draft-ietf-tls-oldversions-deprecate-08.txt   draft-ietf-tls-oldversions-deprecate-09.txt 
Internet Engineering Task Force K. Moriarty Internet Engineering Task Force K. Moriarty
Internet-Draft Dell EMC Internet-Draft Dell EMC
Obsoletes: 7507 (if approved) S. Farrell Obsoletes: 5469 7507 (if approved) S. Farrell
Updates: 8465 8422 8261 7568 7562 7525 Trinity College Dublin Updates: 8422 8261 7568 7562 7525 7465 Trinity College Dublin
7465 7030 6750 6749 6739 6460 October 14, 2020 7030 6750 6749 6739 6460 6614 November 9, 2020
6614 6367 6347 6176 6084 6083 6367 6347 6176 6084 6083 6042
6042 6012 5878 5734 5469 5456 6012 5878 5734 5456 5422 5415
5422 5415 5364 5281 5263 5238 5364 5281 5263 5238 5216 5158
5216 5158 5091 5054 5049 5024 5091 5054 5049 5024 5023 5019
5023 5019 5018 4992 4976 4975 5018 4992 4976 4975 4964 4851
4964 4851 4823 4791 4785 4744 4823 4791 4785 4744 4743 4732
4743 4732 4712 4681 4680 4642 4712 4681 4680 4642 4616 4582
4616 4582 4540 4531 4513 4497 4540 4531 4513 4497 4279 4261
4279 4261 4235 4217 4168 4162 4235 4217 4168 4162 4111 4097
4111 4097 3983 3943 3903 3887 3983 3943 3903 3887 3871 3856
3871 3856 3767 3749 3656 3568 3767 3749 3656 3568 3552 3501
3552 3501 3470 3436 3329 3261 3470 3436 3329 3261 (if
(if approved) approved)
Intended status: Best Current Practice Intended status: Best Current Practice
Expires: April 17, 2021 Expires: May 13, 2021
Deprecating TLSv1.0 and TLSv1.1 Deprecating TLSv1.0 and TLSv1.1
draft-ietf-tls-oldversions-deprecate-08 draft-ietf-tls-oldversions-deprecate-09
Abstract Abstract
This document, if approved, formally deprecates Transport Layer This document, if approved, formally deprecates Transport Layer
Security (TLS) versions 1.0 (RFC 2246) and 1.1 (RFC 4346). Security (TLS) versions 1.0 (RFC 2246) and 1.1 (RFC 4346).
Accordingly, those documents (will be moved|have been moved) to Accordingly, those documents (will be moved|have been moved) to
Historic status. These versions lack support for current and Historic status. These versions lack support for current and
recommended cryptographic algorithms and mechanisms, and various recommended cryptographic algorithms and mechanisms, and various
government and industry profiles of applications using TLS now government and industry profiles of applications using TLS now
mandate avoiding these old TLS versions. TLSv1.2 has been the mandate avoiding these old TLS versions. TLSv1.2 has been the
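Review bot: In the -09 "Updates:" header, 6460 is listed before 6614, the only break in an otherwise descending list. Since this revision reflows the whole header anyway (8465 dropped, 5469 moved to "Obsoletes:"), sort the two entries so the list can be audited against the Section 1.1 list at a glance.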
skipping to change at page 2, line 20 skipping to change at page 2, line 20
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/. Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on April 17, 2021. This Internet-Draft will expire on May 13, 2021.
Copyright Notice Copyright Notice
Copyright (c) 2020 IETF Trust and the persons identified as the Copyright (c) 2020 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of (https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 2, line 46 skipping to change at page 2, line 46
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3
1.1. RFCs Updated . . . . . . . . . . . . . . . . . . . . . . 3 1.1. RFCs Updated . . . . . . . . . . . . . . . . . . . . . . 3
1.2. Terminology . . . . . . . . . . . . . . . . . . . . . . . 5 1.2. Terminology . . . . . . . . . . . . . . . . . . . . . . . 5
2. Support for Deprecation . . . . . . . . . . . . . . . . . . . 5 2. Support for Deprecation . . . . . . . . . . . . . . . . . . . 5
3. SHA-1 Usage Problematic in TLSv1.0 and TLSv1.1 . . . . . . . 6 3. SHA-1 Usage Problematic in TLSv1.0 and TLSv1.1 . . . . . . . 6
4. Do Not Use TLSv1.0 . . . . . . . . . . . . . . . . . . . . . 6 4. Do Not Use TLSv1.0 . . . . . . . . . . . . . . . . . . . . . 6
5. Do Not Use TLSv1.1 . . . . . . . . . . . . . . . . . . . . . 7 5. Do Not Use TLSv1.1 . . . . . . . . . . . . . . . . . . . . . 7
6. Updates to RFC7525 . . . . . . . . . . . . . . . . . . . . . 7 6. Updates to RFC7525 . . . . . . . . . . . . . . . . . . . . . 8
7. Security Considerations . . . . . . . . . . . . . . . . . . . 8 7. Security Considerations . . . . . . . . . . . . . . . . . . . 8
8. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 8 8. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 8
9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 8 9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 9
10. References . . . . . . . . . . . . . . . . . . . . . . . . . 8 10. References . . . . . . . . . . . . . . . . . . . . . . . . . 9
10.1. Normative References . . . . . . . . . . . . . . . . . . 9 10.1. Normative References . . . . . . . . . . . . . . . . . . 9
10.2. Informative References . . . . . . . . . . . . . . . . . 17 10.2. Informative References . . . . . . . . . . . . . . . . . 17
Appendix A. Change Log . . . . . . . . . . . . . . . . . . . . . 21 Appendix A. Change Log . . . . . . . . . . . . . . . . . . . . . 22
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 22 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 23
1. Introduction 1. Introduction
Transport Layer Security (TLS) versions 1.0 [RFC2246] and 1.1 Transport Layer Security (TLS) versions 1.0 [RFC2246] and 1.1
[RFC4346] were superceded by TLSv1.2 [RFC5246] in 2008, which has now [RFC4346] were superceded by TLSv1.2 [RFC5246] in 2008, which has now
itself been superceded by TLSv1.3 [RFC8446]. Datagram Transport itself been superceded by TLSv1.3 [RFC8446]. Datagram Transport
Layer Security (DTLS) version 1.0 [RFC4347] was superceded by Layer Security (DTLS) version 1.0 [RFC4347] was superceded by
DTLSv1.2 [RFC6347] in 2012. It is therefore timely to further DTLSv1.2 [RFC6347] in 2012. It is therefore timely to further
deprecate these old versions. deprecate these old versions. Accordingly, those documents (will be
moved|have been moved) to Historic status.
Technical reasons for deprecating these versions include: Technical reasons for deprecating these versions include:
o They require implementation of older cipher suites that are no o They require implementation of older cipher suites that are no
longer desirable for cryptographic reasons, e.g., TLSv1.0 makes longer desirable for cryptographic reasons, e.g., TLSv1.0 makes
TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA mandatory to implement TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA mandatory to implement
o Lack of support for current recommended cipher suites, especially o Lack of support for current recommended cipher suites, especially
AEAD ciphers which are not supported prior to TLSv1.2. Note: AEAD ciphers which are not supported prior to TLSv1.2. Note:
registry entries for no-longer-desirable ciphersuites remain in registry entries for no-longer-desirable ciphersuites remain in
the registries, but many TLS registries are being updated through the registries, but many TLS registries are being updated through
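Review bot: The sentence added to the Introduction in -09, "Accordingly, those documents (will be moved|have been moved) to Historic status.", has no clear antecedent. The preceding sentence speaks of "these old versions", and the paragraph also cites [RFC5246], [RFC8446] and [RFC6347], which are not being retired. Name the RFCs that are meant instead of "those documents". The "(will be moved|have been moved)" alternation is still a placeholder and now appears in both the Abstract and the Introduction, so flag it for the RFC Editor in one place.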
skipping to change at page 4, line 7 skipping to change at page 4, line 8
This document updates the following RFCs that normatively reference This document updates the following RFCs that normatively reference
TLSv1.0 or TLSv1.1 or DTLS1.0. The update is to obsolete usage of TLSv1.0 or TLSv1.1 or DTLS1.0. The update is to obsolete usage of
these older versions. Fallback to these versions are prohibited these older versions. Fallback to these versions are prohibited
through this update. Specific references to mandatory minimum through this update. Specific references to mandatory minimum
protocol versions of TLSv1.0 or TLSv1.1 are replaced by TLSv1.2, and protocol versions of TLSv1.0 or TLSv1.1 are replaced by TLSv1.2, and
references to minimum protocol version DTLSv1.0 are replaced by references to minimum protocol version DTLSv1.0 are replaced by
DTLSv1.2. Statements that "TLS 1.0 is the most widely deployed DTLSv1.2. Statements that "TLS 1.0 is the most widely deployed
version and will provide the broadest interoperability" are removed version and will provide the broadest interoperability" are removed
without replacement. without replacement.
[RFC8465] [RFC8422] [RFC8261] [RFC7568] [RFC7562] [RFC7525] [RFC7465] [RFC8422] [RFC8261] [RFC7568] [RFC7562] [RFC7525] [RFC7465] [RFC7030]
[RFC7030] [RFC6750] [RFC6749] [RFC6739] [RFC6084] [RFC6083] [RFC6367] [RFC6750] [RFC6749] [RFC6739] [RFC6084] [RFC6083] [RFC6367] [RFC6176]
[RFC6176] [RFC6042] [RFC6012] [RFC5878] [RFC5734] [RFC5469] [RFC5456] [RFC6042] [RFC6012] [RFC5878] [RFC5734] [RFC5456] [RFC5422] [RFC5415]
[RFC5422] [RFC5415] [RFC5364] [RFC5281] [RFC5263] [RFC5238] [RFC5216] [RFC5364] [RFC5281] [RFC5263] [RFC5238] [RFC5216] [RFC5158] [RFC5091]
[RFC5158] [RFC5091] [RFC5054] [RFC5049] [RFC5024] [RFC5023] [RFC5019] [RFC5054] [RFC5049] [RFC5024] [RFC5023] [RFC5019] [RFC5018] [RFC4992]
[RFC5018] [RFC4992] [RFC4976] [RFC4975] [RFC4964] [RFC4851] [RFC4823] [RFC4976] [RFC4975] [RFC4964] [RFC4851] [RFC4823] [RFC4791] [RFC4785]
[RFC4791] [RFC4785] [RFC4732] [RFC4712] [RFC4681] [RFC4680] [RFC4642] [RFC4732] [RFC4712] [RFC4681] [RFC4680] [RFC4642] [RFC4616] [RFC4582]
[RFC4616] [RFC4582] [RFC4540] [RFC4531] [RFC4513] [RFC4497] [RFC4279] [RFC4540] [RFC4531] [RFC4513] [RFC4497] [RFC4279] [RFC4261] [RFC4235]
[RFC4261] [RFC4235] [RFC4217] [RFC4168] [RFC4162] [RFC4111] [RFC4097] [RFC4217] [RFC4168] [RFC4162] [RFC4111] [RFC4097] [RFC3983] [RFC3943]
[RFC3983] [RFC3943] [RFC3903] [RFC3887] [RFC3871] [RFC3856] [RFC3767] [RFC3903] [RFC3887] [RFC3871] [RFC3856] [RFC3767] [RFC3749] [RFC3656]
[RFC3749] [RFC3656] [RFC3568] [RFC3552] [RFC3501] [RFC3470] [RFC3436] [RFC3568] [RFC3552] [RFC3501] [RFC3470] [RFC3436] [RFC3329] [RFC3261]
[RFC3329] [RFC3261]
The status of [RFC7562], [RFC6042], [RFC5456], [RFC5024], [RFC4540], The status of [RFC7562], [RFC6042], [RFC5456], [RFC5024], [RFC4540],
and [RFC3656] will be updated with permission of the Independent and [RFC3656] will be updated with permission of the Independent
Stream Editor. Stream Editor.
In addition these RFCs normatively refer to TLSv1.0 or TLSv1.1 and In addition these RFCs normatively refer to TLSv1.0 or TLSv1.1 and
have already been obsoleted; they are still listed here and marked as have already been obsoleted; they are still listed here and marked as
updated by this document in order to reiterate that any usage of the updated by this document in order to reiterate that any usage of the
obsolete protocol should still use modern TLS: [RFC7507] [RFC5101] obsolete protocol should still use modern TLS: [RFC5101] [RFC5081]
[RFC5081] [RFC5077] [RFC4934] [RFC4572] [RFC4507] [RFC4492] [RFC4366] [RFC5077] [RFC4934] [RFC4572] [RFC4507] [RFC4492] [RFC4366] [RFC4347]
[RFC4347] [RFC4244] [RFC4132] [RFC3920] [RFC3734] [RFC3588] [RFC3546] [RFC4244] [RFC4132] [RFC3920] [RFC3734] [RFC3588] [RFC3546] [RFC3489]
[RFC3489] [RFC3316] [RFC3316]
Note that [RFC4642] has already been updated by [RFC8143], which Note that [RFC4642] has already been updated by [RFC8143], which
makes an overlapping, but not quite identical, update as this makes an overlapping, but not quite identical, update as this
document. document.
[RFC6614] has a requirement for TLSv1.1 or later, although only makes [RFC6614] has a requirement for TLSv1.1 or later, although only makes
an informative reference to [RFC4346]. This requirement is updated an informative reference to [RFC4346]. This requirement is updated
to be for TLSv1.2 or later. to be for TLSv1.2 or later.
[RFC6460], [RFC4744], and [RFC4743] are already Historic; they are [RFC6460], [RFC4744], and [RFC4743] are already Historic; they are
still listed here and marked as updated by this document in order to still listed here and marked as updated by this document in order to
reiterate that any usage of the obsolete protocol should still use reiterate that any usage of the obsolete protocol should still use
modern TLS. modern TLS.
This document updates DTLS [RFC6347]. [RFC6347] had allowed for This document updates DTLS [RFC6347]. [RFC6347] had allowed for
negotiating the use of DTLSv1.0, which is now forbidden. negotiating the use of DTLSv1.0, which is now forbidden.
The DES and IDEA cipher suites specified in [RFC5469] were
specifically removed from TLSv1.2 by [RFC5246]; since the only
versions of TLS for which their usage is defined are now Historic,
RFC 5469 (will be|has been) moved to Historic as well.
The version-fallback Signaling Cipher Suite Value specified in
[RFC7507] waas defined to detect when a given client and server
negotiate a lower version of (D)TLS than their highest shared
version. TLSv1.3 ([RFC8446]) incorporates a different mechanism that
achieves this purpose, via sentinel values in the ServerHello.Random
field. With (D)TLS versions prior to 1.2 fully deprecated, the only
way for (D)TLS implementations to negotiate a lower version than
their highest shared version would be to negotiate (D)TLSv1.2 while
supporting (D)TLSv1.3; supporting (D)TLSv1.3 implies support for the
ServerHello.Random mechanism. Accordingly, the functionality from
[RFC7507] has been superseded, and this document marks it as
Obsolete.
1.2. Terminology 1.2. Terminology
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in BCP "OPTIONAL" in this document are to be interpreted as described in BCP
14 [RFC2119] [RFC8174] when, and only when, they appear in all 14 [RFC2119] [RFC8174] when, and only when, they appear in all
capitals, as shown here. capitals, as shown here.
2. Support for Deprecation 2. Support for Deprecation
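Review bot: Typo in the added [RFC7507] paragraph: "waas defined" should be "was defined". Separately, the added [RFC5469] paragraph says only that RFC 5469 "(will be|has been) moved to Historic", while the -09 header lists 5469 under "Obsoletes:". The [RFC7507] paragraph ends with "this document marks it as Obsolete", and the [RFC5469] paragraph should carry an equally explicit statement so the header and the body agree. The "(will be|has been)" alternation also needs resolving before publication.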
skipping to change at page 8, line 33 skipping to change at page 8, line 51
This document deprecates two older TLS protocol versions and one This document deprecates two older TLS protocol versions and one
older DTLS protocol version for security reasons already described. older DTLS protocol version for security reasons already described.
The attack surface is reduced when there are a smaller number of The attack surface is reduced when there are a smaller number of
supported protocols and fallback options are removed. supported protocols and fallback options are removed.
8. Acknowledgements 8. Acknowledgements
Thanks to those that provided usage data, reviewed and/or improved Thanks to those that provided usage data, reviewed and/or improved
this document, including: David Benjamin, David Black, Alan DeKok, this document, including: David Benjamin, David Black, Alan DeKok,
Viktor Dukhovni, Julien Elie, Gary Gapinski, Alessandro Ghedini, Viktor Dukhovni, Julien Elie, Gary Gapinski, Alessandro Ghedini,
Jeremy Harris, James Hodgkinson, Russ Housley, Hubert Kario, Ben Jeremy Harris, James Hodgkinson, Russ Housley, Hubert Kario, Benjamin
Kaduk, John Mattsson, Eric Mill, Yoav Nir, Andrei Popov, Eric Kaduk, John Mattsson, Eric Mill, Yoav Nir, Andrei Popov, Eric
Rescorla, Yaron Sheffer, Robert Sparks, Martin Thomson, Loganaden Rescorla, Yaron Sheffer, Robert Sparks, Martin Thomson, Loganaden
Velvindron, and Jakub Wilk. Velvindron, and Jakub Wilk.
[[Note to RFC editor: At least Julien Elie's name above should have [[Note to RFC editor: At least Julien Elie's name above should have
an accent on the first letter of the surname. Please fix that and an accent on the first letter of the surname. Please fix that and
any others needing a similar fix if you can, I'm not sure the tooling any others needing a similar fix if you can, I'm not sure the tooling
I have now allows that.]] I have now allows that.]]
9. IANA Considerations 9. IANA Considerations
skipping to change at page 17, line 20 skipping to change at page 17, line 40
[RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
May 2017, <https://www.rfc-editor.org/info/rfc8174>. May 2017, <https://www.rfc-editor.org/info/rfc8174>.
[RFC8422] Nir, Y., Josefsson, S., and M. Pegourie-Gonnard, "Elliptic [RFC8422] Nir, Y., Josefsson, S., and M. Pegourie-Gonnard, "Elliptic
Curve Cryptography (ECC) Cipher Suites for Transport Layer Curve Cryptography (ECC) Cipher Suites for Transport Layer
Security (TLS) Versions 1.2 and Earlier", RFC 8422, Security (TLS) Versions 1.2 and Earlier", RFC 8422,
DOI 10.17487/RFC8422, August 2018, DOI 10.17487/RFC8422, August 2018,
<https://www.rfc-editor.org/info/rfc8422>. <https://www.rfc-editor.org/info/rfc8422>.
[RFC8465] Atarius, R., Ed., "Using the Mobile Equipment Identity
(MEID) URN as an Instance ID", RFC 8465,
DOI 10.17487/RFC8465, September 2018,
<https://www.rfc-editor.org/info/rfc8465>.
10.2. Informative References 10.2. Informative References
[Bhargavan2016] [Bhargavan2016]
Bhargavan, K. and G. Leuren, "Transcript Collision Bhargavan, K. and G. Leuren, "Transcript Collision
Attacks: Breaking Authentication in TLS, IKE, and SSH Attacks: Breaking Authentication in TLS, IKE, and SSH
https://www.mitls.org/downloads/transcript- https://www.mitls.org/downloads/transcript-
collisions.pdf", 2016. collisions.pdf", 2016.
[NIST800-52r2] [NIST800-52r2]
National Institute of Standards and Technology, "NIST National Institute of Standards and Technology, "NIST
 End of changes. 13 change blocks. 
47 lines changed or deleted 60 lines changed or added

This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/