Re: TLS requirements (Last Call: draft-ietf-atompub-protocol to Proposed Standard)
Eric Rescorla <ekr@networkresonance.com> Sun, 20 May 2007 20:39 UTC
Return-path: <ietf-bounces@ietf.org>
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1HpsBm-0003tc-VK; Sun, 20 May 2007 16:39:38 -0400
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1HpsBl-0003p0-61; Sun, 20 May 2007 16:39:37 -0400
Received: from [209.213.211.195] (helo=delta.rtfm.com) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1HpsBj-00033h-Oe; Sun, 20 May 2007 16:39:37 -0400
Received: from delta.rtfm.com (localhost.rtfm.com [127.0.0.1]) by delta.rtfm.com (Postfix) with ESMTP id EF2BA33C23; Sun, 20 May 2007 13:39:04 -0700 (PDT)
Date: Sun, 20 May 2007 13:39:04 -0700
From: Eric Rescorla <ekr@networkresonance.com>
To: Julian Reschke <julian.reschke@gmx.de>
In-Reply-To: <46504776.6040001@gmx.de>
References: <45F6CE12.8020703@mozilla.com> <tsllki1rpyc.fsf@cz.mit.edu> <45F6EF91.7030008@mozilla.com> <tslk5xlq8ul.fsf@cz.mit.edu> <45F6FA2A.4060409@mozilla.com> <1C0F121E56ADA47B5683D263@caldav.corp.apple.com> <45F7EC16.1030904@zurich.ibm.com> <45F7F3FC.6020306@gmx.de> <86lkhzc22x.fsf@delta.rtfm.com> <68fba5c50705181605p66298f1fh31f119185f67d8e8@mail.gmail.com> <517bf110705192034s6e4e5656r596a6f11883e6a9a@mail.gmail.com> <46504776.6040001@gmx.de>
User-Agent: Wanderlust/2.14.0 (Africa) Emacs/21.3 Mule/5.0 (SAKAKI)
MIME-Version: 1.0 (generated by SEMI 1.14.6 - "Maruoka")
Content-Type: text/plain; charset="US-ASCII"
Message-Id: <20070520203904.EF2BA33C23@delta.rtfm.com>
X-Spam-Score: 0.1 (/)
X-Scan-Signature: 082a9cbf4d599f360ac7f815372a6a15
Cc: Cyrus Daboo <cyrus@daboo.name>, Sam Hartman <hartmans-ietf@mit.edu>, Tim Bray <tbray@textuality.com>, ietf@ietf.org, iesg@ietf.org
Subject: Re: TLS requirements (Last Call: draft-ietf-atompub-protocol to Proposed Standard)
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
Errors-To: ietf-bounces@ietf.org
At Sun, 20 May 2007 15:04:54 +0200, Julian Reschke wrote: > > Tim Bray wrote: > > On 5/18/07, Robert Sayre <sayrer@gmail.com> wrote: > >> I think the substituted text is inadequate, because it is not clear > >> which TLS version implementors MUST support. As I understand it, the > >> fact that it is "tricky", implying there may be trade-offs, is not > >> sufficient to avoid specifying a single, mandatory-to-implement TLS > >> version. > > > > Well Rob, I think the community at large and the IESG in particular > > would welcome suggestions on what to do with this one. In fact, we > > know what's going to happen: implementors will use the default TLS > > library for whatever platform they're on, and this will do the job, > > most times. However, I think that we have better-than-rough consensus > > that the specification landscape is a mess, making normative > > references a bitch, and that this will probably bite nearly > > everything in the Apps area from here on in. > > > > I hope someone with the necessary expertise will take this bull by the > > horns. -Tim > > ...and I would add that as the IESG got us into this situation, it's > their job to clarify. > > Let me add one data point... Another spec recently *approved* by the > IESG says > (<http://greenbytes.de/tech/webdav/draft-ietf-webdav-rfc2518bis-18.html#rfc.section.20.1>): > > "20.1 Authentication of Clients > > Due to their emphasis on authoring, WebDAV servers need to use > authentication technology to protect not just access to a network > resource, but the integrity of the resource as well. Furthermore, the > introduction of locking functionality requires support for authentication. > > A password sent in the clear over an insecure channel is an inadequate > means for protecting the accessibility and integrity of a resource as > the password may be intercepted. Since Basic authentication for HTTP/1.1 > performs essentially clear text transmission of a password, Basic > authentication MUST NOT be used to authenticate a WebDAV client to a > server unless the connection is secure. Furthermore, a WebDAV server > MUST NOT send a Basic authentication challenge in a WWW-Authenticate > header unless the connection is secure. An example of a secure > connection would be a Transport Layer Security (TLS) connection > employing a strong cipher suite and server authentication. > > WebDAV applications MUST support the Digest authentication scheme > [RFC2617]. Since Digest authentication verifies that both parties to a > communication know a shared secret, a password, without having to send > that secret in the clear, Digest authentication avoids the security > problems inherent in Basic authentication while providing a level of > authentication which is useful in a wide range of scenarios." > > So apparently the whole mess involving RFC2818, RFC2246 and RFC4346 is > not really required. Yes, the other option is to use Digest, which, as I recall, the Atompub WG did not want to do. -Ekr _______________________________________________ Ietf mailing list Ietf@ietf.org https://www1.ietf.org/mailman/listinfo/ietf
- TLS requirements (Last Call: draft-ietf-atompub-p… Robert Sayre
- Re: TLS requirements (Last Call: draft-ietf-atomp… Sam Hartman
- Re: TLS requirements (Last Call: draft-ietf-atomp… Robert Sayre
- Re: TLS requirements (Last Call: draft-ietf-atomp… Sam Hartman
- Re: TLS requirements (Last Call: draft-ietf-atomp… Robert Sayre
- Re: TLS requirements (Last Call: draft-ietf-atomp… Brian E Carpenter
- Re: TLS requirements (Last Call: draft-ietf-atomp… Julian Reschke
- Already Last-Called downrefs (was: ...) Pekka Savola
- Re: TLS requirements (Last Call: draft-ietf-atomp… EKR
- Re: Already Last-Called downrefs Brian E Carpenter
- Re: TLS requirements (Last Call: draft-ietf-atomp… Robert Sayre
- Re: TLS requirements (Last Call: draft-ietf-atomp… Julian Reschke
- Re: TLS requirements (Last Call: draft-ietf-atomp… Tim Bray
- Re: TLS requirements (Last Call: draft-ietf-atomp… Julian Reschke
- Re: TLS requirements (Last Call: draft-ietf-atomp… Eric Rescorla
- Re: TLS requirements (Last Call: draft-ietf-atomp… Eric Rescorla
- Re: TLS requirements (Last Call: draft-ietf-atomp… Robert Sayre
- Re: TLS requirements (Last Call: draft-ietf-atomp… Jeffrey Hutzelman
- Re: TLS requirements (Last Call: draft-ietf-atomp… Philip Guenther
- Re: TLS requirements (Last Call: draft-ietf-atomp… Brian E Carpenter
- Re: TLS requirements (Last Call: draft-ietf-atomp… Philip Guenther
- AW: Last Call: draft-ietf-geopriv-radius-lo (Carr… Doug Ewell
- Re: TLS requirements (Last Call: draft-ietf-atomp… Julian Reschke
- Re: TLS requirements (Last Call: draft-ietf-atomp… Cyrus Daboo