Re: [Gen-art] RE: Gen-ART review of draft-hollenbeck-epp-rfc3734bis-04.txt
Brian E Carpenter <brc@zurich.ibm.com> Mon, 27 November 2006 07:58 UTC
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1GobNZ-0008Am-4W; Mon, 27 Nov 2006 02:58:17 -0500
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1GobNY-0008AN-98 for gen-art@ietf.org; Mon, 27 Nov 2006 02:58:16 -0500
Received: from mtagate4.de.ibm.com ([195.212.29.153]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1GobNW-00085u-FT for gen-art@ietf.org; Mon, 27 Nov 2006 02:58:16 -0500
Received: from d12nrmr1607.megacenter.de.ibm.com (d12nrmr1607.megacenter.de.ibm.com [9.149.167.49]) by mtagate4.de.ibm.com (8.13.8/8.13.8) with ESMTP id kAR7wDic036188 for <gen-art@ietf.org>; Mon, 27 Nov 2006 07:58:13 GMT
Received: from d12av03.megacenter.de.ibm.com (d12av03.megacenter.de.ibm.com [9.149.165.213]) by d12nrmr1607.megacenter.de.ibm.com (8.13.6/8.13.6/NCO v8.1.1) with ESMTP id kAR81mMj2744414 for <gen-art@ietf.org>; Mon, 27 Nov 2006 09:01:48 +0100
Received: from d12av03.megacenter.de.ibm.com (loopback [127.0.0.1]) by d12av03.megacenter.de.ibm.com (8.12.11.20060308/8.13.3) with ESMTP id kAR7wD0q009689 for <gen-art@ietf.org>; Mon, 27 Nov 2006 08:58:13 +0100
Received: from sihl.zurich.ibm.com (sihl.zurich.ibm.com [9.4.16.232]) by d12av03.megacenter.de.ibm.com (8.12.11.20060308/8.12.11) with ESMTP id kAR7wCem009669; Mon, 27 Nov 2006 08:58:12 +0100
Received: from zurich.ibm.com ([9.4.210.199]) by sihl.zurich.ibm.com (AIX4.3/8.9.3p2/8.9.3) with ESMTP id IAA80078; Mon, 27 Nov 2006 08:58:11 +0100
Message-ID: <456A9A93.2040009@zurich.ibm.com>
Date: Mon, 27 Nov 2006 08:58:11 +0100
From: Brian E Carpenter <brc@zurich.ibm.com>
Organization: IBM
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.6) Gecko/20040113
X-Accept-Language: en, fr, de
MIME-Version: 1.0
To: Ted Hardie <hardie@qualcomm.com>
Subject: Re: [Gen-art] RE: Gen-ART review of draft-hollenbeck-epp-rfc3734bis-04.txt
References: <F222151D3323874393F83102D614E055068B88DA@CORPUSMX20A.corp.emc.com> <45696D3B.5000009@zurich.ibm.com> <p06240600c19018f623bb@[10.0.1.7]>
In-Reply-To: <p06240600c19018f623bb@[10.0.1.7]>
Content-Type: text/plain; charset="us-ascii"; format="flowed"
Content-Transfer-Encoding: 7bit
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 17e5edc4dfd335965c1d21372171c01c
Cc: gen-art@ietf.org, shollenbeck@verisign.com, Black_David@emc.com
X-BeenThere: gen-art@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "GEN-ART: General Area Review Team" <gen-art.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/gen-art>, <mailto:gen-art-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/gen-art>
List-Post: <mailto:gen-art@ietf.org>
List-Help: <mailto:gen-art-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/gen-art>, <mailto:gen-art-request@ietf.org?subject=subscribe>
Errors-To: gen-art-bounces@ietf.org
Yes, I agree with Ted. A non-normative note seems the only way to handle this that doesn't create endless interlock. Brian Ted Hardie wrote: > We can certainly raise the issue with the Security ADs, but my take on it is > that we can go forward with this at DS with TLS 1.0 references and implementation > reports. I think we can and probably should add language which notes that > updated versions of TLS now exist and that new or updated implementations > should consider those, given that they allow backwards compatibility. > > I would not want to halt advancement of the document now to shift this to > 1.1; that seems to create the worst kind of lockstep, since it means that > the stability is never guaranteed. I would far prefer to see this re-cycle > at draft some time in the future once the use of TLS 1.1 in this context justifies > that change. > > Ted > At 11:32 AM +0100 11/26/06, Brian E Carpenter wrote: > >>Yes, if it's a change in the spec, that would need implementation >>reports specifically calling out TLS 1.1. I have difficulty >>seeing how to handle it as a normative requirement at DS >>without that. >> >> Brian >> >>Black_David@emc.com wrote: >> >>>Scott, >>>That sounds fine - my recommendation is not to disallow the >>>implementations that did TLS 1.0 according to 3734, but rather >>>require new implementations that follow 3734bis to support >>>TLS 1.1 in addition to TLS 1.0 (and prefer TLS 1.1 when there's >>>a choice). This is definitely a topic on which Ted's input >>>is important. >>>Thanks, >>>--David >>> >>> >>>________________________________ >>> >>> From: Hollenbeck, Scott [mailto:shollenbeck@verisign.com] Sent: Friday, November 24, 2006 1:48 PM >>> To: Black, David; gen-art@ietf.org >>> Cc: hardie@qualcomm.com >>> Subject: RE: Gen-ART review of >>>draft-hollenbeck-epp-rfc3734bis-04.txt >>> >>> >>> >>> David, >>> >>> I understand GenArt reviews. I was an IESG member myself not >>>too long ago. >>> >>> I'm also well aware of TLS 1.1. The problem I have is that >>>changing the reference now adds a new requirement to implementations >>>that didn't exist when 3734 was first approved. That's what I want to >>>talk to Ted about. >>> >>> -Scott- >>> >>> -----Original Message----- >>> From: Black_David@emc.com [mailto:Black_David@emc.com] >>> Sent: Friday, November 24, 2006 12:55 PM Eastern Standard Time >>> To: Hollenbeck, Scott; gen-art@ietf.org >>> Cc: hardie@qualcomm.com; Black_David@emc.com >>> Subject: RE: Gen-ART review of >>>draft-hollenbeck-epp-rfc3734bis-04.txt >>> >>> Scott, >>> >>> > I need to confirm Ted's reaction before doing anything with >>> > this review. >>> >>> That's a fine response, as the review says: >>> >>> > > Please wait for direction from your document shepherd >>> > > or AD before posting a new version of the draft. >>> >>> With regards to timing: >>> >>> > The last call period ended on 11 November and I've already >>> > updated the documents to reflect comments received as a result >>> > of the last call. >>> >>> This is not a GenART IETF Last Call review. Usually, GenART >>> tries to provide an IETF Last Call review, but that doesn't >>> appear to have happened for this draft. The GenART reviewers >>> are human, and "stuff" happens ;-). >>> >>> This GenART review is intended as input to the position that the >>> General Area Director will take on the IESG ballot for approval >>> of the draft, and FWIW, the General AD doesn't always agree 100% >>> with his reviewers ;-). If knowing what that ballot position >>> will be matters, Ted should follow up directly with Brian to >>> understand Brian's view of these comments. >>> >>> FWIW, I would hope that one of the Security ADs would point out >>> the existence of TLS 1.1, in addition to this input to the >>> General AD. My understanding is that the primary purpose of >>> TLS 1.1 was to prevent some attacks on the CBC usage in TLS >>> 1.0, and hence there's a preference for implementations to >>> move to TLS 1.1 as quickly as reasonably possible. >>> >>> Thanks, >>> --David >>> >>> > -----Original Message----- >>> > From: Hollenbeck, Scott [mailto:shollenbeck@verisign.com] >>> > Sent: Friday, November 24, 2006 12:28 PM >>> > To: Black, David; gen-art@ietf.org >>> > Cc: hardie@qualcomm.com >>> > Subject: RE: Gen-ART review of >>>draft-hollenbeck-epp-rfc3734bis-04.txt >>> > >>> > I need to confirm Ted's reaction before doing anything with >>>this >>> review. >>> > The last call period ended on 11 November and I've already >>>updated the >>> > documents to reflect comments received as a result of the last >>>call. >>> > >>> > -Scott- >>> > >>> > > -----Original Message----- >>> > > From: Black_David@emc.com [mailto:Black_David@emc.com] >>> > > Sent: Friday, November 24, 2006 12:10 PM >>> > > To: gen-art@ietf.org; Hollenbeck, Scott >>> > > Cc: Black_David@emc.com; hardie@qualcomm.com >>> > > Subject: Gen-ART review of >>>draft-hollenbeck-epp-rfc3734bis-04.txt >>> > > >>> > > I have been selected as the General