| draft-ietf-uta-tls-for-email-04.txt | draft-ietf-uta-tls-for-email-05.txt | |||
|---|---|---|---|---|
| Network Working Group L. Velvindron | Network Working Group L. Velvindron | |||
| Internet-Draft cyberstorm.mu | Internet-Draft cyberstorm.mu | |||
| Updates: 8314 (if approved) S. Farrell | Updates: 8314 (if approved) S. Farrell | |||
| Intended status: Standards Track Trinity College Dublin | Intended status: Standards Track Trinity College Dublin | |||
| Expires: July 26, 2020 January 23, 2020 | Expires: September 25, 2020 March 24, 2020 | |||
| Deprecation of use of TLS 1.1 for Email Submission and Access | Deprecation of use of TLS 1.1 for Email Submission and Access | |||
| draft-ietf-uta-tls-for-email-04 | draft-ietf-uta-tls-for-email-05 | |||
| Abstract | Abstract | |||
| This specification updates current recommendation for the use of | This specification updates current recommendation for the use of | |||
| Transport Layer Security (TLS) protocol to provide confidentiality of | Transport Layer Security (TLS) protocol to provide confidentiality of | |||
| email between a Mail User Agent (MUA) and a Mail Submission Server or | email between a Mail User Agent (MUA) and a Mail Submission Server or | |||
| Mail Access Server. This document updates RFC8314. | Mail Access Server. This document updates RFC8314. | |||
| Status of This Memo | Status of This Memo | |||
| skipping to change at page 1, line 34 ¶ | skipping to change at page 1, line 34 ¶ | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
| working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
| Drafts is at https://datatracker.ietf.org/drafts/current/. | Drafts is at https://datatracker.ietf.org/drafts/current/. | |||
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| This Internet-Draft will expire on July 26, 2020. | This Internet-Draft will expire on September 25, 2020. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2020 IETF Trust and the persons identified as the | Copyright (c) 2020 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
| (https://trustee.ietf.org/license-info) in effect on the date of | (https://trustee.ietf.org/license-info) in effect on the date of | |||
| publication of this document. Please review these documents | publication of this document. Please review these documents | |||
| skipping to change at page 2, line 13 ¶ | skipping to change at page 2, line 13 ¶ | |||
| described in the Simplified BSD License. | described in the Simplified BSD License. | |||
| Table of Contents | Table of Contents | |||
| 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 | 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 | |||
| 2. Conventions Used in This Document . . . . . . . . . . . . . . 2 | 2. Conventions Used in This Document . . . . . . . . . . . . . . 2 | |||
| 3. Updates to RFC8314 . . . . . . . . . . . . . . . . . . . . . 2 | 3. Updates to RFC8314 . . . . . . . . . . . . . . . . . . . . . 2 | |||
| 4. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 4 | 4. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 4 | |||
| 5. Security Considerations . . . . . . . . . . . . . . . . . . . 4 | 5. Security Considerations . . . . . . . . . . . . . . . . . . . 4 | |||
| 6. Acknowledgement . . . . . . . . . . . . . . . . . . . . . . . 4 | 6. Acknowledgement . . . . . . . . . . . . . . . . . . . . . . . 4 | |||
| 7. References . . . . . . . . . . . . . . . . . . . . . . . . . 4 | 7. References . . . . . . . . . . . . . . . . . . . . . . . . . 5 | |||
| 7.1. Informative References . . . . . . . . . . . . . . . . . 4 | 7.1. Informative References . . . . . . . . . . . . . . . . . 5 | |||
| 7.2. Normative References . . . . . . . . . . . . . . . . . . 5 | 7.2. Normative References . . . . . . . . . . . . . . . . . . 5 | |||
| Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 5 | Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 5 | |||
| 1. Introduction | 1. Introduction | |||
| [RFC8314] defines the minimum recommended version for TLS as version | [RFC8314] defines the minimum recommended version for TLS as version | |||
| 1.1. Due to the deprecation of TLS 1.1 in | 1.1. Due to the deprecation of TLS 1.1 in | |||
