idnits 2.17.1 

draft-ietf-uta-tls-for-email-05.txt:

  Checking boilerplate required by RFC 5378 and the IETF Trust (see
  https://trustee.ietf.org/license-info):
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/checklist :
  ----------------------------------------------------------------------------

     No issues found here.

  Miscellaneous warnings:
  ----------------------------------------------------------------------------

  == The copyright year in the IETF Trust and authors Copyright Line does not
     match the current year

  -- The document date (March 24, 2020) is 1494 days in the past.  Is this
     intentional?


  Checking references for intended status: Proposed Standard
  ----------------------------------------------------------------------------

     (See RFCs 3967 and 4897 for information about using normative references
     to lower-maturity documents in RFCs)

  -- Obsolete informational reference (is this intentional?): RFC 4346
     (Obsoleted by RFC 5246)

  == Outdated reference: A later version (-12) exists of
     draft-ietf-tls-oldversions-deprecate-06

  ** Obsolete normative reference: RFC 5246 (Obsoleted by RFC 8446)


     Summary: 1 error (**), 0 flaws (~~), 2 warnings (==), 2 comments (--).

     Run idnits with the --verbose option for more detailed information about
     the items above.

--------------------------------------------------------------------------------


2	Network Working Group                                      L. Velvindron
3	Internet-Draft                                             cyberstorm.mu
4	Updates: 8314 (if approved)                                   S. Farrell
5	Intended status: Standards Track                  Trinity College Dublin
6	Expires: September 25, 2020                               March 24, 2020

8	     Deprecation of use of TLS 1.1 for Email Submission and Access
9	                    draft-ietf-uta-tls-for-email-05

11	Abstract

13	   This specification updates current recommendation for the use of
14	   Transport Layer Security (TLS) protocol to provide confidentiality of
15	   email between a Mail User Agent (MUA) and a Mail Submission Server or
16	   Mail Access Server.  This document updates RFC8314.

18	Status of This Memo

20	   This Internet-Draft is submitted in full conformance with the
21	   provisions of BCP 78 and BCP 79.

23	   Internet-Drafts are working documents of the Internet Engineering
24	   Task Force (IETF).  Note that other groups may also distribute
25	   working documents as Internet-Drafts.  The list of current Internet-
26	   Drafts is at https://datatracker.ietf.org/drafts/current/.

28	   Internet-Drafts are draft documents valid for a maximum of six months
29	   and may be updated, replaced, or obsoleted by other documents at any
30	   time.  It is inappropriate to use Internet-Drafts as reference
31	   material or to cite them other than as "work in progress."

33	   This Internet-Draft will expire on September 25, 2020.

35	Copyright Notice

37	   Copyright (c) 2020 IETF Trust and the persons identified as the
38	   document authors.  All rights reserved.

40	   This document is subject to BCP 78 and the IETF Trust's Legal
41	   Provisions Relating to IETF Documents
42	   (https://trustee.ietf.org/license-info) in effect on the date of
43	   publication of this document.  Please review these documents
44	   carefully, as they describe your rights and restrictions with respect
45	   to this document.  Code Components extracted from this document must
46	   include Simplified BSD License text as described in Section 4.e of
47	   the Trust Legal Provisions and are provided without warranty as
48	   described in the Simplified BSD License.

50	Table of Contents

52	   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   2
53	   2.  Conventions Used in This Document . . . . . . . . . . . . . .   2
54	   3.  Updates to RFC8314  . . . . . . . . . . . . . . . . . . . . .   2
55	   4.  IANA Considerations . . . . . . . . . . . . . . . . . . . . .   4
56	   5.  Security Considerations . . . . . . . . . . . . . . . . . . .   4
57	   6.  Acknowledgement . . . . . . . . . . . . . . . . . . . . . . .   4
58	   7.  References  . . . . . . . . . . . . . . . . . . . . . . . . .   5
59	     7.1.  Informative References  . . . . . . . . . . . . . . . . .   5
60	     7.2.  Normative References  . . . . . . . . . . . . . . . . . .   5
61	   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .   5

63	1.  Introduction

65	   [RFC8314] defines the minimum recommended version for TLS as version
66	   1.1.  Due to the deprecation of TLS 1.1 in
67	   [I-D.ietf-tls-oldversions-deprecate], this recommendation is no
68	   longer valid.  Therefore this document updates [RFC8314] so that the
69	   minimum version for TLS is TLS 1.2.

71	2.  Conventions Used in This Document

73	   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
74	   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
75	   document are to be interpreted as described in [RFC2119] when they
76	   appear in ALL CAPS.  These words may also appear in this document in
77	   lower case as plain English words, absent their normative meanings.

79	3.  Updates to RFC8314

81	   OLD:

83	   "4.1.  Deprecation of Services Using Cleartext and TLS Versions Less
84	   Than 1.1"

86	   NEW:

88	   "4.1.  Deprecation of Services Using Cleartext and TLS Versions Less
89	   Than 1.2"

91	   OLD:

93	   "As soon as practicable, MSPs currently supporting Secure Sockets
94	   Layer (SSL) 2.x, SSL 3.0, or TLS 1.0 SHOULD transition their users to
95	   TLS 1.1 or later and discontinue support for those earlier versions
96	   of SSL and TLS."
97	   NEW:

99	   "As soon as practicable, MSPs currently supporting Secure Sockets
100	   Layer (SSL) 2.x, SSL 3.0, TLS 1.0 or TLS 1.1 SHOULD transition their
101	   users to TLS 1.2 or later and discontinue support for those earlier
102	   versions of SSL and TLS."

