Re: [auth48] AUTH48: RFC-to-be 9325 <draft-ietf-uta-rfc7525bis-11> for your review
Peter Saint-Andre <stpeter@stpeter.im> Sun, 20 November 2022 22:59 UTC
Return-Path: <stpeter@stpeter.im>
X-Original-To: auth48archive@ietfa.amsl.com
Delivered-To: auth48archive@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0F2D6C14CEE6; Sun, 20 Nov 2022 14:59:01 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, NICE_REPLY_A=-0.001, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=stpeter.im header.b=hiXDvIBV; dkim=pass (2048-bit key) header.d=messagingengine.com header.b=no0v5Zay
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id I4Zm8TNkjlRs; Sun, 20 Nov 2022 14:58:55 -0800 (PST)
Received: from wout4-smtp.messagingengine.com (wout4-smtp.messagingengine.com [64.147.123.20]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5F171C14F737; Sun, 20 Nov 2022 14:58:55 -0800 (PST)
Received: from compute1.internal (compute1.nyi.internal [10.202.2.41]) by mailout.west.internal (Postfix) with ESMTP id 8CFAA32000E5; Sun, 20 Nov 2022 17:58:53 -0500 (EST)
Received: from mailfrontend2 ([10.202.2.163]) by compute1.internal (MEProxy); Sun, 20 Nov 2022 17:58:54 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=stpeter.im; h=cc :cc:content-transfer-encoding:content-type:date:date:from:from :in-reply-to:in-reply-to:message-id:mime-version:references :reply-to:sender:subject:subject:to:to; s=fm2; t=1668985133; x= 1669071533; bh=efE4EKZNomSnlgs+ZWymn96VEalSfKmW/+LVWl1VSxc=; b=h iXDvIBVyq6ixXKbBc2lRvPYIgdowDnywKKH/qFwz9EjDLwxEdKlfWhLREJQdvZe9 T3yIMOEo7KFX6Qm20uX7M2eHoOquVP+aYimnkX4XAY/OlH1FuS8KV0LvAKnAr7Sx jlw5cOww11lcJJdh17snrLB2pMVOxG95ATK1IPjkKKv3AQe3YnpxZBXswbYk9j8W jTpfDEzAysbHaGTXOy7MrsI1Nil0Qn6sy/O3yMUi71f+GdNTv0qpWMmr3NYSd/hc 4nVfSMRJDs7ErUv7BU7/mAT0gqdDpDGZONXXLObmTdpoiw6MaNiMqQ6uA4wY269R Tva29gazLDHYOPiH3kjgg==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:cc:content-transfer-encoding :content-type:date:date:feedback-id:feedback-id:from:from :in-reply-to:in-reply-to:message-id:mime-version:references :reply-to:sender:subject:subject:to:to:x-me-proxy:x-me-proxy :x-me-sender:x-me-sender:x-sasl-enc; s=fm1; t=1668985133; x= 1669071533; bh=efE4EKZNomSnlgs+ZWymn96VEalSfKmW/+LVWl1VSxc=; b=n o0v5ZaynwyQEiuiSAJBh+nSU0X5qDjCa+FLa9K9sw+/yeBg6JUfpcrcgYA2f2jWm IzlkNCSbKd00zL3RJEa9+BP7hI8OY/1A5ZmxNFgrQnMoGJQ49XDJ4cGwzJV//7sE Okzmkyyd+0fx6GoAr57UDBie7ZW8M205XWecE0L4+Gwb2kqVYHEUAYY2TzB5HM4J eKlMyp4EyffTKw6unCB2hhkLiq940Wk1cFaeDg5eIQUsuth4/9G2ZIq21Xl7gVI5 KvvQM+Y7WUoXnjyudyuCl0L/HYsHeHn/5xNgFtTxSCeKxCHyFljmnkKGWRwOUVF8 TsQfyrohE8AuKYrefDCzw==
X-ME-Sender: <xms:LLF6Yx17agaXx3TKrDrKQiZjAEJfQtO5qDdynmm11KEHhjNPmr2pjw> <xme:LLF6Y4GVpFIZu6FqKBKiIBO_Z75V3DnTKLqBnyb1jM5vz6ziFlT1DgCs-ZL1y2lPq eeQN2CNtzJYzTi6xg>
X-ME-Received: <xmr:LLF6Yx7msbaGC09CdKYxoVWweMyTP2S-EqNQlDntueaYRvvBE4YGWz01Ml3MEUty>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedvgedrheehgddtudcutefuodetggdotefrodftvf curfhrohhfihhlvgemucfhrghsthforghilhdpqfgfvfdpuffrtefokffrpgfnqfghnecu uegrihhlohhuthemuceftddtnecusecvtfgvtghiphhivghnthhsucdlqddutddtmdenuc fjughrpefkffggfgfvvehfhffujggtgfesthejredttdefjeenucfhrhhomheprfgvthgv rhcuufgrihhnthdqtehnughrvgcuoehsthhpvghtvghrsehsthhpvghtvghrrdhimheqne cuggftrfgrthhtvghrnhepveegjeegieeijedtvddvveefhfelheevleeuffffffegiedv ieetudfhledttdefnecuffhomhgrihhnpehhthhtphhovhgvrhhtlhhsrhgvrgguvghrsh grrhgvrhgvfhgvrhhrvgguthhorhhftgekgeejtdhfohhrghhuihgurghntggvrdhnvgif necuvehluhhsthgvrhfuihiivgeptdenucfrrghrrghmpehmrghilhhfrhhomhepshhtph gvthgvrhesshhtphgvthgvrhdrihhm
X-ME-Proxy: <xmx:LLF6Y-1aCQtN_NTqJeJX3LybVwo2Iv93Vv3LxD_azgj7aMpFfknE3Q> <xmx:LLF6Y0FpbK97W0IkLWBOIh0PywXqA8TWXA3eAB1XPjMRZuXQ1c6SfQ> <xmx:LLF6Y__Si_7sCjlZvcZGwJ2qHc-VYStiuwpEKxQJnUr5A4W27diABA> <xmx:LbF6Y_2B0lXYTmmIglxb9SUC4c90kI9n9VyFzt3S_YNhyO1L7S3mDA>
