IETFで、TLS1.0とTLS1.1を正式に非推奨にする「RFC 8996 Deprecating TLS 1.0 and TLS 1.1」が公開されました。
新しいプロトコルへの移行期間は十分であるとし、TLS1.0, TLS1.1, DTLS1.0は廃止となり、TLS 1.2, TLS1.3, DTLS 1.2のみが使用できます。表現としても、MUST NOTで利用を禁止しています。
2015年に公開された、TLS利用時の推奨事項を定めたRFC7525がありますが、今回の禁止内容も含めて改定作業が開始されています。詳細については以前書いたとおり
asnokaze.hatenablog.com
更新されるRFC
TLS1.2以上では無用な、下記のRFCがobsleteされます
- RFC 5469: DES and IDEA Cipher Suites for Transport Layer Security
- RFC 7507: TLS Fallback Signaling Cipher Suite Value (SCSV) for Preventing Protocol Downgrade Attacks
下記のRFCの内容が更新されます
- RFC 3261: SIP: Session Initiation Protocol
- RFC 3329: Security Mechanism Agreement for the Session Initiation Protocol (SIP)
- RFC 3436: Transport Layer Security over Stream Control Transmission Protocol
- RFC 3470: Guidelines for the Use of Extensible Markup Language (XML) within IETF Protocols
- RFC 3501: INTERNET MESSAGE ACCESS PROTOCOL - VERSION 4rev1
- RFC 3552: Guidelines for Writing RFC Text on Security Considerations
- RFC 3568: Known Content Network (CN) Request-Routing Mechanisms
- RFC 3656: The Mailbox Update (MUPDATE) Distributed Mailbox Database Protocol
- RFC 3749: Transport Layer Security Protocol Compression Methods
- RFC 3767: Securely Available Credentials Protocol
- RFC 3856: A Presence Event Package for the Session Initiation Protocol (SIP)
- RFC 3871: Operational Security Requirements for Large Internet Service Provider (ISP) IP Network Infrastructure
- RFC 3887: Message Tracking Query Protocol
- RFC 3903: Session Initiation Protocol (SIP) Extension for Event State Publication
- RFC 3943: Transport Layer Security (TLS) Protocol Compression Using Lempel-Ziv-Stac (LZS)
- RFC 3983: Using the Internet Registry Information Service (IRIS) over the Blocks Extensible Exchange Protocol (BEEP)
- RFC 4097: Middlebox Communications (MIDCOM) Protocol Evaluation
- RFC 4111: Security Framework for Provider-Provisioned Virtual Private Networks (PPVPNs)
- RFC 4162: Addition of SEED Cipher Suites to Transport Layer Security (TLS)
- RFC 4168: The Stream Control Transmission Protocol (SCTP) as a Transport for the Session Initiation Protocol (SIP)
- RFC 4217: Securing FTP with TLS
- RFC 4235: An INVITE-Initiated Dialog Event Package for the Session Initiation Protocol (SIP)
- RFC 4261: Common Open Policy Service (COPS) Over Transport Layer Security (TLS)
- RFC 4279: Pre-Shared Key Ciphersuites for Transport Layer Security (TLS)
- RFC 4497: Interworking between the Session Initiation Protocol (SIP) and QSIG
- RFC 4513: Lightweight Directory Access Protocol (LDAP): Authentication Methods and Security Mechanisms
- RFC 4531: Lightweight Directory Access Protocol (LDAP) Turn Operation
- RFC 4540: NEC's Simple Middlebox Configuration (SIMCO) Protocol Version 3.0
- RFC 4582: The Binary Floor Control Protocol (BFCP)
- RFC 4616: The PLAIN Simple Authentication and Security Layer (SASL) Mechanism
- RFC 4642: Using Transport Layer Security (TLS) with Network News Transfer Protocol (NNTP)
- RFC 4680: TLS Handshake Message for Supplemental Data
- RFC 4681: TLS User Mapping Extension
- RFC 4712: Transport Mappings for Real-time Application Quality-of-Service Monitoring (RAQMON) Protocol Data Unit (PDU)
- RFC 4732: Internet Denial-of-Service Considerations
- RFC 4743: Using NETCONF over the Simple Object Access Protocol (SOAP)
- RFC 4744: Using the NETCONF Protocol over the Blocks Extensible Exchange Protocol (BEEP)
- RFC 4785: Pre-Shared Key (PSK) Ciphersuites with NULL Encryption for Transport Layer Security (TLS)
- RFC 4791: Calendaring Extensions to WebDAV (CalDAV)
- RFC 4823: FTP Transport for Secure Peer-to-Peer Business Data Interchange over the Internet
- RFC 4851: The Flexible Authentication via Secure Tunneling Extensible Authentication Protocol Method (EAP-FAST)
