Re: TLS 1.1/1.2 impact on applications protocols
Mark Nottingham <mnot@mnot.net> Tue, 30 January 2007 21:50 UTC
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com)
by megatron.ietf.org with esmtp (Exim 4.43)
id 1HC0rv-0001LQ-Go; Tue, 30 Jan 2007 16:50:23 -0500
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org)
by megatron.ietf.org with esmtp (Exim 4.43) id 1HC0rt-0001LL-Fo
for discuss@apps.ietf.org; Tue, 30 Jan 2007 16:50:21 -0500
Received: from mxout-03.mxes.net ([216.86.168.178])
by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1HC0ro-0000RV-Px
for discuss@apps.ietf.org; Tue, 30 Jan 2007 16:50:21 -0500
Received: from [192.168.1.102] (unknown [59.167.190.234])
(using TLSv1 with cipher AES128-SHA (128/128 bits))
(No client certificate requested)
by smtp.mxes.net (Postfix) with ESMTP id 074DC51931
for <discuss@apps.ietf.org>; Tue, 30 Jan 2007 16:50:12 -0500 (EST)
Mime-Version: 1.0 (Apple Message framework v752.2)
In-Reply-To: <000001c74490$70856c00$241e830a@vcorp.ad.vrsn.com>
References: <DD5C1C952BE6B88FBB571B04@[10.1.110.5]>
<000001c74490$70856c00$241e830a@vcorp.ad.vrsn.com>
Content-Type: multipart/mixed; boundary=Apple-Mail-6-760565169
Message-Id: <811E6993-8834-40A1-BB83-6838D60BE885@mnot.net>
X-Image-Url: http://www.mnot.net/personal/MarkNottingham.jpg
From: Mark Nottingham <mnot@mnot.net>
Subject: Re: TLS 1.1/1.2 impact on applications protocols
Date: Wed, 31 Jan 2007 08:50:09 +1100
To: Apps Discuss <discuss@apps.ietf.org>
X-Mailer: Apple Mail (2.752.2)
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 8f374d0786b25a451ef87d82c076f593
X-BeenThere: discuss@apps.ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: general discussion of application-layer protocols
<discuss.apps.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/discuss>,
<mailto:discuss-request@apps.ietf.org?subject=unsubscribe>
List-Post: <mailto:discuss@apps.ietf.org>
List-Help: <mailto:discuss-request@apps.ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/discuss>,
<mailto:discuss-request@apps.ietf.org?subject=subscribe>
Errors-To: discuss-bounces@apps.ietf.org
The language Scott references ("using the latest version supported by
both parties") seems reasonable, but I think what's being asked for
is for the latest version to automatically become MTI.
Cheers,
On 2007/01/31, at 4:02 AM, Scott Hollenbeck wrote:
>> -----Original Message-----
>> From: Chris Newman [mailto:Chris.Newman@Sun.COM]
>> Sent: Monday, January 29, 2007 11:38 PM
>> To: Apps Discuss
>> Cc: Pasi Eronen; Eric Rescorla
>> Subject: TLS 1.1/1.2 impact on applications protocols
>>
>> The changes that are happening in the TLS WG with the
>> publication of TLS 1.1 and the upcoming TLS 1.2 do have a
>> significant impact on application deployment. Many of our
>> application protocols make TLS 1.0 mandatory-to-implement.
>> I'd like to see a discussion of the importance of transition
>> to 1.2 (when it comes out) and the real-world problems that
>> might occur. Do we need to update our application protocol
>> specifications to mandate the newer version? Or perhaps we
>> need an app-area RFC which does that to a set of application
>> protocols?
>>
>> Can we just have a blanket exception to the standards status
>> (proposed/draft/full) reference rules for the TLS base spec
>> (and trust the TLS WG to do the right thing)? It seems more
>> important to keep up-to-date on security technology than to
>> have normative reference purity.
>>
>> Perhaps this would be a good topic for the Prague apparea meeting?
>
> I just ran into this very situation in the process of bringing EPP
> (RFCs
> 3730 - 3734) to Draft. The IESG was OK with a normative downward
> reference
> to TLS 1.0 and some additional text to note that the work is still
> evolving.
> Here's what we agreed to say:
>
> "When layered over TCP, the Transport Layer Security (TLS) Protocol
> version
> 1.0 [RFC2246] or its successors (such as TLS 1.1 [RFC4346]), using the
> latest version supported by both parties, MUST be used to provide
> integrity,
> confidentiality, and mutual strong client-server authentication."
>
> The reference to 2246 is normative; a downref note and exception
> processing
> was required. The reference to 4346 is informative. This approach
> worked
> because EPP does not depend on any version-specific features of
> TLS. The
> situation may well be different for other protocols.
>
> -Scott-
-- Mark Nottingham http://www.mnot.net/
- TLS 1.1/1.2 impact on applications protocols Chris Newman
- RE: TLS 1.1/1.2 impact on applications protocols Scott Hollenbeck
- Re: TLS 1.1/1.2 impact on applications protocols Mark Nottingham
- Re: TLS 1.1/1.2 impact on applications protocols Brian E Carpenter
- Re: TLS 1.1/1.2 impact on applications protocols Keith Moore