I believe the doc is fine as it is. Yours, Daniel On Thu, Apr 25, 2019 at 9:30 PM Viktor Dukhovni <ietf-d...@dukhovni.org> wrote:
> > On Apr 12, 2019, at 7:28 PM, Christopher Wood <c...@heapingbits.net> > wrote: > > > > This is the working group last call for the "Deprecating TLSv1.0 and > TLSv1.1” draft available at: > > > > > https://datatracker.ietf.org/doc/draft-ietf-tls-oldversions-deprecate/ > > > > Please review the document and send your comments to the list by April > 26, 2019. > > My concern is whether the time is yet nigh for TLS 1.0 to be disabled > in opportunistic TLS in SMTP, or whether TLS 1.0 remains sufficiently > common to cause deprecation to do more harm than good via unnecessary > downgrades to cleartext. > > I don't have survey numbers for SMTP TLS protocol versions across MTAs > generally to shed light on this, perhaps someone does. What I do have > is numbers for those MTAs (not a representative sample) that have DANE > TLSA records (so presumably a greater focus on security). > > The observed version frequencies are approximately: > > TLS 1.0: 1% > TLS 1.1: 0% > TLS 1.2: 87% > TLS 1.3: 12% > > essentially regardless of whether I deduplicate by name, IP or name and IP. > The respective sample sizes are 5435, 6938 and 7959. > > So if a DANE-enabled sender were to disable TLS 1.0 today, approximately > 1% of the destination MX hosts would be broken and need remediation. These > handle just of 189 mostly small SOHO domains out of the ~1.1 million total > DANE SMTP domains, but four handle enough email to show up on the Gmail > SMTP transparency report: > > tu-darmstadt.de > t-2.net > t-2.com > t-2.si > > So on the whole, the draft should proceed, but some caution may be > appropriate > outside the browser space, before operators start switching off TLS 1.0 > support. > > I don't see an operational considerations section. Nor much discussion of > "less mainstream" (than Web browser) TLS application protocols. Would a > few > words of caution be appropriate, or is it expected that by the time the RFC > starts to change operator behaviour the "market share" of TLS 1.0 will be > substantially lower than I see today even with SMTP, XMPP, NTTP and the > like. > > [ I would speculate that TLS 1.0's share is noticeably higher among MTAs > generally than among the bleeding-edge MTAs that have published DANE TLSA > RRs. ] > > -- > Viktor. > > _______________________________________________ > TLS mailing list > TLS@ietf.org > https://www.ietf.org/mailman/listinfo/tls >
_______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls