Re: TLS 1.1/1.2 impact on applications protocols
Brian E Carpenter <brc@zurich.ibm.com> Wed, 31 January 2007 10:43 UTC
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com)
by megatron.ietf.org with esmtp (Exim 4.43)
id 1HCCwL-0003gq-VB; Wed, 31 Jan 2007 05:43:45 -0500
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org)
by megatron.ietf.org with esmtp (Exim 4.43) id 1HCCwK-0003gi-4a
for discuss@apps.ietf.org; Wed, 31 Jan 2007 05:43:44 -0500
Received: from mtagate7.de.ibm.com ([195.212.29.156])
by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1HCCwD-0007gk-Oo
for discuss@apps.ietf.org; Wed, 31 Jan 2007 05:43:44 -0500
Received: from d12nrmr1607.megacenter.de.ibm.com
(d12nrmr1607.megacenter.de.ibm.com [9.149.167.49])
by mtagate7.de.ibm.com (8.13.8/8.13.8) with ESMTP id l0VAhanB145544
for <discuss@apps.ietf.org>; Wed, 31 Jan 2007 10:43:36 GMT
Received: from d12av04.megacenter.de.ibm.com (d12av04.megacenter.de.ibm.com
[9.149.165.229])
by d12nrmr1607.megacenter.de.ibm.com (8.13.8/8.13.8/NCO v8.2) with
ESMTP id l0VAhaN61957892
for <discuss@apps.ietf.org>; Wed, 31 Jan 2007 11:43:36 +0100
Received: from d12av04.megacenter.de.ibm.com (loopback [127.0.0.1])
by d12av04.megacenter.de.ibm.com (8.12.11.20060308/8.13.3) with ESMTP
id l0VAha84001907
for <discuss@apps.ietf.org>; Wed, 31 Jan 2007 11:43:36 +0100
Received: from sihl.zurich.ibm.com (sihl.zurich.ibm.com [9.4.16.232])
by d12av04.megacenter.de.ibm.com (8.12.11.20060308/8.12.11) with ESMTP
id l0VAhZqs001898; Wed, 31 Jan 2007 11:43:36 +0100
Received: from [9.4.210.81] ([9.4.210.81])
by sihl.zurich.ibm.com (AIX4.3/8.9.3p2/8.9.3) with ESMTP id LAA284542;
Wed, 31 Jan 2007 11:43:35 +0100
Message-ID: <45C072D7.7060409@zurich.ibm.com>
Date: Wed, 31 Jan 2007 11:43:35 +0100
From: Brian E Carpenter <brc@zurich.ibm.com>
Organization: IBM
User-Agent: Thunderbird 1.5.0.9 (Windows/20061207)
MIME-Version: 1.0
To: Mark Nottingham <mnot@mnot.net>
Subject: Re: TLS 1.1/1.2 impact on applications protocols
References: <DD5C1C952BE6B88FBB571B04@[10.1.110.5]> <000001c74490$70856c00$241e830a@vcorp.ad.vrsn.com>
<811E6993-8834-40A1-BB83-6838D60BE885@mnot.net>
In-Reply-To: <811E6993-8834-40A1-BB83-6838D60BE885@mnot.net>
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit
X-Spam-Score: 0.0 (/)
X-Scan-Signature: d0bdc596f8dd1c226c458f0b4df27a88
Cc: Apps Discuss <discuss@apps.ietf.org>
X-BeenThere: discuss@apps.ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: general discussion of application-layer protocols
<discuss.apps.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/discuss>,
<mailto:discuss-request@apps.ietf.org?subject=unsubscribe>
List-Post: <mailto:discuss@apps.ietf.org>
List-Help: <mailto:discuss-request@apps.ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/discuss>,
<mailto:discuss-request@apps.ietf.org?subject=subscribe>
Errors-To: discuss-bounces@apps.ietf.org
On 2007-01-30 22:50, Mark Nottingham wrote:
> The language Scott references ("using the latest version supported by
> both parties") seems reasonable, but I think what's being asked for is
> for the latest version to automatically become MTI.
I can imagine that creating considerable confusion for people using
RFCs in procurement requirements and the like. Obviously it's highly
desirable from a security PoV, but if we make RFCs refer to variable
quantities, we create great complications for the consumers of
our work.
Brian
>
> Cheers,
>
>
> On 2007/01/31, at 4:02 AM, Scott Hollenbeck wrote:
>
>>> -----Original Message-----
>>> From: Chris Newman [mailto:Chris.Newman@Sun.COM]
>>> Sent: Monday, January 29, 2007 11:38 PM
>>> To: Apps Discuss
>>> Cc: Pasi Eronen; Eric Rescorla
>>> Subject: TLS 1.1/1.2 impact on applications protocols
>>>
>>> The changes that are happening in the TLS WG with the
>>> publication of TLS 1.1 and the upcoming TLS 1.2 do have a
>>> significant impact on application deployment. Many of our
>>> application protocols make TLS 1.0 mandatory-to-implement.
>>> I'd like to see a discussion of the importance of transition
>>> to 1.2 (when it comes out) and the real-world problems that
>>> might occur. Do we need to update our application protocol
>>> specifications to mandate the newer version? Or perhaps we
>>> need an app-area RFC which does that to a set of application
>>> protocols?
>>>
>>> Can we just have a blanket exception to the standards status
>>> (proposed/draft/full) reference rules for the TLS base spec
>>> (and trust the TLS WG to do the right thing)? It seems more
>>> important to keep up-to-date on security technology than to
>>> have normative reference purity.
>>>
>>> Perhaps this would be a good topic for the Prague apparea meeting?
>>
>> I just ran into this very situation in the process of bringing EPP (RFCs
>> 3730 - 3734) to Draft. The IESG was OK with a normative downward
>> reference
>> to TLS 1.0 and some additional text to note that the work is still
>> evolving.
>> Here's what we agreed to say:
>>
>> "When layered over TCP, the Transport Layer Security (TLS) Protocol
>> version
>> 1.0 [RFC2246] or its successors (such as TLS 1.1 [RFC4346]), using the
>> latest version supported by both parties, MUST be used to provide
>> integrity,
>> confidentiality, and mutual strong client-server authentication."
>>
>> The reference to 2246 is normative; a downref note and exception
>> processing
>> was required. The reference to 4346 is informative. This approach
>> worked
>> because EPP does not depend on any version-specific features of TLS. The
>> situation may well be different for other protocols.
>>
>> -Scott-
>
>
> --
> Mark Nottingham http://www.mnot.net/
>
- TLS 1.1/1.2 impact on applications protocols Chris Newman
- RE: TLS 1.1/1.2 impact on applications protocols Scott Hollenbeck
- Re: TLS 1.1/1.2 impact on applications protocols Mark Nottingham
- Re: TLS 1.1/1.2 impact on applications protocols Brian E Carpenter
- Re: TLS 1.1/1.2 impact on applications protocols Keith Moore