On Mon, Jul 9, 2018 at 8:54 PM, Eric Rescorla <e...@rtfm.com> wrote:
> Thanks for writing this.
>
> I would be in favor of deprecating old versions of TLS prior to 1.2. Firefox
> Telemetry shows that about 1% of our connections are TLS 1.1 (on the same
> data set, TLS 1.3 is > 5%), and TLS 1.1 is negligible.
>
> This is probably a higher number than we'd be comfortable turning off
> immediately, but it is probably worth starting the process.
>

I'm also in favour. Many banks/institutions in developing countries are
moving to deprecate TLS v1.0 and TLS v1.1.

As I commented on github:
SSL Pulse shows how many top websites support TLS 1.2 (92.8%) and this
number is increasing (0.5%):

https://www.ssllabs.com/ssl-pulse/

KeyCDN and DigiCert have also announced their intentions to deprecate
TLS 1.0 and TLS 1.1.

https://github.com/sftcd/tls-oldversions-diediedie/commit/a0d6c160d922bd7f52a917884823114c90932291

> -Ekr
>
>
> On Mon, Jul 9, 2018 at 9:40 AM, Kathleen Moriarty
> <kathleen.moriarty.i...@gmail.com> wrote:
>>
>> Hello,
>>
>> Stephen and I posted the draft below to see if the TLS working group
>> is ready to take steps to deprecate TLSv1.0 and TLSv1.1.  There has
>> been a recent drop off in usage for web applications due to the PCI
>> Council recommendation to move off TLSv1.0, with a recommendation to
>> go to TLSv1.2 by June 30th.  NIST has also been recommending TLSv1.2
>> as a baseline.  Applications other than those using HTTP may not have
>> had the same reduction in usage.  If you are responsible for services
>> where you have a reasonable vantage point to gather and share
>> statistics to assess usage further, that could be helpful for the
>> discussion.  We've received some feedback that has been incorporated
>> into the working draft and feelers in general have been positive.  It
>> would be good to know if there are any show stoppers that have not
>> been considered.
>>
>> https://github.com/sftcd/tls-oldversions-diediedie
>>
>> Thanks in advance,
>> Kathleen
>>
>>
>> ---------- Forwarded message ----------
>> From:  <internet-dra...@ietf.org>
>> Date: Mon, Jun 18, 2018 at 3:05 PM
>> Subject: New Version Notification for
>> draft-moriarty-tls-oldversions-diediedie-00.txt
>> To: Stephen Farrell <stephen.farr...@cs.tcd.ie>, Kathleen Moriarty
>> <kathleen.moriarty.i...@gmail.com>
>>
>>
>>
>> A new version of I-D, draft-moriarty-tls-oldversions-diediedie-00.txt
>> has been successfully submitted by Stephen Farrell and posted to the
>> IETF repository.
>>
>> Name:           draft-moriarty-tls-oldversions-diediedie
>> Revision:       00
>> Title:          Deprecating TLSv1.0 and TLSv1.1
>> Document date:  2018-06-18
>> Group:          Individual Submission
>> Pages:          10
>> URL:
>>
>> https://www.ietf.org/internet-drafts/draft-moriarty-tls-oldversions-diediedie-00.txt
>>
>> Status:
>> https://datatracker.ietf.org/doc/draft-moriarty-tls-oldversions-diediedie/
>> Htmlized:
>> https://tools.ietf.org/html/draft-moriarty-tls-oldversions-diediedie-00
>> Htmlized:
>>
>> https://datatracker.ietf.org/doc/html/draft-moriarty-tls-oldversions-diediedie
>>
>>
>> Abstract:
>>    This document [if approved] formally deprecates Transport Layer
>>    Security (TLS) versions 1.0 [RFC2246] and 1.1 [RFC4346] and moves
>>    these documents to the historic state.  These versions lack support
>>    for current and recommended cipher suites, and various government and
>>    industry profiles of applications using TLS now mandate avoiding
>>    these old TLS versions.  TLSv1.2 has been the recommended version for
>>    IETF protocols since 2008, providing sufficient time to transition
>>    away from older versions.  Products having to support older versions
>>    increase the attack surface unnecessarily and increase opportunities
>>    for misconfigurations.  Supporting these older versions also requires
>>    additional effort for library and product maintenance.
>>
>>    This document updates the backward compatibility sections of TLS RFCs
>>    [[list TBD]] to prohibit fallback to TLSv1.0 and TLSv1.1.  This
>>    document also updates RFC 7525.
>>
>>
>>
>>
>> Please note that it may take a couple of minutes from the time of
>> submission
>> until the htmlized version and diff are available at tools.ietf.org.
>>
>> The IETF Secretariat
>>
>>
>>
>> --
>>
>> Best regards,
>> Kathleen
>>
>> _______________________________________________
>> TLS mailing list
>> TLS@ietf.org
>> https://www.ietf.org/mailman/listinfo/tls
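The draft's operative requirement is that implementations stop falling back to TLSv1.0 and TLSv1.1. As an added illustration (not code from the draft, its authors, or anyone on this thread), the Python snippet below shows the weak setting beside the corrected one using the standard `ssl` module, plus a small audit helper that reports which deprecated protocol versions a given `SSLContext` would still negotiate. The helper names and the assumption that SSLv3 counts as legacy alongside TLS 1.0/1.1 are mine; the version bounds are read from the context's own `minimum_version`/`maximum_version` attributes.

```python
import ssl

# Deprecated protocol versions (assumption: SSLv3 is treated as legacy
# together with the TLS 1.0 and 1.1 versions the draft deprecates).
LEGACY_VERSIONS = (
    ssl.TLSVersion.SSLv3,
    ssl.TLSVersion.TLSv1,
    ssl.TLSVersion.TLSv1_1,
)


def accepted_legacy_versions(ctx: ssl.SSLContext) -> list[str]:
    """Return the names of deprecated versions this context would still accept.

    MINIMUM_SUPPORTED / MAXIMUM_SUPPORTED are sentinels meaning "whatever the
    library supports", so they are widened to concrete bounds before comparing.
    """
    low, high = ctx.minimum_version, ctx.maximum_version
    if low == ssl.TLSVersion.MINIMUM_SUPPORTED:
        low = ssl.TLSVersion.SSLv3
    if high == ssl.TLSVersion.MAXIMUM_SUPPORTED:
        high = ssl.TLSVersion.TLSv1_3
    return [v.name for v in LEGACY_VERSIONS if low <= v <= high]


def legacy_context(protocol: int = ssl.PROTOCOL_TLS_SERVER) -> ssl.SSLContext:
    """Weak setting: explicitly allows the versions the draft deprecates.

    Hypothetical "before" configuration; it re-enables TLS 1.0 as the floor,
    which is exactly the fallback the draft prohibits.
    """
    ctx = ssl.SSLContext(protocol)
    ctx.minimum_version = ssl.TLSVersion.TLSv1
    return ctx


def hardened_context(protocol: int = ssl.PROTOCOL_TLS_SERVER) -> ssl.SSLContext:
    """Corrected setting: TLS 1.2 is the floor, so no fallback below it is possible."""
    ctx = ssl.SSLContext(protocol)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


if __name__ == "__main__":
    for label, ctx in (("legacy", legacy_context()), ("hardened", hardened_context())):
        print(f"{label}: still accepts {accepted_legacy_versions(ctx) or 'nothing deprecated'}")
```

The same audit can be pointed at any context a service builds (for example, the one returned by `ssl.create_default_context()`) to confirm that the deployed floor really is TLS 1.2 rather than relying on library defaults, which differ between Python and OpenSSL releases.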