[Ntp] Antw: Re: Antw: Re: BCP 195
"Ulrich Windl" <Ulrich.Windl@rz.uni-regensburg.de> Wed, 29 August 2018 07:52 UTC
Return-Path: <Ulrich.Windl@rz.uni-regensburg.de>
X-Original-To: ntp@ietfa.amsl.com
Delivered-To: ntp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7F170130DCD for <ntp@ietfa.amsl.com>; Wed, 29 Aug 2018 00:52:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.2
X-Spam-Level:
X-Spam-Status: No, score=-4.2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1ORFDXcLw6VJ for <ntp@ietfa.amsl.com>; Wed, 29 Aug 2018 00:52:13 -0700 (PDT)
Received: from rrzmta1.uni-regensburg.de (rrzmta1.uni-regensburg.de [194.94.155.51]) (using TLSv1 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AB90F12008A for <ntp@ietf.org>; Wed, 29 Aug 2018 00:52:12 -0700 (PDT)
Received: from rrzmta1.uni-regensburg.de (localhost [127.0.0.1]) by localhost (Postfix) with SMTP id 844B967496 for <ntp@ietf.org>; Wed, 29 Aug 2018 09:52:10 +0200 (CEST)
Received: from gwsmtp1.uni-regensburg.de (gwsmtp1.uni-regensburg.de [132.199.5.51]) by rrzmta1.uni-regensburg.de (Postfix) with ESMTP id 4D69B674D4 for <ntp@ietf.org>; Wed, 29 Aug 2018 09:52:08 +0200 (CEST)
Received: from uni-regensburg-smtp1-MTA by gwsmtp1.uni-regensburg.de with Novell_GroupWise; Wed, 29 Aug 2018 09:52:08 +0200
Message-Id: <5B8650A6020000A10002D08E@gwsmtp1.uni-regensburg.de>
X-Mailer: Novell GroupWise Internet Agent 18.0.1
Date: Wed, 29 Aug 2018 09:52:06 +0200
From: Ulrich Windl <Ulrich.Windl@rz.uni-regensburg.de>
To: kristof.teichel@ptb.de
Cc: Daniel Franke <dfoxfranke@gmail.com>, "ntp@ietf.org" <ntp@ietf.org>
References: <CAJm83bBsmKB14-dXGFXRMHXMOtwfogqDe8Vz54dJKOAL1N24NA@mail.gmail.com> <CAJm83bAS2_m=wLsCw1kss9+Dck7fXtZZE15wAhy_88D2w-HxGA@mail.gmail.com> <5B863E1A020000A10002D071@gwsmtp1.uni-regensburg.de> <OF6F175C06.A8E60C22-ONC12582F8.0025E241-C12582F8.0028CBB2@ptb.de>
In-Reply-To: <OF6F175C06.A8E60C22-ONC12582F8.0025E241-C12582F8.0028CBB2@ptb.de>
Mime-Version: 1.0
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 8bit
Content-Disposition: inline
Archived-At: <https://mailarchive.ietf.org/arch/msg/ntp/4l451iBKLmRQBTM2pzlt4jt6eEk>
Subject: [Ntp] Antw: Re: Antw: Re: BCP 195
X-BeenThere: ntp@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: <ntp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ntp>, <mailto:ntp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ntp/>
List-Post: <mailto:ntp@ietf.org>
List-Help: <mailto:ntp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ntp>, <mailto:ntp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 29 Aug 2018 07:52:17 -0000
>>> <kristof.teichel@ptb.de> schrieb am 29.08.2018 um 09:25 in Nachricht <OF6F175C06.A8E60C22-ONC12582F8.0025E241-C12582F8.0028CBB2@ptb.de>: > "ntp" <ntp‑bounces@ietf.org> schrieb am 29.08.2018 08:32:58: > >> Von: "Ulrich Windl" <Ulrich.Windl@rz.uni‑regensburg.de> >> An: "Daniel Franke" <dfoxfranke@gmail.com>, "ntp@ietf.org" > <ntp@ietf.org> >> Datum: 29.08.2018 08:33 >> Betreff: [Ntp] Antw: Re: BCP 195 >> Gesendet von: "ntp" <ntp‑bounces@ietf.org> >> >> >>> Daniel Franke <dfoxfranke@gmail.com> schrieb am 28.08.2018 um 20:06 > in >> Nachricht >> <CAJm83bAS2_m=wLsCw1kss9+Dck7fXtZZE15wAhy_88D2w‑HxGA@mail.gmail.com>: >> > How's this? >> > >> > <section title="TLS profile for Network Time Security" >> > anchor="tls?profile"> >> > <t> >> > Network Time Security makes use of TLS for NTS key > establishment. >> > </t> >> > <t> >> > Since securing time protocols is (as of 2018) a novel >> > application of TLS, no backward?compatibility concerns exist >> > to justify using obsolete, insecure, or otherwise broken TLS >> > features or versions. Implementations MUST conform with <xref >> > target="RFC7525"/> or with a later revision of BCP >> > 195. Furthermore: >> > </t> >> > <t> >> > Implementations MUST NOT negotiate TLS versions earlier than >> > 1.2, SHOULD negotiate TLS 1.3 <xref target="RFC8446"/> or >> > later when possible, and MAY refuse to negotiate any TLS >> > version which has been superseded by a later supported >> > version. >> >> Isn't that too much words? "MUST negotiate TLS 1.3 or later" should say > all of >> the above. Specifically the "MAY refuse" is redundant, because the > protocol is >> "negotiated" already. >> Making specificatiions about future protocols is not really helpful > IMHO. > > I believe it is the right amount of words, specifically for the question > of TLS 1.2 vs 1.3. (Actually I had read Peter Gutmann's parody of an RFC (Grand Unified PKI Protocol (GUPP), secion 3.1.1.1.1.1 "GUPP Signature" in particular) yesterday, and that made me aware of the fact that too