IETF Logo Mail Archive

Re: [DNSOP] Call for Adoption: draft-belyavskiy-rfc5933-bis

Eric Rescorla <ekr@rtfm.com> Thu, 18 June 2020 16:58 UTC

Return-Path: <ekr@rtfm.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2947C3A0A4D for <dnsop@ietfa.amsl.com>; Thu, 18 Jun 2020 09:58:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.896
X-Spam-Level:
X-Spam-Status: No, score=-1.896 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id EdJzroZJFTCd for <dnsop@ietfa.amsl.com>; Thu, 18 Jun 2020 09:57:59 -0700 (PDT)
Received: from mail-lj1-x233.google.com (mail-lj1-x233.google.com [IPv6:2a00:1450:4864:20::233]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 27C863A09C6 for <dnsop@ietf.org>; Thu, 18 Jun 2020 09:57:59 -0700 (PDT)
Received: by mail-lj1-x233.google.com with SMTP id n24so8081594lji.10 for <dnsop@ietf.org>; Thu, 18 Jun 2020 09:57:59 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=VN+qPPZHf5pH0oChMLlLL86VQotbGjL6T/51bJoAioA=; b=lx2ZPCwM/RrGFnnZWDWGqbk1JrK8f75VoTQXBAdaA1aEfYMWdZubgA8feQajFvhr2K M8BL04tfT6X03G8DVT/yqwEGC2rmJ7sCmGEJ0yT3EADGy0cjarZtJzi5QiSmZcW1iC/O 4zScdFRXzfmdx02n7Nth0V2UTBY3/uDNHxq+3eDoY7X5bO9tNzSYqjC7ip2NGf71s2Qw HEhZRzejWPR0/6VpFDGcq1sYa2gcNckfd3uYQ7iF+eUNReoZ08A963VlDC2GNxYThLnR rRsORDURIeZzRTKObH8TQkbaZppxR21uCP7VwRWUHqO68ytxUxYSQStYnjXj2SZsWmIc L58A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=VN+qPPZHf5pH0oChMLlLL86VQotbGjL6T/51bJoAioA=; b=WwHgBcvfEJvE8nZDvTnHtyh1UfVQCvGwop+Vsl76mm/UvZLz7gSH9EQd1o//kaQmHy yMxhMClesKul4pxMxJwc/AtjE84DLu0NlCnYSZDkhwU4ee7ErnIcHH/wg8Gh6JTdAdlv Xy7H5HzmMvW1+X/iHdG2CSWxgYXV2v0FL6HNluwUKuHNaAF0AzfWuNKg3p2PigisgCIm oNF0KvE10BOFD4wZj1+A6Gvx/VG8ag8uOP8J/sb6KD0XzOOReeXvgqt4OO1Z+9N02ZEQ PRo6VaAdDsyViQI4qVeTxqr//H0bfOOdKXbt8xJ+PoFl0SW9x+vhsHF21+VUQP9ENSbd 7N5Q==
X-Gm-Message-State: AOAM53284qIna9855007A6TgqdKKEN8cvZSdpwFIJuKP+pP0/uml8FCi o+HxhqTBIMONTfwdMlG9n75IlIDkWVgDQlAznp3G5g==
X-Google-Smtp-Source: ABdhPJy/zeTZ2oNO/eyGhpSWvuH/aObcYITRe+KT8QwZjeBJiBzAbKvVgFuDT/s7ScUoHxjjqkamYapvGtZcwB2AdSM=
X-Received: by 2002:a2e:9cd4:: with SMTP id g20mr2734326ljj.371.1592499477123; Thu, 18 Jun 2020 09:57:57 -0700 (PDT)
MIME-Version: 1.0
References: <CADyWQ+H4713BnZDntTuVW0FrO59zZ9NFJ=J=n9JFFq2zmfy2pQ@mail.gmail.com> <A930F8C6-9C33-4933-AC37-579ACEF5B325@ogud.com> <7FF83D52-F20B-4FF2-82AA-416835FCA5F4@isc.org> <CADqLbzJsJ6etv-eZuabLsMO4g+XYgktgpuP-fTNSi1cFTwdOGg@mail.gmail.com> <68eb8413-8704-40a3-9765-7eb19ebd0e78@www.fastmail.com> <CABcZeBORz-ustvXvrYaMm15rAHUfA3zR8Sr3ZscLWB6YJ6-s8w@mail.gmail.com> <CADyWQ+EOcTWX6PrbQUmqM6=Z442bE7itFAG6No0b9MZdcARbOg@mail.gmail.com> <CABcZeBOwxO6=Qpoyk=_cDsP5G__3CfjKV8p+boGY4-9OX=Gh8w@mail.gmail.com> <alpine.LRH.2.22.394.2006181200300.20534@bofh.nohats.ca> <CABcZeBN-bj=YUaTEF=gWOeTEhOpC9RZBrW8Lc_2Y9_34noWk7w@mail.gmail.com> <alpine.LRH.2.22.394.2006181226310.20534@bofh.nohats.ca>
In-Reply-To: <alpine.LRH.2.22.394.2006181226310.20534@bofh.nohats.ca>
From: Eric Rescorla <ekr@rtfm.com>
Date: Thu, 18 Jun 2020 09:57:20 -0700
Message-ID: <CABcZeBO7JLkUjAqHNdyw7f+=OMFUvz5LjrhYumXFpcYAFU9mQg@mail.gmail.com>
To: Paul Wouters <paul@nohats.ca>
Cc: Tim Wicinski <tjw.ietf@gmail.com>, dnsop WG <dnsop@ietf.org>, Martin Thomson <mt@lowentropy.net>
Content-Type: multipart/alternative; boundary="000000000000a3aa7905a85ead58"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/7WuUbnLR-J61iFVu8wr9SOFhVUw>
Subject: Re: [DNSOP] Call for Adoption: draft-belyavskiy-rfc5933-bis
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 18 Jun 2020 16:58:01 -0000

