WG Review: Using TLS in Applications (uta)

The IESG <iesg-secretary@ietf.org> Fri, 22 November 2013 17:35 UTC

Return-Path: <iesg-secretary@ietf.org>
X-Original-To: ietf-announce@ietfa.amsl.com
Delivered-To: ietf-announce@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com []) by ietfa.amsl.com (Postfix) with ESMTP id 38D561AE20C for <ietf-announce@ietfa.amsl.com>; Fri, 22 Nov 2013 09:35:56 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham
Received: from mail.ietf.org ([]) by localhost (ietfa.amsl.com []) (amavisd-new, port 10024) with ESMTP id xE_-gD9AeKu8 for <ietf-announce@ietfa.amsl.com>; Fri, 22 Nov 2013 09:35:54 -0800 (PST)
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id D7D491AE1F6 for <ietf-announce@ietf.org>; Fri, 22 Nov 2013 09:35:54 -0800 (PST)
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
From: The IESG <iesg-secretary@ietf.org>
To: IETF-Announce <ietf-announce@ietf.org>
Subject: WG Review: Using TLS in Applications (uta)
X-Test-IDTracker: no
X-IETF-IDTracker: 4.83.p1
Auto-Submitted: auto-generated
Precedence: bulk
Message-ID: <20131122173554.16611.88076.idtracker@ietfa.amsl.com>
Date: Fri, 22 Nov 2013 09:35:54 -0800
X-BeenThere: ietf-announce@ietf.org
X-Mailman-Version: 2.1.15
Reply-To: ietf@ietf.org
List-Id: "IETF announcement list. No discussions." <ietf-announce.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf-announce>, <mailto:ietf-announce-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ietf-announce/>
List-Post: <mailto:ietf-announce@ietf.org>
List-Help: <mailto:ietf-announce-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf-announce>, <mailto:ietf-announce-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 22 Nov 2013 17:35:56 -0000

A new IETF working group has been proposed in the Applications Area. The
IESG has not made any determination yet. The following draft charter was
submitted, and is provided for informational purposes only. Please send
your comments to the IESG mailing list (iesg at ietf.org) by 2013-12-02.

Using TLS in Applications (uta)
Current Status: Proposed WG

Assigned Area Director:
  Barry Leiba <barryleiba@computer.org>


There is a renewed and urgent interest in the IETF to increase the
security of transmissions over the Internet. Many application protocols
have defined methods for using TLS to authenticate the server (and
sometimes the client), and to encrypt the connection between the client
and server. However, there is a diversity of definitions and
requirements, and that diversity has caused confusion for application
developers and also has led to lack of interoperability or lack of
deployment. Implementers and deployers are faced with multiple security
issues in real-world usage of TLS, which currently does not preclude
insecure ciphers and modes of operation.

This WG has the following tasks:

- Update the definitions for using TLS over a set of representative
application protocols.  This includes communication with proxies, between
servers, and between peers, where appropriate, in addition to
client/server communication.

- Specify a set of best practices for TLS clients and servers, including
but not limited to recommended versions of TLS, using forward secrecy,
and one or more ciphersuites and extensions that are mandatory to

- Consider, and possibly define, a standard way for an application client
and server to use unauthenticated encryption through TLS when server
and/or client authentication cannot be achieved.

- Create a document that helps application protocol developers use TLS in
future application definitions.

The initial set of representative application protocols is SMTP, POP,
IMAP, XMPP, and HTTP 1.1. It is expected that other protocols that use
TLS might later be updated using the guidelines from this WG, and that
those updates will happen through other WGs or through individual

The WG will make the fewest changes needed to achieve good interoperable
security for the applications using TLS.  No changes to TLS itself will
be made in this WG, and the WG will ensure that changes to current
versions of popular TLS libaries will not be required to conform to the
WG's specifications.

This WG will collaborate with other IETF WGs, in particular with the TLS
and DANE WGs.