Re: TLS 1.1/1.2 impact on applications protocols
Keith Moore <moore@cs.utk.edu> Wed, 31 January 2007 13:54 UTC
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com)
by megatron.ietf.org with esmtp (Exim 4.43)
id 1HCFvM-0004c6-O7; Wed, 31 Jan 2007 08:54:56 -0500
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org)
by megatron.ietf.org with esmtp (Exim 4.43) id 1HCFvL-0004YY-7k
for discuss@apps.ietf.org; Wed, 31 Jan 2007 08:54:55 -0500
Received: from shu.cs.utk.edu ([160.36.56.39])
by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1HCFvI-00056x-E1
for discuss@apps.ietf.org; Wed, 31 Jan 2007 08:54:55 -0500
Received: from localhost (localhost [127.0.0.1])
by shu.cs.utk.edu (Postfix) with ESMTP id C79D056429;
Wed, 31 Jan 2007 08:54:51 -0500 (EST)
X-Virus-Scanned: by amavisd-new with ClamAV and SpamAssasin at cs.utk.edu
Received: from shu.cs.utk.edu ([127.0.0.1])
by localhost (shu.cs.utk.edu [127.0.0.1]) (amavisd-new, port 10024)
with ESMTP id Sd-dAK9IY9nG; Wed, 31 Jan 2007 08:54:43 -0500 (EST)
Received: from [192.168.0.4] (user-119b1dm.biz.mindspring.com [66.149.133.182])
by shu.cs.utk.edu (Postfix) with ESMTP id CFCA35640D;
Wed, 31 Jan 2007 08:54:39 -0500 (EST)
Message-ID: <45C09FAC.7040007@cs.utk.edu>
Date: Wed, 31 Jan 2007 08:54:52 -0500
From: Keith Moore <moore@cs.utk.edu>
User-Agent: Thunderbird 1.5.0.9 (Macintosh/20061207)
MIME-Version: 1.0
To: Brian E Carpenter <brc@zurich.ibm.com>
Subject: Re: TLS 1.1/1.2 impact on applications protocols
References: <DD5C1C952BE6B88FBB571B04@[10.1.110.5]> <000001c74490$70856c00$241e830a@vcorp.ad.vrsn.com> <811E6993-8834-40A1-BB83-6838D60BE885@mnot.net>
<45C072D7.7060409@zurich.ibm.com>
In-Reply-To: <45C072D7.7060409@zurich.ibm.com>
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit
X-Spam-Score: 0.0 (/)
X-Scan-Signature: a7d6aff76b15f3f56fcb94490e1052e4
Cc: Apps Discuss <discuss@apps.ietf.org>, Mark Nottingham <mnot@mnot.net>
X-BeenThere: discuss@apps.ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: general discussion of application-layer protocols
<discuss.apps.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/discuss>,
<mailto:discuss-request@apps.ietf.org?subject=unsubscribe>
List-Post: <mailto:discuss@apps.ietf.org>
List-Help: <mailto:discuss-request@apps.ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/discuss>,
<mailto:discuss-request@apps.ietf.org?subject=subscribe>
Errors-To: discuss-bounces@apps.ietf.org
> On 2007-01-30 22:50, Mark Nottingham wrote:
>> The language Scott references ("using the latest version supported by
>> both parties") seems reasonable, but I think what's being asked for is
>> for the latest version to automatically become MTI.
>
> I can imagine that creating considerable confusion for people using
> RFCs in procurement requirements and the like. Obviously it's highly
> desirable from a security PoV, but if we make RFCs refer to variable
> quantities, we create great complications for the consumers of
> our work.
on the other hand, we don't really want to re-issue entire RFCs just to
allow the incorporation of a new version of TLS, do we?
nor do I think it's reasonable to retroactively make a new version of
TLS MTI for an existing RFC number.
it might be that the easiest way out is to issue some number of
"profile" RFCs so that, for instance, RFC XXXX says "the version of FOO
that conforms to RFC XXXX consists of an implementation that conforms to
the requirements of RFC YYYY except that TLS 1.2 as described in RFC
ZZZZ MUST be used rather than another version of TLS."
the downside is that we'd be tempted to use these "profile" RFCs as an
excuse to list errata, and fixes for those errata, for each of those
protocols. this would delay publication and adoption, and perhaps invite
long drawn-out processes for second-guessing the original specification
like the one we saw in DRUMS. (not that I don't think DRUMS was a good
thing to do, but there was a tremendous amount of second-guessing rather
than just clarification, and I'm probably as guilty as anyone. I guess
it's a slippery slope between the two)
more broadly, I actually think that IF we can figure out how to avoid
that kind of second-guessing, we should for each of our be periodically
issuing a document that describes the applicability, current state of
maturity and deployment, and errata and fixes for that
specification...and that such documents should to some extent replace
our current use of standardization status as a means of recommending or
not recommending a particular protocol. that might help us make a
transition away from three stages (proposed, draft, full) to one or two.
Keith
- TLS 1.1/1.2 impact on applications protocols Chris Newman
- RE: TLS 1.1/1.2 impact on applications protocols Scott Hollenbeck
- Re: TLS 1.1/1.2 impact on applications protocols Mark Nottingham
- Re: TLS 1.1/1.2 impact on applications protocols Brian E Carpenter
- Re: TLS 1.1/1.2 impact on applications protocols Keith Moore