many words make the meaning less clear that fwer words in many cases) > The given suggestion completely excludes TLS 1.2, which I think is a bit > premature. It's a valid question whether one RFC should judge over the security of another protocol, other than recommending to prefer the most secure one (whatever that means). > On the other hand, the "MAY refuse" clause seems to me like it's not so > much about future protocols, but about the option to refuse 1.2 in case > 1.3 is supported (which I think is a great way to handle these versions). > > > As an aside: does anyone here know the exact way in which "negotiate" is > supposed to be used? For me "negotiate" means both parties are seeking a common protocol. > What I mean is: does it describe > 1) what one given device offers, or Usually "offering" is a part of negotiation protocols. > 2) what two (or more) devices agree on after some negotiation phase? "negotiate" is the act of "negotiating" (work in progress), while "negotiation" is the (successful) result of it. It's rather clear in my view of things. > > I bring this up because in Ulrich's suggestion, the words "MUST > negotiate..." rubbed me the wrong way. > I read them as excluding the option for negotiations to fail (which should > definitely be an option). If a negotiation fails, there is no common protocol to use, so no communication (unless stated otherwise). > Also, neither participant (alone) can really ensure this result, which > makes it seem like one should not try to mandate it. One party can ensure the result only in the way "either one of my offerings, or nothing at all). Naturally, the wider the offering, the most likely a negotiation succeeds, and the overall security suffers (DES & RC4 anyone?) > > In BCP 195, I see "negotiate" only used in language that supports > interpretation 2) and is consistent with only mandating things that one > single participant can actually influence: > ‑ "MUST NOT negotiate x" (either participant can ensure this by not > offering/supporting x) > ‑ "SHOULD NOT negotiate x" (as above) > ‑ "MUST support x" (local to each participant) > ‑ "MUST prefer to negotiate x" (again, local to each participant) > Never is it "MUST negotiate x" or even "SHOULD negotiate x". If both parties have the option to select between multiple possibilities, it's part of the specific protocol's negotiation mechanism if such a "prefer" mechanism exists, and how it works. Again, I'd try to avoid specifying too much how another protocol should work (preferences for TLS should be in the TLS specification, nowhere else IMHO). > > This makes me wonder if, in Daniel's suggestion, the words "SHOULD > negotiate TLS 1.3" should be changed to "SHOULD prefer to negotiate TLS > 1.3". I'd be generic, not describing a specific protocol version, but the security requirements (integrity, confidentiality, non-repudiation, etc.) of it instead. > I don't believe it is as important in a "SHOULD" clause. > Still: mandates (even weak ones) should probably only be made on things > that each participant on its own can actually influence. Do not forget that any party could implement TLS 1.3 in such a bad way that it's less secure than TLS 1.2... > What do you think? Regards, Ulrich > >> Regards, >> Ulrich >> >> > </t> >> > <t> >> > Use of the <xref target="RFC7301">Application?Layer Protocol >> > Negotiation Extension</xref> is integral to NTS and support > for >> > it is REQUIRED for interoperability. >> > </t> >> > </section> >> > On Tue, Aug 28, 2018 at 1:46 PM Daniel Franke <dfoxfranke@gmail.com> > wrote: >> >> >> >> I just learned (by reading > draft?moriarty?tls?oldversions?diediedie) >> >> that BCP 195 exists, which gives best current practices for secure > use >> >> of TLS. I'm going to rewrite the "TLS Profile for Network Time >> >> Security" as primarily a mandate to comply with that BCP. It'll go on >> >> to turn a couple of its SHOULDs into MUSTs where the BCP makes more >> >> allowances for legacy compatibility than we need to. >> > >> > _______________________________________________ >> > ntp mailing list >> > ntp@ietf.org >> > https://www.ietf.org/mailman/listinfo/ntp >> >> >> >> _______________________________________________ >> ntp mailing list >> ntp@ietf.org >> https://www.ietf.org/mailman/listinfo/ntp
- [Ntp] BCP 195 Daniel Franke
- Re: [Ntp] BCP 195 Daniel Franke
- Re: [Ntp] BCP 195 dieter.sibold
- Re: [Ntp] BCP 195 Marcus Dansarie
- Re: [Ntp] BCP 195 kristof.teichel
- [Ntp] Antw: Re: BCP 195 Ulrich Windl
- Re: [Ntp] Antw: Re: BCP 195 kristof.teichel
- [Ntp] Antw: Re: Antw: Re: BCP 195 Ulrich Windl