Fwd: Wording for strict vs implicit TLS in <draft-elie-nntp-tls-recommendations-01.txt>
Julien ÉLIE <julien@trigofacile.com> Fri, 23 December 2016 20:24 UTC
Return-Path: <julien@trigofacile.com>
X-Original-To: ietf@ietfa.amsl.com
Delivered-To: ietf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8176D1294FD for <ietf@ietfa.amsl.com>; Fri, 23 Dec 2016 12:24:08 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-0.001] autolearn=unavailable autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7QajY4CnKY8n for <ietf@ietfa.amsl.com>; Fri, 23 Dec 2016 12:24:06 -0800 (PST)
Received: from smtp.smtpout.orange.fr (smtp03.smtpout.orange.fr [80.12.242.125]) (using TLSv1 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5C72B1293E0 for <ietf@ietf.org>; Fri, 23 Dec 2016 12:24:05 -0800 (PST)
Received: from macbook-pro-de-julien-elie.home ([92.170.5.52]) by mwinf5d38 with ME id PYQ21u00a17Lgi403YQ33m; Fri, 23 Dec 2016 21:24:03 +0100
X-ME-Helo: macbook-pro-de-julien-elie.home
X-ME-Auth: anVsaWVuLmVsaWU0ODdAd2FuYWRvby5mcg==
X-ME-Date: Fri, 23 Dec 2016 21:24:03 +0100
X-ME-IP: 92.170.5.52
Subject: Fwd: Wording for strict vs implicit TLS in <draft-elie-nntp-tls-recommendations-01.txt>
References: <d43e958e-951c-1106-da2d-cb32be3e5b3b@trigofacile.com>
To: ietf@ietf.org
From: Julien ÉLIE <julien@trigofacile.com>
Organization: TrigoFACILE -- http://www.trigofacile.com/
X-Forwarded-Message-Id: <d43e958e-951c-1106-da2d-cb32be3e5b3b@trigofacile.com>
Message-ID: <ad470231-fb77-07e0-fba5-9579fde84282@trigofacile.com>
Date: Fri, 23 Dec 2016 21:24:03 +0100
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:45.0) Gecko/20100101 Thunderbird/45.5.1
MIME-Version: 1.0
In-Reply-To: <d43e958e-951c-1106-da2d-cb32be3e5b3b@trigofacile.com>
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/ietf/87t6QDPKj1mT8JIz7qzpSSX3twc>
Cc: draft-elie-nntp-tls-recommendations.all@ietf.org
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ietf/>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 23 Dec 2016 20:24:08 -0000
Hi, FYI, I'll take into account for the revised version of draft-elie-nntp-tls-recommendations the comment Viktor gave in the UTA mailing-list. The terminology for "TLS negotiation immediately upon connection on a separate port" is not consistent between RFCs. RFC 7525 uses "strict TLS" (and unfortunately does not define the term). RFC 7672 uses "mandatory TLS". draft-ietf-uta-email-deep uses "implicit TLS". As I believe "implicit TLS" is the most accurate wording, I'll also use that term for draft-elie-nntp-tls-recommendations. -- Julien ÉLIE -------- Message transféré -------- Sujet : Re: [Uta] draft-ietf-uta-email-deep-05: wording about strict vs implicit TLS Date : Thu, 22 Dec 2016 17:07:07 +0100 De : Julien ÉLIE <julien@trigofacile.com> Organisation : TrigoFACILE -- http://www.trigofacile.com/ Pour : uta@ietf.org Hi Viktor, >> draft-ietf-uta-email-deep-05 defines "Implicit TLS" in Section 4: >> 'amechanism where TLS is negotiated immediately at connection start on a >> separate port (referred to in this document as "Implicit TLS")' > > This choice of language is sensible, since the use of TLS is implicit > in the (choice of) transport endpoint, rather than explicitly negotiated > via STARTTLS. > >> whereas published RFC 7525 uses the terminology "strict TLS". It is the title of >> Section 3.2, which mentions 'a choice between strict TLS configuration and dynamic >> upgrade from unencrypted to TLS-protected traffic (such as STARTTLS)'. > > While the language in 7525 is unfortunate, since 'strict TLS' is not > clearly defined in that document, and the name suggests that it is an > alternative to 'opportunistic TLS', rather than an alternative to > STARTTLS. While STARTTLS is often used opportunistically, that is not > always the case. While RFC 7672 calls this "mandatory TLS", I would > expect "strict" and "mandatory" to be synonymous. I perfectly understand your arguments, and I agree with you. Shouldn't an erratum be added to RFC 7525 so as to at least add a definition of "strict TLS"? It is indeed missing! I've updated the wording in draft-elie-nntp-tls-recommendations so as to use "implicit TLS" like draft-ietf-uta-email-deep. In particular, this document updates [RFC4642] by specifying that NNTP implementations and deployments MUST follow the best current practices documented in the "Recommendations for Secure Use of TLS and DTLS" [RFC7525]. This includes stronger recommendations regarding SSL/TLS protocol versions, fallback to lower versions, TLS negotiation immediately upon connection on a separate port (referred to in this document as "implicit TLS"), TLS-level compression, TLS session resumption, cipher suites, public key lengths, forward secrecy, and other aspects of using TLS with NNTP. [...] o NNTP implementations and deployments SHOULD prefer implicit TLS and therefore use strict TLS configuration (Section 3.2 of [RFC7525]), that is to say they SHOULD use a port dedicated to NNTP over TLS, and begin the TLS negotiation immediately upon connection (contrary to a dynamic upgrade from unencrypted to TLS- protected traffic via the use of the STARTTLS command, as Section 1 of [RFC4642] was encouraging). For the same reasons, transposed to NNTP, as those given in Appendix A of [MUA-STS] (whose one of the authors was also one of the authors of [RFC4642]), implicit TLS is the preferred way of using TLS with NNTP. It is the only paragraph where I still mention "strict TLS configuration" because I reference RFC 7525. In all other parts of the draft, only "implicit TLS" terminology is now used. Thanks for your suggestion! -- Julien ÉLIE « J'ai le pied gauche qui est jaloux du pied droit. Quand j'avance le pied droit, le pied gauche, qui ne veut pas rester en arrière… passe devant… le pied droit en fait autant… et moi… comme un imbécile… je marche. » (Raymond Devos) _______________________________________________ Uta mailing list Uta@ietf.org https://www.ietf.org/mailman/listinfo/uta
- Fwd: Wording for strict vs implicit TLS in <draft… Julien ÉLIE
- Re: Fwd: Wording for strict vs implicit TLS in <d… Viktor Dukhovni