104	   In Section 4.1, the text should be revised from:

106	   OLD:

108	   One way is for the server to refuse a ClientHello message from any
109	   client sending a ClientHello.version field corresponding to any
110	   version of SSL or TLS 1.0.

112	   NEW:

114	   One way is for the server to refuse a ClientHello message from any
115	   client sending a ClientHello.version field corresponding to any
116	   version of SSL or TLS earlier than TLS1.2.

118	   OLD:

120	   "It is RECOMMENDED that new users be required to use TLS version 1.1
121	   or greater from the start.  However, an MSP may find it necessary to
122	   make exceptions to accommodate some legacy systems that support only
123	   earlier versions of TLS or only cleartext."

125	   NEW:

127	   "It is RECOMMENDED that new users be required to use TLS version 1.2
128	   or greater from the start.  However, an MSP may find it necessary to
129	   make exceptions to accommodate some legacy systems that support only
130	   earlier versions of TLS or only cleartext."

132	   OLD:

134	   " If, however, an MUA provides such an indication, it MUST NOT
135	   indicate confidentiality for any connection that does not at least
136	   use TLS 1.1 with certificate verification and also meet the minimum
137	   confidentiality requirements associated with that account.  "

139	   NEW:

141	   " If, however, an MUA provides such an indication, it MUST NOT
142	   indicate confidentiality for any connection that does not at least
143	   use TLS 1.2 with certificate verification and also meet the minimum
144	   confidentiality requirements associated with that account.  "
145	   OLD

147	   " MUAs MUST implement TLS 1.2 [RFC5246] or later.  Earlier TLS and
148	   SSL versions MAY also be supported, so long as the MUA requires at
149	   least TLS 1.1 [RFC4346] when accessing accounts that are configured
150	   to impose minimum confidentiality requirements.  "

152	   NEW:

154	   " MUAs MUST implement TLS 1.2 [RFC5246] or later e.g TLS 1.3
155	   [RFC8446].  Earlier TLS and SSL versions MAY also be supported, so
156	   long as the MUA requires at least TLS 1.2 [RFC5246] when accessing
157	   accounts that are configured to impose minimum confidentiality
158	   requirements.  "

160	   OLD:

162	   " The default minimum expected level of confidentiality for all new
163	   accounts MUST require successful validation of the server's
164	   certificate and SHOULD require negotiation of TLS version 1.1 or
165	   greater.  (Future revisions to this specification may raise these
166	   requirements or impose additional requirements to address newly
167	   discovered weaknesses in protocols or cryptographic algorithms.  "

169	   NEW:

171	   " The default minimum expected level of confidentiality for all new
172	   accounts MUST require successful validation of the server's
173	   certificate and SHOULD require negotiation of TLS version 1.2 or
174	   greater.  (Future revisions to this specification may raise these
175	   requirements or impose additional requirements to address newly
176	   discovered weaknesses in protocols or cryptographic algorithms.  "

178	4.  IANA Considerations

180	   None of the proposed measures have an impact on IANA.

182	5.  Security Considerations

184	   The purpose of this document is to document updated recommendations
185	   for using TLS with Email services.  Those recommendations are based
186	   on [I-D.ietf-tls-oldversions-deprecate].

188	6.  Acknowledgement

190	   The authors would like to thank Vittorio Bertola and Viktor Dukhovni
191	   for their feedback.

193	7.  References

195	7.1.  Informative References

197	   [RFC4346]  Dierks, T. and E. Rescorla, "The Transport Layer Security
198	              (TLS) Protocol Version 1.1", RFC 4346,
199	              DOI 10.17487/RFC4346, April 2006,
200	              <https://www.rfc-editor.org/info/rfc4346>.

202	7.2.  Normative References

204	   [I-D.ietf-tls-oldversions-deprecate]
205	              Moriarty, K. and S. Farrell, "Deprecating TLSv1.0 and
206	              TLSv1.1", draft-ietf-tls-oldversions-deprecate-06 (work in
207	              progress), January 2020.

209	   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
210	              Requirement Levels", BCP 14, RFC 2119,
211	              DOI 10.17487/RFC2119, March 1997,
212	              <https://www.rfc-editor.org/info/rfc2119>.

214	   [RFC5246]  Dierks, T. and E. Rescorla, "The Transport Layer Security
215	              (TLS) Protocol Version 1.2", RFC 5246,
216	              DOI 10.17487/RFC5246, August 2008,
217	              <https://www.rfc-editor.org/info/rfc5246>.

219	   [RFC8314]  Moore, K. and C. Newman, "Cleartext Considered Obsolete:
220	              Use of Transport Layer Security (TLS) for Email Submission
221	              and Access", RFC 8314, DOI 10.17487/RFC8314, January 2018,
222	              <https://www.rfc-editor.org/info/rfc8314>.

224	   [RFC8446]  Rescorla, E., "The Transport Layer Security (TLS) Protocol
225	              Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018,
226	              <https://www.rfc-editor.org/info/rfc8446>.

228	Authors' Addresses

230	   Loganaden Velvindron
231	   cyberstorm.mu
232	   88 Avenue De Plevitz Roches Brunes
233	   Rose Hill  71259
234	   Mauritius

236	   Phone: +230 59762817
237	   Email: logan@cyberstorm.mu
238	   Stephen Farrell
239	   Trinity College Dublin
240	   Dublin  2
241	   Ireland

243	   Phone: +353-1-896-2354
244	   Email: stephen.farrell@cs.tcd.ie