Feedback-ID: i24394279:Fastmail
Received: by mail.messagingengine.com (Postfix) with ESMTPA; Sun, 20 Nov 2022 17:58:51 -0500 (EST)
Message-ID: <dfaebbee-4a5e-df98-07b0-198994126695@stpeter.im>
Date: Sun, 20 Nov 2022 15:58:50 -0700
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:102.0) Gecko/20100101 Thunderbird/102.4.2
Content-Language: en-US
To: Thomas Fossati <Thomas.Fossati@arm.com>, Yaron Sheffer <yaronf.ietf@gmail.com>, "rfc-editor@rfc-editor.org" <rfc-editor@rfc-editor.org>
Cc: "uta-ads@ietf.org" <uta-ads@ietf.org>, "uta-chairs@ietf.org" <uta-chairs@ietf.org>, "leifj@sunet.se" <leifj@sunet.se>, "francesca.palombini@ericsson.com" <francesca.palombini@ericsson.com>, "auth48archive@rfc-editor.org" <auth48archive@rfc-editor.org>
References: <20221118195334.3D06C55F7E@rfcpa.amsl.com> <DB9PR08MB65242DE7542344E28F46B2559C099@DB9PR08MB6524.eurprd08.prod.outlook.com> <a57597a6-e092-4c32-6ceb-4e26ae0cfca1@stpeter.im> <e437882f-58c8-b3bd-58f2-1fed3d4c7ad4@stpeter.im> <DB9PR08MB65242A0D40CD7B15C67A59F09C089@DB9PR08MB6524.eurprd08.prod.outlook.com> <CED132CB-7304-47AB-B925-D032FF260BAC@gmail.com> <DB9PR08MB6524B3C53D9AB6714E07A0DC9C0B9@DB9PR08MB6524.eurprd08.prod.outlook.com>
From: Peter Saint-Andre <stpeter@stpeter.im>
In-Reply-To: <DB9PR08MB6524B3C53D9AB6714E07A0DC9C0B9@DB9PR08MB6524.eurprd08.prod.outlook.com>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/auth48archive/BcVY6LYNDcc2-TQ0c9T3Y_yMFaQ>
Subject: Re: [auth48] AUTH48: RFC-to-be 9325 <draft-ietf-uta-rfc7525bis-11> for your review
X-BeenThere: auth48archive@rfc-editor.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Archiving AUTH48 exchanges between the RFC Production Center, the authors, and other related parties" <auth48archive.rfc-editor.org>
List-Unsubscribe: <https://mailman.rfc-editor.org/mailman/options/auth48archive>, <mailto:auth48archive-request@rfc-editor.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/auth48archive/>
List-Post: <mailto:auth48archive@rfc-editor.org>
List-Help: <mailto:auth48archive-request@rfc-editor.org?subject=help>
List-Subscribe: <https://mailman.rfc-editor.org/mailman/listinfo/auth48archive>, <mailto:auth48archive-request@rfc-editor.org?subject=subscribe>
X-List-Received-Date: Sun, 20 Nov 2022 22:59:01 -0000
I concur with the changes proposed by Thomas and Yaron, with one exception below. I've also completed a full read and have a few small items as well... 1. Introduction OLD Naturally, future attacks are likely, and this document does not address them. NEW Naturally, future attacks are likely, and this document cannot address them. 3.1.1. SSL/TLS Protocol Versions CBC is not spelled out on first use (although it is spelled out in Section 4.2); it's actually used in the Introduction but only in the name of the AES-CBC cipher suite, so I propose that we spell it out here. OLD In addition, TLS 1.0 lacks a per- record Initialization Vector (IV) for CBC-based cipher suites and does not warn against common padding errors. NEW In addition, TLS 1.0 lacks a per- record Initialization Vector (IV) for cipher suites based on cipher block chaining (CBC) and does not warn against common padding errors. This is a very long sentence, which I suggest changing as follows: OLD In most application protocols that reuse TLS and DTLS, there is no immediate need to migrate solely to TLS 1.3 and proactively deprecate TLS 1.2, especially because the existence of large numbers of application clients dependent on TLS libraries or operating systems that do not yet support TLS 1.3 would introduce significant interoperability issues, thus harming security more than helping it. NEW In most application protocols that reuse TLS and DTLS, there is no immediate