- RFC 4964: The P-Answer-State Header Extension to the Session Initiation Protocol for the Open Mobile Alliance Push to Talk over Cellular
- RFC 4975: The Message Session Relay Protocol (MSRP)
- RFC 4976: Relay Extensions for the Message Sessions Relay Protocol (MSRP)
- RFC 4992: XML Pipelining with Chunks for the Internet Registry Information Service
- RFC 5018: Connection Establishment in the Binary Floor Control Protocol (BFCP)
- RFC 5019: The Lightweight Online Certificate Status Protocol (OCSP) Profile for High-Volume Environments
- RFC 5023: The Atom Publishing Protocol
- RFC 5024: ODETTE File Transfer Protocol 2.0
- RFC 5049: Applying Signaling Compression (SigComp) to the Session Initiation Protocol (SIP)
- RFC 5054: Using the Secure Remote Password (SRP) Protocol for TLS Authentication
- RFC 5091: Identity-Based Cryptography Standard (IBCS) #1: Supersingular Curve Implementations of the BF and BB1 Cryptosystems
- RFC 5158: 6to4 Reverse DNS Delegation Specification
- RFC 5216: The EAP-TLS Authentication Protocol
- RFC 5238: Datagram Transport Layer Security (DTLS) over the Datagram Congestion Control Protocol (DCCP)
- RFC 5263: Session Initiation Protocol (SIP) Extension for Partial Notification of Presence Information
- RFC 5281: Extensible Authentication Protocol Tunneled Transport Layer Security Authenticated Protocol Version 0 (EAP-TTLSv0)
- RFC 5364: Extensible Markup Language (XML) Format Extension for Representing Copy Control Attributes in Resource Lists
- RFC 5415: Control And Provisioning of Wireless Access Points (CAPWAP) Protocol Specification
- RFC 5422: Dynamic Provisioning Using Flexible Authentication via Secure Tunneling Extensible Authentication Protocol (EAP-FAST)
- RFC 5456: IAX: Inter-Asterisk eXchange Version 2
- RFC 5734: Extensible Provisioning Protocol (EPP) Transport over TCP
- RFC 5878: Transport Layer Security (TLS) Authorization Extensions
- RFC 5953: Transport Layer Security (TLS) Transport Model for the Simple Network Management Protocol (SNMP)
- RFC 6012: Datagram Transport Layer Security (DTLS) Transport Mapping for Syslog
- RFC 6042: Transport Layer Security (TLS) Authorization Using KeyNote
- RFC 6083: Datagram Transport Layer Security (DTLS) for Stream Control Transmission Protocol (SCTP)
- RFC 6084: General Internet Signaling Transport (GIST) over Stream Control Transmission Protocol (SCTP) and Datagram Transport Layer Security (DTLS)
- RFC 6176: Prohibiting Secure Sockets Layer (SSL) Version 2.0
- RFC 6347: Datagram Transport Layer Security Version 1.2
- RFC 6353: Transport Layer Security (TLS) Transport Model for the Simple Network Management Protocol (SNMP)
- RFC 6367: Addition of the Camellia Cipher Suites to Transport Layer Security (TLS)
- RFC 6460: Suite B Profile for Transport Layer Security (TLS)
- RFC 6614: Transport Layer Security (TLS) Encryption for RADIUS
- RFC 6739: Synchronizing Service Boundaries and <mapping> Elements Based on the Location-to-Service Translation (LoST) Protocol
- RFC 6749: The OAuth 2.0 Authorization Framework
- RFC 6750: The OAuth 2.0 Authorization Framework: Bearer Token Usage
- RFC 7030: Enrollment over Secure Transport
- RFC 7465: Prohibiting RC4 Cipher Suites
- RFC 7525: Recommendations for Secure Use of Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS)
- RFC 7562: Transport Layer Security (TLS) Authorization Using Digital Transmission Content Protection (DTCP) Certificates
- RFC 7568: Deprecating Secure Sockets Layer Version 3.0
- RFC 8261: Datagram Transport Layer Security (DTLS) Encapsulation of SCTP Packets
- RFC 8422: Elliptic Curve Cryptography (ECC) Cipher Suites for Transport Layer Security (TLS) Versions 1.2 and Earlier