IETF Logo Mail Archive

Gen-Art LC review: draft-ietf-uta-tls-bcp-08

Robert Sparks <rjsparks@nostrum.com> Mon, 02 February 2015 19:03 UTC

Return-Path: <rjsparks@nostrum.com>
X-Original-To: ietf@ietfa.amsl.com
Delivered-To: ietf@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F37BE1A893F; Mon, 2 Feb 2015 11:03:53 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.79
X-Spam-Level:
X-Spam-Status: No, score=0.79 tagged_above=-999 required=5 tests=[BAYES_50=0.8, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Aop9NaS4Mg26; Mon, 2 Feb 2015 11:03:52 -0800 (PST)
Received: from nostrum.com (raven-v6.nostrum.com [IPv6:2001:470:d:1130::1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1DF8E1A883F; Mon, 2 Feb 2015 11:03:48 -0800 (PST)
Received: from unnumerable.local (pool-71-96-107-228.dllstx.fios.verizon.net [71.96.107.228]) (authenticated bits=0) by nostrum.com (8.14.9/8.14.7) with ESMTP id t12J3lqC030823 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Mon, 2 Feb 2015 13:03:48 -0600 (CST) (envelope-from rjsparks@nostrum.com)
X-Authentication-Warning: raven.nostrum.com: Host pool-71-96-107-228.dllstx.fios.verizon.net [71.96.107.228] claimed to be unnumerable.local
Message-ID: <54CFCA0E.8090406@nostrum.com>
Date: Mon, 02 Feb 2015 13:03:42 -0600
From: Robert Sparks <rjsparks@nostrum.com>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:31.0) Gecko/20100101 Thunderbird/31.4.0
MIME-Version: 1.0
To: General Area Review Team <gen-art@ietf.org>, uta@ietf.org, draft-ietf-uta-tls-bcp@ietf.org, ietf@ietf.org
Subject: Gen-Art LC review: draft-ietf-uta-tls-bcp-08
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Transfer-Encoding: 7bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/ietf/V4cw_uYNfS2h-Fjp9zmy0yB5ja8>
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ietf/>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 02 Feb 2015 19:03:54 -0000

I am the assigned Gen-ART reviewer for this draft. For background on
Gen-ART, please see the FAQ at

<http://wiki.tools.ietf.org/area/gen/trac/wiki/GenArtfaq>.

Please resolve these comments along with any other Last Call comments
you may receive.

Document: draft-ietf-uta-tls-bcp-08
Reviewer: Robert Sparks
Review Date: 2 Feb 2015
IETF LC End Date: 10 Feb 2015
IESG Telechat date: 19 Feb 2015

Summary: Basically Ready for publication as BCP, but with nits that 
should be considered before publication.

This is a well structured and fairly easy to follow document. The 
intended status (BCP, as opposed to, say, AS) is exactly right.

There are a few nits that should be considered:

Larger nits:

* Section 3.1.1 says "SHOULD NOT negotiate TLS version 1.1", but section 
3.1.2 says "MAY negotiate DTLS 1.0", and goes on to say "Version 1.0 of 
DTLS corresponds to version 1.1 of TLS". This seems inconsistent. Should 
that MAY be a SHOULD NOT?

* In section 4.1, you have requirements like "MUST NOT negotiate RC4". 
This formulation is good in that it doesn't say anything about 
implementing algorithms like RC4 or not. There will be natural pressure 
to stop implementing algorithms you must not use. But it feels 
problematic when you use the same structure at "MUST NOT negotiate the 
cipher suites with NULL encryption". Would it be worth pointing out here 
that this isn't a suggestion to push back on _implementing_ such cipher 
suites?

* Since Pete's the sponsoring AD, I have to point at the MUST in section 
5.1 as something that should be changed to not use a 2119 word. I 
suggest replacing the sentence with something like "If deployers deviate 
... they are almost certainly giving up one of the foregoing..."

Very small nits:

* In the last paragraph of 3.1.1, "This BCP applies to TLS 1.2" could be 
misconstrued to mean it does not apply to the other protocols listed 
above it (like TLS 1.1). Its point is to say that the document doesn't 
consider _future_ versions. Perhaps something like "This BCP applies to 
the protocol listed above, ending with TLS 1.2" instead?

* In the second bullet in 3.2 it's not clear whether you're saying _all_ 
Application clients SHOULD use TLS by default, or if you meant to 
constrain that recommendation to clients that have a configuration 
option to use TLS even if the server doesn't offer it.

* In section 3.5's last sentence, "may be simplest" is not clear. Does 
simple mean "easy to code" or "less likely to make it less secure" or 
something else? Would "may be safest" (or safer) say what you want?

* Section 4.1 first paragraph: The second sentence is convoluted. Can it 
be split into simple sentences?

* Section 4.1 first paragraph: The third sentence feels like it's 
arguing for having the document - "much needed" was particularly 
catching. Could it be replaced with something more like "this document 
provides recommendations based on the the experience obtained over these 
decades"?

* Section 4.2, last paragraph before entering 4.2.1: "This BCP does not 
cover such devices." is ambiguous. It's not clear if it was intended to 
only be talking about "devices that do not support public key 
cryptography at all" (which is what was intended, I believe), or if it 
includes "devices (that) have hardware support for AES-CCM but not AES-GCM.

* Section 4.3: Is there a reference you can point to for the authority 
for "sufficient for at least the next 10 years", or is it the intent 
that this document become that authoritative statement?

* The Applicability Statement (in section 5) says things like "web 
servers" where perhaps it should say "web services"?. There are a lot of 
client recommendations in the document. The section also seems to scope 
the audience firmly to operators, but you have some implementer and a 
little bit of user guidance in here as well.

* There is a word missing near "allow to derive" in the second to last 
paragraph of 7.3

* The first paragraph of 7.5 has an unusual tone for a BCP (and for the 
rest of this document). It says (paraphrasing) "we can't recommend 
anything", but then goes on to recommend things. Perhaps it would work 
better reformulated as "The following recommendations represent the 
current state of the art, even though this is not a complete and 
efficient solution for..."

* The discussion of OCSP stapling in the second to last paragraph of 7.5 
has suffered some edit-itis? It seems to say SHOULD support OCSP 
stapling in both the first and third sentences.

* The target of "foregoing considerations" in the last paragraph of 7.5 
is ambiguous. Do you mean all of 7.5?

* Some of the normative vs informative reference choices are puzzling. 
Why, for instance, is 6167 (prohibiting SSLv2) normative, while 
tls-prohibiting-rc4 is informative. Why are the references to things 
like TLS 1.0 informative while TLS 1.2 is normative?

v2.23.0 | Report a Bug | By Email