need to migrate solely to TLS 1.3. Indeed, because many application clients are dependent on TLS libraries or operating systems that do not yet support TLS 1.3, proactively deprecating TLS 1.2 would introduce significant interoperability issues, thus harming security more than helping it. There is an inconsistency between the following statements: New application protocols that employ TLS/DTLS for channel or session encryption MUST integrate with both TLS/DTLS versions 1.2 and 1.3; and new application protocols that reuse TLS MAY support both TLS 1.3 and TLS 1.2 in order to take advantage of underlying library or operating system support for both versions. I suggest changing MAY to MUST in the second statement. 3.1.3 Fallback to Lower Versions OLD We note that as a result of that NEW As a result, 3.2. Strict TLS OLD When a protocol supports only a dynamic upgrade, NEW When a protocol supports only a dynamic upgrade method, 3.3.1. Certificate Compression Question for my co-authors: should the title of this section be "Certificate Chains" instead of "Certificate Compression"? 3.4 TLS Session Resumption PSK is not spelled out on first use. I suggest: OLD For TLS 1.3, a more secure PSK-based mechanism is described in Section 4.6.1 of [RFC8446]. NEW For TLS 1.3, a more secure mechanism based on the use of a pre-shared key (PSK) is described in Section 4.6.1 of [RFC8446]. 3.10. Zero Round-Trip Time (0-RTT) Data in TLS 1.3 OLD Typically, this extends to both the TLS library as well as protocol layers above it. NEW Typically, this extends to the TLS library as well as protocol layers above it. OLD For use in HTTP over TLS, readers are referred to [RFC8470] for guidance. NEW For HTTP over TLS, refer to [RFC8470]. 4.1 General Guidelines OLD Consequently, they need to be phased out over time and replaced with more secure cipher suites. NEW Consequently, cipher suites using weak algorithms need to be phased out and replaced with more secure cipher suites. There's a bad line break here: Rationale: The NULL cipher suites do not encrypt traffic and so provide no confidentiality services. Any entity in the network with access to the connection can view the plaintext of contents being exchanged by the client and server. Nevertheless, this document does not discourage software from implementing NULL cipher suites, since they can be useful for testing and debugging. 4.2 Cipher Suites for TLS 1.2 OLD Typically, in order to prefer these suites, the order of suites needs to be explicitly configured in server software. NEW Typically, to prefer these suites, the order of suites needs to be explicitly configured in server software. OLD to avoid predictable or repeated nonces (that would allow revealing the long term signing key) NEW to avoid predictable or repeated nonces (which could reveal the long-term signing key) OLD While most fault attacks NEW While most fault injection attacks 4.2.1 Implementation Details Question for my co-authors regarding this sentence: "Other application protocols specify other cipher suites as mandatory to implement (MTI)." Do we mean that they "MAY specify" or do we intend to merely make a factual statement? 4.5 Public Key Length Question for my co-authors regarding this sentence: "The Logjam attack [Logjam] further demonstrates that 1024-bit Diffie-Hellman parameters should be avoided." Do we mean SHOULD? 5.1 Security Services OLD clients are user agents like web browsers or email software. NEW clients are user agents like web browsers or email clients. 