| [I-D.ietf-tls-oldversions-deprecate], this recommendation is no | [I-D.ietf-tls-oldversions-deprecate], this recommendation is no | |||
| longer valid. Therefore this document updates [RFC8314] so that the | longer valid. Therefore this document updates [RFC8314] so that the | |||
| minimum version for TLS is TLS 1.2. | minimum version for TLS is TLS 1.2. | |||
| skipping to change at page 2, line 46 ¶ | skipping to change at page 2, line 46 ¶ | |||
| OLD: | OLD: | |||
| "4.1. Deprecation of Services Using Cleartext and TLS Versions Less | "4.1. Deprecation of Services Using Cleartext and TLS Versions Less | |||
| Than 1.1" | Than 1.1" | |||
| NEW: | NEW: | |||
| "4.1. Deprecation of Services Using Cleartext and TLS Versions Less | "4.1. Deprecation of Services Using Cleartext and TLS Versions Less | |||
| Than 1.2" | Than 1.2" | |||
| OLD | OLD: | |||
| "As soon as practicable, MSPs currently supporting Secure Sockets | "As soon as practicable, MSPs currently supporting Secure Sockets | |||
| Layer (SSL) 2.x, SSL 3.0, or TLS 1.0 SHOULD transition their users to | Layer (SSL) 2.x, SSL 3.0, or TLS 1.0 SHOULD transition their users to | |||
| TLS 1.1 or later and discontinue support for those earlier versions | TLS 1.1 or later and discontinue support for those earlier versions | |||
| of SSL and TLS." | of SSL and TLS." | |||
| NEW: | NEW: | |||
| "As soon as practicable, MSPs currently supporting Secure Sockets | "As soon as practicable, MSPs currently supporting Secure Sockets | |||
| Layer (SSL) 2.x, SSL 3.0, TLS 1.0 or TLS 1.1 SHOULD transition their | Layer (SSL) 2.x, SSL 3.0, TLS 1.0 or TLS 1.1 SHOULD transition their | |||
| users to TLS 1.2 or later and discontinue support for those earlier | users to TLS 1.2 or later and discontinue support for those earlier | |||
| versions of SSL and TLS." | versions of SSL and TLS." | |||
| In Section 4.1, the text should be revised from: | ||||
| OLD: | OLD: | |||
| In Section 4.1, the text should be revised from: "It is RECOMMENDED | One way is for the server to refuse a ClientHello message from any | |||
| that new users be required to use TLS version 1.1 or greater from the | client sending a ClientHello.version field corresponding to any | |||
| start. However, an MSP may find it necessary to make exceptions to | version of SSL or TLS 1.0. | |||
| accommodate some legacy systems that support only earlier versions of | ||||
| TLS or only cleartext." | NEW: | |||
| One way is for the server to refuse a ClientHello message from any | ||||
| client sending a ClientHello.version field corresponding to any | ||||
| version of SSL or TLS earlier than TLS1.2. | ||||
| OLD: | ||||
| "It is RECOMMENDED that new users be required to use TLS version 1.1 | ||||
| or greater from the start. However, an MSP may find it necessary to | ||||
| make exceptions to accommodate some legacy systems that support only | ||||
| earlier versions of TLS or only cleartext." | ||||
| NEW: | NEW: | |||
| "It is RECOMMENDED that new users be required to use TLS version 1.2 | "It is RECOMMENDED that new users be required to use TLS version 1.2 | |||
| or greater from the start. However, an MSP may find it necessary to | or greater from the start. However, an MSP may find it necessary to | |||
| make exceptions to accommodate some legacy systems that support only | make exceptions to accommodate some legacy systems that support only | |||
| earlier versions of TLS or only cleartext." | earlier versions of TLS or only cleartext." | |||
| OLD: | OLD: | |||
| " If, however, an MUA provides such an indication, it MUST NOT | " If, however, an MUA provides such an indication, it MUST NOT | |||
| indicate confidentiality for any connection that does not at least | indicate confidentiality for any connection that does not at least | |||
| use TLS 1.1 with certificate verification and also meet the minimum | use TLS 1.1 with certificate verification and also meet the minimum | |||
| confidentiality requirements associated with that account. " | confidentiality requirements associated with that account. " | |||
| NEW: | NEW: | |||
| " If, however, an MUA provides such an indication, it MUST NOT | " If, however, an MUA provides such an indication, it MUST NOT | |||