Area Review Team >>>(Gen-ART) >>> > > reviewer for this draft (for background on Gen-ART, please >>>see >>> > > http://www.alvestrand.no/ietf/gen/art/gen-art-FAQ.html). >>> > > >>> > > Please wait for direction from your document shepherd >>> > > or AD before posting a new version of the draft. >>> > > >>> > > Document: draft-hollenbeck-epp-rfc3734bis-04.txt >>> > > Reviewer: David Black >>> > > Review Date: 24 November 2006 >>> > > IESG Telechat date: 30 November 2006 >>> > > >>> > > Summary: >>> > > This drafts is on the right track, but has open issues, >>> > > described in the review. >>> > > >>> > > Comments: >>> > > This is a small update to the existing RFC 3734. The one >>> > > open issue is the need to deal with the fact that TLS has >>> > > been updated since RFC 3734 was published; this is almost >>> > > a nit, but it does require attention. >>> > > >>> > > The TLS requirement is "must use", not just "must implement" >>> > > - that requirement is already present in RFC 3734, and is >>> > > justified by EPP having a weak "password in the clear" >>> > > mechanism as the only means of authentication. >>> > > >>> > > TLS has evolved since RFC 3734 was published. This 3734bis >>> > > draft references RFC 2246, which specifies TLS 1.0. TLS 1.1 >>> > > has now been specified by RFC 4346, and that RFC needs to be >>> > > referenced. In addition, the version usage requirements for >>> > > TLS 1.0 vs. TLS 1.1 need to be specified. >>> > > >>> > > I would say that one of TLS 1.0 or TLS 1.1 MUST be used, TLS >>> > > 1.1 SHOULD be used, and TLS 1.1 implementations MUST >>> > > correctly negotiate use of TLS 1.0 when that is necessary >>> > > (this negotiation is already specified in RFC 4346). The >>> > > result should be that implementations developed in >>>accordance >>> > > with RFC 3734 are allowed to use TLS 1.0 for backwards >>> > > compatibility and that all servers MUST use TLS 1.0 when a >>> > > client does not support TLS 1.1, as indicated in the TLS >>> > > Client Hello message. >>> > > >>> > > While not absolutely necessary, it would help implementers >>> > > to also say that these TLS requirements prohibit use of SSL >>>2 >>> > > and SSL 3, and they specifically prohibit use of the SSL 2 >>> > > ciphersuites and the SSL 2 Client Hello message that are >>> > > specified in Appendix E of RFC 4346. This is worth calling >>> > > out because SSL 2 has significant security weaknesses by >>> > > comparison to SSL 3 and TLS - removing SSL 2 support >>>entirely >>> > > is among the best ways to ensure that it is not used. >>> > > >>> > > Thanks, >>> > > --David >>> > > ---------------------------------------------------- >>> > > David L. Black, Senior Technologist >>> > > EMC Corporation, 176 South St., Hopkinton, MA 01748 >>> > > +1 (508) 293-7953 FAX: +1 (508) 293-7786 >>> > > black_david@emc.com Mobile: +1 (978) 394-7754 >>> > > ---------------------------------------------------- >>> >>> >>> >>> >>> >>> >>>------------------------------------------------------------------------ >>> >>>_______________________________________________ >>>Gen-art mailing list >>>Gen-art@ietf.org >>>https://www1.ietf.org/mailman/listinfo/gen-art > > _______________________________________________ Gen-art mailing list Gen-art@ietf.org https://www1.ietf.org/mailman/listinfo/gen-art
- [Gen-art] RE: Gen-ART review of draft-hollenbeck-… Black_David
- [Gen-art] Gen-ART review of draft-hollenbeck-epp-… Black_David
- [Gen-art] RE: Gen-ART review of draft-hollenbeck-… Hollenbeck, Scott
- [Gen-art] RE: Gen-ART review of draft-hollenbeck-… Black_David
- [Gen-art] RE: Gen-ART review of draft-hollenbeck-… Hollenbeck, Scott
- Re: [Gen-art] RE: Gen-ART review of draft-hollenb… Brian E Carpenter
- Re: [Gen-art] RE: Gen-ART review of draft-hollenb… Ted Hardie
- Re: [Gen-art] RE: Gen-ART review of draft-hollenb… Brian E Carpenter
- RE: [Gen-art] RE: Gen-ART review ofdraft-hollenbe… Black_David