IETF Logo Mail Archive

Re: TLS requirements (Last Call: draft-ietf-atompub-protocol to Proposed Standard)

Julian Reschke <julian.reschke@gmx.de> Sun, 20 May 2007 13:05 UTC

Return-path: <ietf-bounces@ietf.org>
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1Hpl5y-00038v-L9; Sun, 20 May 2007 09:05:10 -0400
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1Hpl5x-00038e-3k for ietf@ietf.org; Sun, 20 May 2007 09:05:09 -0400
Received: from mail.gmx.net ([213.165.64.20]) by ietf-mx.ietf.org with smtp (Exim 4.43) id 1Hpl5v-0002LW-L0 for ietf@ietf.org; Sun, 20 May 2007 09:05:09 -0400
Received: (qmail invoked by alias); 20 May 2007 13:05:06 -0000
Received: from p508FA954.dip0.t-ipconnect.de (EHLO [192.168.178.22]) [80.143.169.84] by mail.gmx.net (mp033) with SMTP; 20 May 2007 15:05:06 +0200
X-Authenticated: #1915285
X-Provags-ID: V01U2FsdGVkX1/EREhoyS7EPHNYc+sGIibcgxrrastq+Eyli9368s xE4QDyRtEhrTi0
Message-ID: <46504776.6040001@gmx.de>
Date: Sun, 20 May 2007 15:04:54 +0200
From: Julian Reschke <julian.reschke@gmx.de>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; de; rv:1.8.0.4) Gecko/20060516 Thunderbird/1.5.0.4 Mnenhy/0.7.4.666
MIME-Version: 1.0
To: Tim Bray <tbray@textuality.com>
References: <45F6CE12.8020703@mozilla.com> <tsllki1rpyc.fsf@cz.mit.edu> <45F6EF91.7030008@mozilla.com> <tslk5xlq8ul.fsf@cz.mit.edu> <45F6FA2A.4060409@mozilla.com> <1C0F121E56ADA47B5683D263@caldav.corp.apple.com> <45F7EC16.1030904@zurich.ibm.com> <45F7F3FC.6020306@gmx.de> <86lkhzc22x.fsf@delta.rtfm.com> <68fba5c50705181605p66298f1fh31f119185f67d8e8@mail.gmail.com> <517bf110705192034s6e4e5656r596a6f11883e6a9a@mail.gmail.com>
In-Reply-To: <517bf110705192034s6e4e5656r596a6f11883e6a9a@mail.gmail.com>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
X-Y-GMX-Trusted: 0
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 5a9a1bd6c2d06a21d748b7d0070ddcb8
Cc: Cyrus Daboo <cyrus@daboo.name>, ietf@ietf.org, Sam Hartman <hartmans-ietf@mit.edu>, iesg@ietf.org
Subject: Re: TLS requirements (Last Call: draft-ietf-atompub-protocol to Proposed Standard)
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
Errors-To: ietf-bounces@ietf.org

Tim Bray wrote:
> On 5/18/07, Robert Sayre <sayrer@gmail.com> wrote:
>> I think the substituted text is inadequate, because it is not clear
>> which TLS version implementors MUST support. As I understand it, the
>> fact that it is "tricky", implying there may be trade-offs, is not
>> sufficient to avoid specifying a single, mandatory-to-implement TLS
>> version.
> 
> Well Rob, I think the community at large and the IESG in particular
> would welcome suggestions on what to do with this one.  In fact, we
> know what's going to happen: implementors will use the default TLS
> library for whatever platform they're on, and this will do the job,
> most times.  However, I think that we have better-than-rough consensus
> that the specification landscape is a mess, making normative
> references  a bitch, and that this will probably bite nearly
> everything in the Apps area from here on in.
> 
> I hope someone with the necessary expertise will take this bull by the
> horns.  -Tim

...and I would add that as the IESG got us into this situation, it's 
their job to clarify.

Let me add one data point... Another spec recently *approved* by the 
IESG says 
(<http://greenbytes.de/tech/webdav/draft-ietf-webdav-rfc2518bis-18.html#rfc.section.20.1>):

"20.1 Authentication of Clients

Due to their emphasis on authoring, WebDAV servers need to use 
authentication technology to protect not just access to a network 
resource, but the integrity of the resource as well. Furthermore, the 
introduction of locking functionality requires support for authentication.

A password sent in the clear over an insecure channel is an inadequate 
means for protecting the accessibility and integrity of a resource as 
the password may be intercepted. Since Basic authentication for HTTP/1.1 
performs essentially clear text transmission of a password, Basic 
authentication MUST NOT be used to authenticate a WebDAV client to a 
server unless the connection is secure. Furthermore, a WebDAV server 
MUST NOT send a Basic authentication challenge in a WWW-Authenticate 
header unless the connection is secure. An example of a secure 
connection would be a Transport Layer Security (TLS) connection 
employing a strong cipher suite and server authentication.

WebDAV applications MUST support the Digest authentication scheme 
[RFC2617]. Since Digest authentication verifies that both parties to a 
communication know a shared secret, a password, without having to send 
that secret in the clear, Digest authentication avoids the security 
problems inherent in Basic authentication while providing a level of 
authentication which is useful in a wide range of scenarios."

So apparently the whole mess involving RFC2818, RFC2246 and RFC4346 is 
not really required.

Best regards, Julian


_______________________________________________
Ietf mailing list
Ietf@ietf.org
https://www1.ietf.org/mailman/listinfo/ietf

v2.23.0 | Report a Bug | By Email