On Thu, Jun 18, 2020 at 9:36 AM Paul Wouters <paul@nohats.ca> wrote:

> On Thu, 18 Jun 2020, Eric Rescorla wrote:
>
> > The way that TLS has handled this is to have the registries have a
> column called Recommended and we just mark things Y or N. This is slightly
> > different from RFC 2119 language.
> >
> > It's not that uncommon to have new stuff introduced with Recommended =
> N. In fact this is the likely outcome for the GOST cipher suites:
> > https://datatracker.ietf.org/doc/draft-smyshlyaev-tls13-gost-suites/
>
> I don't see anything like that mentioned in the IANA Considerations
> section?
> https://tools.ietf.org/html/draft-smyshlyaev-tls13-gost-suites-02#section-7
>

The relevant text is in 8447: https://tools.ietf.org/html/rfc8447#section-5

   Per this document, a "Recommended" column has been added to many of
   the TLS registries to indicate parameters that are generally
   recommended for implementations to support.  Adding a "Recommended"
   parameter (i.e., "Y") to a registry or updating a parameter to
   "Recommended" status requires Standards Action.  Not all parameters
   defined in Standards Track documents need to be marked as
   "Recommended".

As the GOST draft has an informational header and is not a TLS WG
item, I would expect any registration to have Recommended = N.



In fact, the table is specifically missing the Recommended column
> required by the IANA Registry.
>

That seems like an omission but given the above, I expect IANA can handle
it.



> As a side not, in those Security Considerations I see:
>
>     2. 0-RTT data SHOULD NOT be sent during TLS 1.3 connection.  The
>     reasons for this restriction are that the 0-RTT data is not forward
>     secret and is not resistant to replay attacks
>
> It seems that the SHOULD NOT is really a very hard MUST NOT.
>

It's not clear to me if GOST is any different than the existing TLS cipher
suites in this respect, but if not, then I'm not quite sure what the
rationale is here.

-Ekr


> As another side note, would be nice to have a link to the IANA sections
> updated in the IANA Considerations Section.
>
>
> Paul
>

v2.23.0 | Report a Bug | By Email