IETF Logo Mail Archive

Re: [mile] Artart last call review of draft-ietf-mile-rolie-10

Benjamin Kaduk <kaduk@mit.edu> Mon, 09 October 2017 23:57 UTC

Return-Path: <kaduk@mit.edu>
X-Original-To: mile@ietfa.amsl.com
Delivered-To: mile@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 250E31270AB; Mon, 9 Oct 2017 16:57:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.302
X-Spam-Level:
X-Spam-Status: No, score=-2.302 tagged_above=-999 required=5 tests=[BAYES_40=-0.001, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id uTrp0yXobhIK; Mon, 9 Oct 2017 16:57:24 -0700 (PDT)
Received: from dmz-mailsec-scanner-3.mit.edu (dmz-mailsec-scanner-3.mit.edu [18.9.25.14]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9CF06120720; Mon, 9 Oct 2017 16:57:23 -0700 (PDT)
X-AuditID: 1209190e-823ff7000000797d-18-59dc0ce29c97
Received: from mailhub-auth-1.mit.edu ( [18.9.21.35]) (using TLS with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by dmz-mailsec-scanner-3.mit.edu (Symantec Messaging Gateway) with SMTP id E8.4E.31101.2EC0CD95; Mon, 9 Oct 2017 19:57:22 -0400 (EDT)
Received: from outgoing.mit.edu (OUTGOING-AUTH-1.MIT.EDU [18.9.28.11]) by mailhub-auth-1.mit.edu (8.13.8/8.9.2) with ESMTP id v99NvLDx011267; Mon, 9 Oct 2017 19:57:21 -0400
Received: from kduck.kaduk.org (24-107-191-124.dhcp.stls.mo.charter.com [24.107.191.124]) (authenticated bits=56) (User authenticated as kaduk@ATHENA.MIT.EDU) by outgoing.mit.edu (8.13.8/8.12.4) with ESMTP id v99NvHCE015911 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT); Mon, 9 Oct 2017 19:57:19 -0400
Date: Mon, 09 Oct 2017 18:57:17 -0500
From: Benjamin Kaduk <kaduk@mit.edu>
To: Martin Thomson <martin.thomson@gmail.com>
Cc: art@ietf.org, mile@ietf.org, ietf@ietf.org, draft-ietf-mile-rolie.all@ietf.org
Message-ID: <20171009235717.GN96685@kduck.kaduk.org>
References: <150752570618.18384.5615358468704377459@ietfa.amsl.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <150752570618.18384.5615358468704377459@ietfa.amsl.com>
User-Agent: Mutt/1.8.3 (2017-05-23)
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFvrOIsWRmVeSWpSXmKPExsUixCmqrPuI506kwa7jKhYr7npY/L/zl93i 2cb5LBbXzvxjtNjzv4/JgdVj56y77B5LlvxkCmCK4rJJSc3JLEst0rdL4Mo4s/Aic8EBzoo9 878wNjCeY+9i5OSQEDCR+H/sIROILSSwmEli++rYLkYuIHsDo8TlDdcZIZwrTBIPF11jBqli EVCR2LrkJ1g3G5Dd0H0ZLC4ioCux6OwDsDizQLTEwp6JbCC2sICDxPYfTWA1vEDbjs04wNrF yAE01Fni/GFpiLCgxMmZT1ggWrUkbvx7yQRSwiwgLbH8HwdImFPAReL4zjZGEFtUQFli3r5V bBMYBWYh6Z6FpHsWQvcCRuZVjLIpuVW6uYmZOcWpybrFyYl5ealFusZ6uZkleqkppZsYweEr ybeDcVKD9yFGAQ5GJR7eBZNvRwqxJpYVV+YeYpTkYFIS5b3CfSdSiC8pP6UyI7E4I76oNCe1 +BCjBAezkgiv832gct6UxMqq1KJ8mJQ0B4uSOO+2oF2RQgLpiSWp2ampBalFMFkZDg4lCd7X IEMFi1LTUyvSMnNKENJMHJwgw3mAhm8BqeEtLkjMLc5Mh8ifYlSUEuc1AEkIgCQySvPgekHp RSJ7f80rRnGgV4R5+0GqeICpCa77FdBgJqDBjMU3QAaXJCKkpBoYt9+O+t2x0CnDzkaTb5fE yg0TVixieXXT/znLz/pSx9L0N5e3vbrywmDGOi7j41EMmrKbbHie1iaEvIud/iHixvwZWqyG axddeXSV+dSZr1/2iLkVtu3yX+oibKeQHnZ6bUHgrLt5Btk3c9Q+1c6bcFmP6V5ahhPXxrme 61nO7JD9Gj9h9uvHi5VYijMSDbWYi4oTARfoVwgKAwAA
Archived-At: <https://mailarchive.ietf.org/arch/msg/mile/Ps7TgyCM_ErcOxpTon3RxmoF-ZA>
Subject: Re: [mile] Artart last call review of draft-ietf-mile-rolie-10
X-BeenThere: mile@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "Managed Incident Lightweight Exchange, IODEF extensions and RID exchanges" <mile.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mile>, <mailto:mile-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/mile/>
List-Post: <mailto:mile@ietf.org>
List-Help: <mailto:mile-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mile>, <mailto:mile-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 09 Oct 2017 23:57:25 -0000

On Sun, Oct 08, 2017 at 10:08:26PM -0700, Martin Thomson wrote:
> 
> The requirements in Section 5.3 on TLS use are unnecessarily strict.  It's
> great to recommend the use of TLS 1.2, but given that the document has no real
> requirement on any particular version of TLS, the use of "MUST" here is not

I think that one could make the case that using TLS 1.2 (or higher) greatly
facilitates having a secure system, and so it could plausibly be required
by a consuming protocol.

> needed.  Similarly, the prohibition on the use of 0-RTT is groundless.  The

I am a little surprised to hear you say that this prohibition is "groundless".
Given that we require consumers of TLS 1.3 0-RTT data to explictly specify
an application profile for how it may be used, with the intent to induce
a careful analysis of the security considerations for sending early data
messages, it seems quite reasonable to me that a protocol author might
wish to defer such a painstaking analysis and take the easy choice of
prohibiting early data.

-Ben

> lengthy list of requirements around certificate validation only risk creating a
> conflict with advice in other RFCs.  Many, if not all, of these requirements

v2.23.0 | Report a Bug | By Email