7.1. Host Name Validation OLD In addition, that RFC contains a long list of example protocols NEW In addition, that RFC contains a long list of application protocols Should we spell out PKI on first use? 7.5. Certificate Revocation OLD * OCSP stapling as used in TLS 1.2 does not extend to intermediate certificates within a certificate chain. The Multiple Certificate Status extension [RFC6961] addresses this shortcoming, but it has seen little deployment and had been deprecated by [RFC8446]. As a result, we no longer recommend this extension for TLS 1.2. NEW * OCSP stapling as used in TLS 1.2 does not extend to intermediate certificates within a certificate chain. The Multiple Certificate Status extension [RFC6961] addresses this shortcoming, but it has seen little deployment and had been deprecated by [RFC8446]. As a result, although this extension was recommended for TLS 1.2 in [RFC7525], it is no longer recommended by this document. 8.2. Informative References Question for the RPC: I noticed that a few RFCs cited informationally in this document use descriptive names, not RFC numbers: [DANE-SMTP], [DANE-SRV], [DEP-SSLv3], and [HTTP-SEMA] (also [HTTP1.1] and [HTTP2]). Does the RPC have a preference here? It struck me as strange that just a few RFCs were not cited by number. Personally I would prefer changing these descriptive names to RFC numbers, but it's not a hill for me to die on. Finally, see below for one text tweak. On 11/20/22 9:08 AM, Thomas Fossati wrote: > OLD > > was published when the industry was in the midst of its transition to > TLS 1.2. > > NEW > > was published when the industry was amid its transition to TLS 1.2. > > --- To my ear, that doesn't sound quite right in English. I suggest either the OLD text or: was published when the industry was transitioning to TLS 1.2 That's it! Many thanks to our RPC colleagues for their work on this document. Peter
- Re: [auth48] [AD] AUTH48: RFC-to-be 9325 <draft-i… Karen Moore
- [auth48] AUTH48: RFC-to-be 9325 <draft-ietf-uta-r… rfc-editor
- Re: [auth48] AUTH48: RFC-to-be 9325 <draft-ietf-u… rfc-editor
- Re: [auth48] AUTH48: RFC-to-be 9325 <draft-ietf-u… Thomas Fossati
- Re: [auth48] AUTH48: RFC-to-be 9325 <draft-ietf-u… Thomas Fossati
- Re: [auth48] AUTH48: RFC-to-be 9325 <draft-ietf-u… Peter Saint-Andre
- Re: [auth48] AUTH48: RFC-to-be 9325 <draft-ietf-u… Yaron Sheffer
- Re: [auth48] AUTH48: RFC-to-be 9325 <draft-ietf-u… Peter Saint-Andre
- Re: [auth48] AUTH48: RFC-to-be 9325 <draft-ietf-u… Thomas Fossati
- Re: [auth48] AUTH48: RFC-to-be 9325 <draft-ietf-u… Yaron Sheffer
- Re: [auth48] AUTH48: RFC-to-be 9325 <draft-ietf-u… Thomas Fossati
- Re: [auth48] AUTH48: RFC-to-be 9325 <draft-ietf-u… Peter Saint-Andre
- Re: [auth48] AUTH48: RFC-to-be 9325 <draft-ietf-u… Yaron Sheffer
- Re: [auth48] AUTH48: RFC-to-be 9325 <draft-ietf-u… Thomas Fossati
- Re: [auth48] AUTH48: RFC-to-be 9325 <draft-ietf-u… Peter Saint-Andre
- [auth48] [AD] Re: AUTH48: RFC-to-be 9325 <draft-i… Karen Moore
- Re: [auth48] [AD] Re: AUTH48: RFC-to-be 9325 <dra… Peter Saint-Andre
- Re: [auth48] [AD] Re: AUTH48: RFC-to-be 9325 <dra… Peter Saint-Andre
- Re: [auth48] [AD] Re: AUTH48: RFC-to-be 9325 <dra… Thomas Fossati
- Re: [auth48] [AD] AUTH48: RFC-to-be 9325 <draft-i… Yaron Sheffer
- Re: [auth48] [AD] AUTH48: RFC-to-be 9325 <draft-i… Peter Saint-Andre
- Re: [auth48] [AD] AUTH48: RFC-to-be 9325 <draft-i… Karen Moore
- Re: [auth48] [AD] AUTH48: RFC-to-be 9325 <draft-i… Thomas Fossati
- Re: [auth48] [AD] AUTH48: RFC-to-be 9325 <draft-i… Karen Moore
- Re: [auth48] [AD] Re: AUTH48: RFC-to-be 9325 <dra… Francesca Palombini
- Re: [auth48] [AD] Re: AUTH48: RFC-to-be 9325 <dra… Thomas Fossati
- Re: [auth48] [AD] Re: AUTH48: RFC-to-be 9325 <dra… Yaron Sheffer
- Re: [auth48] [AD] Re: AUTH48: RFC-to-be 9325 <dra… Peter Saint-Andre
- Re: [auth48] [AD] AUTH48: RFC-to-be 9325 <draft-i… Karen Moore
- Re: [auth48] [AD] AUTH48: RFC-to-be 9325 <draft-i… Thomas Fossati