| indicate confidentiality for any connection that does not at least | indicate confidentiality for any connection that does not at least | |||
| use TLS 1.2 with certificate verification and also meet the minimum | use TLS 1.2 with certificate verification and also meet the minimum | |||
| confidentiality requirements associated with that account. " | confidentiality requirements associated with that account. " | |||
| OLD | OLD | |||
| " MUAs MUST implement TLS 1.2 [RFC5246] or later. Earlier TLS and | " MUAs MUST implement TLS 1.2 [RFC5246] or later. Earlier TLS and | |||
| SSL versions MAY also be supported, so long as the MUA requires at | SSL versions MAY also be supported, so long as the MUA requires at | |||
| least TLS 1.1 [RFC4346] when accessing accounts that are configured | least TLS 1.1 [RFC4346] when accessing accounts that are configured | |||
| to impose minimum confidentiality requirements. " | to impose minimum confidentiality requirements. " | |||
| NEW: | NEW: | |||
| " MUAs MUST implement TLS 1.2 [RFC5246] or later e.g TLS 1.3 | " MUAs MUST implement TLS 1.2 [RFC5246] or later e.g TLS 1.3 | |||
| [RFC8446]. Earlier TLS and SSL versions MAY also be supported, so | [RFC8446]. Earlier TLS and SSL versions MAY also be supported, so | |||
| long as the MUA requires at least TLS 1.2 [RFC5246] when accessing | long as the MUA requires at least TLS 1.2 [RFC5246] when accessing | |||
| accounts that are configured to impose minimum confidentiality | accounts that are configured to impose minimum confidentiality | |||
| requirements. " | requirements. " | |||
| OLD: | OLD: | |||
| " The default minimum expected level of confidentiality for all new | " The default minimum expected level of confidentiality for all new | |||
| accounts MUST require successful validation of the server's | accounts MUST require successful validation of the server's | |||
| certificate and SHOULD require negotiation of TLS version 1.1 or | certificate and SHOULD require negotiation of TLS version 1.1 or | |||
| greater. (Future revisions to this specification may raise these | greater. (Future revisions to this specification may raise these | |||
| requirements or impose additional requirements to address newly | requirements or impose additional requirements to address newly | |||
| discovered weaknesses in protocols or cryptographic algorithms. " | discovered weaknesses in protocols or cryptographic algorithms. " | |||
| NEW: | NEW: | |||
| " The default minimum expected level of confidentiality for all new | " The default minimum expected level of confidentiality for all new | |||
| accounts MUST require successful validation of the server's | accounts MUST require successful validation of the server's | |||
| certificate and SHOULD require negotiation of TLS version 1.2 or | certificate and SHOULD require negotiation of TLS version 1.2 or | |||
| greater. (Future revisions to this specification may raise these | greater. (Future revisions to this specification may raise these | |||
| requirements or impose additional requirements to address newly | requirements or impose additional requirements to address newly | |||
| discovered weaknesses in protocols or cryptographic algorithms. " | discovered weaknesses in protocols or cryptographic algorithms. " | |||
| 4. IANA Considerations | 4. IANA Considerations | |||
| None of the proposed measures have an impact on IANA. | None of the proposed measures have an impact on IANA. | |||
| 5. Security Considerations | 5. Security Considerations | |||
| The purpose of this document is to document updated recommendations | The purpose of this document is to document updated recommendations | |||
| for using TLS with Email services. Those recommendations are based | for using TLS with Email services. Those recommendations are based | |||
| on [I-D.ietf-tls-oldversions-deprecate]. | on [I-D.ietf-tls-oldversions-deprecate]. | |||
| End of changes. 13 change blocks. | ||||
| 18 lines changed or deleted | 30 lines changed or added | |||
This html diff was produced by rfcdiff 1.47. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||