound cryptographic decisions. The research and analysis that 
>>> found those 20 years of issues was applied to the design of 1.3 to avoid 
>>> making the same mistakes. 1.3 doesn't roll back that experience, and we now 
>>> have over 8 years of experience with 1.3.
>>> 
>>> I do not support adoption of the draft in this format. If the draft made no 
>>> changes to the TLS 1.2 protocol and were deployable only through 
>>> configuration changes (e.g. a fixed list of cipher suites and extensions), 
>>> I would probably support it.
>>> 
>>> On Tue, Nov 5, 2024 at 11:02 AM Salz, Rich 
>>> <rsalz=40akamai....@dmarc.ietf.org <mailto:40akamai....@dmarc.ietf.org>> 
>>> wrote:
>>>> I strongly support adoption.
>>>> 
>>>> I do not understand why anyone would be opposed to the IETF making 
>>>> deployment recommendations. I can understand why someone might be bothered 
>>>> by the impliciation that *THIS ONE WAY* is the only way to get long-term 
>>>> support, especially if it's seen to contradict our encouragement of TLS 
>>>> 1.3. But that is an editorial issue that can be easily fixed.
>>>> 
>>>> I would like to see this adopted, a short change cycle, and then advanced 
>>>> in the same cluster with our TLS 1.2 is frozen document.
>>>> 
>>>> 
>>>> _______________________________________________
>>>> TLS mailing list -- tls@ietf.org <mailto:tls@ietf.org>
>>>> To unsubscribe send an email to tls-le...@ietf.org 
>>>> <mailto:tls-le...@ietf.org>
>>> _______________________________________________
>>> TLS mailing list -- tls@ietf.org <mailto:tls@ietf.org>
>>> To unsubscribe send an email to tls-le...@ietf.org 
>>> <mailto:tls-le...@ietf.org>
>> 
>> 
>> This electronic communication and the information and any files transmitted 
>> with it, or attached to it, are confidential and are intended solely for the 
>> use of the individual or entity to whom it is addressed and may contain 
>> information that is confidential, legally privileged, protected by privacy 
>> laws, or otherwise restricted from disclosure to anyone else. If you are not 
>> the intended recipient or the person responsible for delivering the e-mail 
>> to the intended recipient, you are hereby notified that any use, copying, 
>> distributing, dissemination, forwarding, printing, or copying of this e-mail 
>> is strictly prohibited. If you received this e-mail in error, please return 
>> the e-mail to the sender, delete it from your computer, and destroy any 
>> printed copy of it._______________________________________________
>> TLS mailing list -- tls@ietf.org <mailto:tls@ietf.org>
>> To unsubscribe send an email to tls-le...@ietf.org 
>> <mailto:tls-le...@ietf.org>
> _______________________________________________
> TLS mailing list -- tls@ietf.org
> To unsubscribe send an email to tls-le...@ietf.org

_______________________________________________
TLS mailing list -- tls@ietf.org
To unsubscribe send an email to tls-le...@ietf.org

Reply via email to