IETF Logo Mail Archive

Re: Gen-Art LC review: draft-ietf-uta-tls-bcp-08

Robert Sparks <rjsparks@nostrum.com> Mon, 02 February 2015 19:45 UTC

Return-Path: <rjsparks@nostrum.com>
X-Original-To: ietf@ietfa.amsl.com
Delivered-To: ietf@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2436B1A893F; Mon, 2 Feb 2015 11:45:20 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.39
X-Spam-Level:
X-Spam-Status: No, score=0.39 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, MANGLED_DIET=2.3, T_RP_MATCHES_RCVD=-0.01] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nG6gVmq1zGHF; Mon, 2 Feb 2015 11:45:19 -0800 (PST)
Received: from nostrum.com (raven-v6.nostrum.com [IPv6:2001:470:d:1130::1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EEFCF1A0103; Mon, 2 Feb 2015 11:45:18 -0800 (PST)
Received: from unnumerable.local (pool-71-96-107-228.dllstx.fios.verizon.net [71.96.107.228]) (authenticated bits=0) by nostrum.com (8.14.9/8.14.7) with ESMTP id t12JjDsK034794 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Mon, 2 Feb 2015 13:45:13 -0600 (CST) (envelope-from rjsparks@nostrum.com)
X-Authentication-Warning: raven.nostrum.com: Host pool-71-96-107-228.dllstx.fios.verizon.net [71.96.107.228] claimed to be unnumerable.local
Message-ID: <54CFD3C4.9030309@nostrum.com>
Date: Mon, 02 Feb 2015 13:45:08 -0600
From: Robert Sparks <rjsparks@nostrum.com>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:31.0) Gecko/20100101 Thunderbird/31.4.0
MIME-Version: 1.0
To: Peter Saint-Andre - &yet <peter@andyet.net>, General Area Review Team <gen-art@ietf.org>, uta@ietf.org, draft-ietf-uta-tls-bcp@ietf.org, ietf@ietf.org
Subject: Re: Gen-Art LC review: draft-ietf-uta-tls-bcp-08
References: <54CFCA0E.8090406@nostrum.com> <54CFCFBB.6000809@andyet.net>
In-Reply-To: <54CFCFBB.6000809@andyet.net>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Transfer-Encoding: 7bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/ietf/kiEDoWOiS3J7jkSJ1q_x7Bb-CsA>
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ietf/>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 02 Feb 2015 19:45:20 -0000

On 2/2/15 1:27 PM, Peter Saint-Andre - &yet wrote:
> Hi Robert, thanks for the review. Comments inline.
>
> On 2/2/15 12:03 PM, Robert Sparks wrote:
>> I am the assigned Gen-ART reviewer for this draft. For background on
>> Gen-ART, please see the FAQ at
>>
>> <http://wiki.tools.ietf.org/area/gen/trac/wiki/GenArtfaq>.
>>
>> Please resolve these comments along with any other Last Call comments
>> you may receive.
>>
>> Document: draft-ietf-uta-tls-bcp-08
>> Reviewer: Robert Sparks
>> Review Date: 2 Feb 2015
>> IETF LC End Date: 10 Feb 2015
>> IESG Telechat date: 19 Feb 2015
>>
>> Summary: Basically Ready for publication as BCP, but with nits that 
>> should be considered before publication.
>>
>> This is a well structured and fairly easy to follow document. The 
>> intended status (BCP, as opposed to, say, AS) is exactly right.
>>
>> There are a few nits that should be considered:
>>
>> Larger nits:
>>
>> * Section 3.1.1 says "SHOULD NOT negotiate TLS version 1.1", but 
>> section 3.1.2 says "MAY negotiate DTLS 1.0", and goes on to say 
>> "Version 1.0 of DTLS corresponds to version 1.1 of TLS". This seems 
>> inconsistent. Should that MAY be a SHOULD NOT?
> Your suggestion seems reasonable to me. I have a vague recollection 
> that we had talked about making just that change (and apparently 
> neglected to do so), but I will double-check with my co-authors to 
> verify.
>>
>> * In section 4.1, you have requirements like "MUST NOT negotiate 
>> RC4". This formulation is good in that it doesn't say anything about 
>> implementing algorithms like RC4 or not. There will be natural 
>> pressure to stop implementing algorithms you must not use. But it 
>> feels problematic when you use the same structure at "MUST NOT 
>> negotiate the cipher suites with NULL encryption". Would it be worth 
>> pointing out here that this isn't a suggestion to push back on 
>> _implementing_ such cipher suites?
> Are you (a) noting that we might want to be explicit about the fact 
> that we're not talking about implementation of such suites, or (b) 
> suggesting that we might want to say something stronger by actively 
> discouraging implementation of such suites?
(a).
In particular, I don't think you _want_ to discourage implementation of 
those suites. You may want the code out there for debugging purposes. 
You just want to be sure the deployed code is configured to not 
negotiate them.
>>
>> * Since Pete's the sponsoring AD, I have to point at the MUST in 
>> section 5.1 as something that should be changed to not use a 2119 
>> word. I suggest replacing the sentence with something like "If 
>> deployers deviate ... they are almost certainly giving up one of the 
>> foregoing..."
> Yes, something along those lines would be better.
>> Very small nits:
> The authors will work to improve the text on the points you have 
> raised. If you would like us to propose text for each of these points 
> in this email thread rather than through a revised I-D, let us know.
I think a revised I-D is the better way to go.
>
> Thanks again,
>
> Peter
>

v2.23.0 | Report a Bug | By Email