* Thank you for the data-driven approach, but it definitely doesn't match other reports The TLS 1.3 adoption document you reference seems to be based solely on Web browser data:
Browser Percentage of TLS 1.3 Chrome 30% Firefox 27% Safari 27% My numbers come from the Windows TLS stack telemetry. Windows releases with TLS 1.3 support (Server 2022, Windows 11 and later) use a 3rd-party TLS stack for the in-box Web browser. So the Windows TLS stack telemetry does not include Web browser connections. This is client and server apps (native, .NET, Modern, etc.), Web and other services, file services, RDP, e-mail, industrial systems... Some Web service connections, but also all other things besides/beyond the Web. A mix of Internet and various private and public sector networks. * Maybe it means TLS 1.2 /could/ be negotiated for 99% of connections? The data shows that TLS 1.2 was in fact negotiated 98-99% of the time. Either because a TLS peer did not support TLS 1.3, or an app programmatically disabled TLS 1.3, or a system admin disabled TLS 1.3. It's a long discussion about the reasons, but at the moment we see 98-99% of the connections negotiating TLS 1.2. Overall, our telemetry shows that TLS 1.3 usage is growing (BTW, QUIC usage is included in my TLS 1.3 numbers). It's just nowhere near TLS 1.2 usage at the moment. From: Rob Sayre <say...@gmail.com> Sent: Thursday, July 14, 2022 10:25 AM To: Andrei Popov <andrei.po...@microsoft.com> Cc: Peter Gutmann <pgut...@cs.auckland.ac.nz>; Peter Saint-Andre <stpe...@stpeter.im>; Benjamin Kaduk <ka...@mit.edu>; sec...@ietf.org; draft-ietf-uta-rfc7525bis....@ietf.org; last-c...@ietf.org; uta@ietf.org Subject: [EXTERNAL] Re: [Uta] [Last-Call] Secdir telechat review of draft-ietf-uta-rfc7525bis-09 On Thu, Jul 14, 2022 at 10:12 AM Andrei Popov <andrei.po...@microsoft.com<mailto:andrei.po...@microsoft.com>> wrote: Speaking of PCs and servers: I took a look at Windows TLS stack telemetry (only including those OS versions that support TLS 1.3). TLS 1.2 is negotiated for 99% of the TLS server connections and 98% of the TLS client connections using Windows TLS stack. TLS 1.3 use amounts to 0.4% of TLS server connections and just under 2% of TLS client connections. Thank you for the data-driven approach, but it definitely doesn't match other reports. Maybe it means TLS 1.2 /could/ be negotiated for 99% of connections? Here is a 2019 document from the IETF: https://www.ietf.org/blog/tls13-adoption/<https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.ietf.org%2Fblog%2Ftls13-adoption%2F&data=05%7C01%7CAndrei.Popov%40microsoft.com%7Cbeac8a37740347b3289c08da65bdd8c0%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637934163474960631%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C2000%7C%7C%7C&sdata=ZQTIoGNvUKr7%2BhMuXkmN7yDsPiN%2F2gZW0f%2FD1mJLRZ4%3D&reserved=0> thanks, Rob Cheers, Andrei -----Original Message----- From: Uta <uta-boun...@ietf.org<mailto:uta-boun...@ietf.org>> On Behalf Of Peter Gutmann Sent: Wednesday, July 13, 2022 8:07 PM To: Rob Sayre <say...@gmail.com<mailto:say...@gmail.com>>; Peter Saint-Andre <stpe...@stpeter.im<mailto:stpe...@stpeter.im>> Cc: Benjamin Kaduk <ka...@mit.edu<mailto:ka...@mit.edu>>; sec...@ietf.org<mailto:sec...@ietf.org>; draft-ietf-uta-rfc7525bis....@ietf.org<mailto:draft-ietf-uta-rfc7525bis....@ietf.org>; last-c...@ietf.org<mailto:last-c...@ietf.org>; uta@ietf.org<mailto:uta@ietf.org> Subject: [EXTERNAL] Re: [Uta] [Last-Call] Secdir telechat review of draft-ietf-uta-rfc7525bis-09 Rob Sayre <say...@gmail.com<mailto:say...@gmail.com>> writes: >Also, in the realm of opinion rather than correctness: mandating TLS >1.2 support is misguided. Every TLS implementation maintains divided >codebases for 1.2 vs 1.3. On desktop PCs and servers perhaps, but in embedded the very fact that you need two sets of codebases means many systems will stay with 1.2, possibly forever when everything around them is also staying with 1.2. >No one reads the TLS 1.2 code very closely these days, in my >experience, so the BCP would be mandating support for something people >don't really work on anymore. Unless the only codebase you've got is 1.2. However in the same embedded systems you typically do it once, do it right, and skip the neverending flow of bells and whistles that keep appearing, so there's no need to constantly fiddle with the code as for PC/server use. Peter. _______________________________________________ Uta mailing list Uta@ietf.org<mailto:Uta@ietf.org> https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.ietf.org%2Fmailman%2Flistinfo%2Futa&data=05%7C01%7CAndrei.Popov%40microsoft.com%7Ce00ddaa9c29c46256bcf08da65461b37%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637933649036169526%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=KdWkJBgZZYtqmqbNTu58h6cXqB7eq3o%2B65rEEu5eo%2BE%3D&reserved=0<https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.ietf.org%2Fmailman%2Flistinfo%2Futa&data=05%7C01%7CAndrei.Popov%40microsoft.com%7Cbeac8a37740347b3289c08da65bdd8c0%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637934163474960631%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C2000%7C%7C%7C&sdata=7UnJ4KxCx3HAl474kkfHcSYMAxbWPHoOt2h%2FowgG09o%3D&reserved=0>
_______________________________________________ Uta mailing list Uta@ietf.org https://www.ietf.org/mailman/listinfo/uta
