IETF Logo Mail Archive

Re: TLS requirements (Last Call: draft-ietf-atompub-protocol to Proposed Standard)

Eric Rescorla <ekr@networkresonance.com> Sun, 20 May 2007 20:39 UTC

Return-path: <ietf-bounces@ietf.org>
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1HpsBm-0003tc-VK; Sun, 20 May 2007 16:39:38 -0400
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1HpsBl-0003p0-61; Sun, 20 May 2007 16:39:37 -0400
Received: from [209.213.211.195] (helo=delta.rtfm.com) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1HpsBj-00033h-Oe; Sun, 20 May 2007 16:39:37 -0400
Received: from delta.rtfm.com (localhost.rtfm.com [127.0.0.1]) by delta.rtfm.com (Postfix) with ESMTP id EF2BA33C23; Sun, 20 May 2007 13:39:04 -0700 (PDT)
Date: Sun, 20 May 2007 13:39:04 -0700
From: Eric Rescorla <ekr@networkresonance.com>
To: Julian Reschke <julian.reschke@gmx.de>
In-Reply-To: <46504776.6040001@gmx.de>
References: <45F6CE12.8020703@mozilla.com> <tsllki1rpyc.fsf@cz.mit.edu> <45F6EF91.7030008@mozilla.com> <tslk5xlq8ul.fsf@cz.mit.edu> <45F6FA2A.4060409@mozilla.com> <1C0F121E56ADA47B5683D263@caldav.corp.apple.com> <45F7EC16.1030904@zurich.ibm.com> <45F7F3FC.6020306@gmx.de> <86lkhzc22x.fsf@delta.rtfm.com> <68fba5c50705181605p66298f1fh31f119185f67d8e8@mail.gmail.com> <517bf110705192034s6e4e5656r596a6f11883e6a9a@mail.gmail.com> <46504776.6040001@gmx.de>
User-Agent: Wanderlust/2.14.0 (Africa) Emacs/21.3 Mule/5.0 (SAKAKI)
MIME-Version: 1.0 (generated by SEMI 1.14.6 - "Maruoka")
Content-Type: text/plain; charset="US-ASCII"
Message-Id: <20070520203904.EF2BA33C23@delta.rtfm.com>
X-Spam-Score: 0.1 (/)
X-Scan-Signature: 082a9cbf4d599f360ac7f815372a6a15
Cc: Cyrus Daboo <cyrus@daboo.name>, Sam Hartman <hartmans-ietf@mit.edu>, Tim Bray <tbray@textuality.com>, ietf@ietf.org, iesg@ietf.org
Subject: Re: TLS requirements (Last Call: draft-ietf-atompub-protocol to Proposed Standard)
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
Errors-To: ietf-bounces@ietf.org

At Sun, 20 May 2007 15:04:54 +0200,
Julian Reschke wrote:
> 
> Tim Bray wrote:
> > On 5/18/07, Robert Sayre <sayrer@gmail.com> wrote:
> >> I think the substituted text is inadequate, because it is not clear
> >> which TLS version implementors MUST support. As I understand it, the
> >> fact that it is "tricky", implying there may be trade-offs, is not
> >> sufficient to avoid specifying a single, mandatory-to-implement TLS
> >> version.
> > 
> > Well Rob, I think the community at large and the IESG in particular
> > would welcome suggestions on what to do with this one.  In fact, we
> > know what's going to happen: implementors will use the default TLS
> > library for whatever platform they're on, and this will do the job,
> > most times.  However, I think that we have better-than-rough consensus
> > that the specification landscape is a mess, making normative
> > references  a bitch, and that this will probably bite nearly
> > everything in the Apps area from here on in.
> > 
> > I hope someone with the necessary expertise will take this bull by the
> > horns.  -Tim
> 
> ...and I would add that as the IESG got us into this situation, it's 
> their job to clarify.
> 
> Let me add one data point... Another spec recently *approved* by the 
> IESG says 
> (<http://greenbytes.de/tech/webdav/draft-ietf-webdav-rfc2518bis-18.html#rfc.section.20.1>):
> 
> "20.1 Authentication of Clients
> 
> Due to their emphasis on authoring, WebDAV servers need to use 
> authentication technology to protect not just access to a network 
> resource, but the integrity of the resource as well. Furthermore, the 
> introduction of locking functionality requires support for authentication.
> 
> A password sent in the clear over an insecure channel is an inadequate 
> means for protecting the accessibility and integrity of a resource as 
> the password may be intercepted. Since Basic authentication for HTTP/1.1 
> performs essentially clear text transmission of a password, Basic 
> authentication MUST NOT be used to authenticate a WebDAV client to a 
> server unless the connection is secure. Furthermore, a WebDAV server 
> MUST NOT send a Basic authentication challenge in a WWW-Authenticate 
> header unless the connection is secure. An example of a secure 
> connection would be a Transport Layer Security (TLS) connection 
> employing a strong cipher suite and server authentication.
> 
> WebDAV applications MUST support the Digest authentication scheme 
> [RFC2617]. Since Digest authentication verifies that both parties to a 
> communication know a shared secret, a password, without having to send 
> that secret in the clear, Digest authentication avoids the security 
> problems inherent in Basic authentication while providing a level of 
> authentication which is useful in a wide range of scenarios."
> 
> So apparently the whole mess involving RFC2818, RFC2246 and RFC4346 is 
> not really required.

Yes, the other option is to use Digest, which, as I recall, the Atompub
WG did not want to do.

-Ekr

_______________________________________________
Ietf mailing list
Ietf@ietf.org
https://www1.ietf.org/mailman/listinfo/ietf

v2.23.0 | Report a Bug | By Email