[Ntp] Antw: Re: BCP 195

"Ulrich Windl" <Ulrich.Windl@rz.uni-regensburg.de> Wed, 29 August 2018 06:33 UTC

Message-Id: <5B863E1A020000A10002D071@gwsmtp1.uni-regensburg.de>
Date: Wed, 29 Aug 2018 08:32:58 +0200
From: Ulrich Windl <Ulrich.Windl@rz.uni-regensburg.de>
To: Daniel Franke <dfoxfranke@gmail.com>, "ntp@ietf.org" <ntp@ietf.org>
References: <CAJm83bBsmKB14-dXGFXRMHXMOtwfogqDe8Vz54dJKOAL1N24NA@mail.gmail.com> <CAJm83bAS2_m=wLsCw1kss9+Dck7fXtZZE15wAhy_88D2w-HxGA@mail.gmail.com>
In-Reply-To: <CAJm83bAS2_m=wLsCw1kss9+Dck7fXtZZE15wAhy_88D2w-HxGA@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ntp/6wFSLULPL8ysLRnbHcGkr-nUxCA>
Subject: [Ntp] Antw: Re: BCP 195

>>> Daniel Franke <dfoxfranke@gmail.com> wrote on 28.08.2018 at 20:06 in message
<CAJm83bAS2_m=wLsCw1kss9+Dck7fXtZZE15wAhy_88D2w-HxGA@mail.gmail.com>:
> How's this?
> 
>     <section title="TLS profile for Network Time Security" anchor="tls-profile">
>       <t>
>         Network Time Security makes use of TLS for NTS key establishment.
>       </t>
>       <t>
>         Since securing time protocols is (as of 2018) a novel
>         application of TLS, no backward-compatibility concerns exist
>         to justify using obsolete, insecure, or otherwise broken TLS
>         features or versions. Implementations MUST conform with <xref
>         target="RFC7525"/> or with a later revision of BCP
>         195. Furthermore:
>       </t>
>       <t>
>         Implementations MUST NOT negotiate TLS versions earlier than
>         1.2, SHOULD negotiate TLS 1.3 <xref target="RFC8446"/> or
>         later when possible, and MAY refuse to negotiate any TLS
>         version which has been superseded by a later supported
>         version.

Isn't that too many words? "MUST negotiate TLS 1.3 or later" should say all of
the above. Specifically, the "MAY refuse" is redundant, because the protocol is
"negotiated" already.
Making specifications about future protocols is not really helpful IMHO.

Regards,
Ulrich

>       </t>
>       <t>
>         Use of the <xref target="RFC7301">Application-Layer Protocol
>         Negotiation Extension</xref> is integral to NTS and support for
>         it is REQUIRED for interoperability.
>       </t>
>     </section>
> On Tue, Aug 28, 2018 at 1:46 PM Daniel Franke <dfoxfranke@gmail.com> wrote:
>>
>> I just learned (by reading draft-moriarty-tls-oldversions-diediedie)
>> that BCP 195 exists, which gives best current practices for secure use
>> of TLS. I'm going to rewrite the "TLS Profile for Network Time
>> Security" as primarily a mandate to comply with that BCP. It'll go on
>> to turn a couple of its SHOULDs into MUSTs where the BCP makes more
>> allowances for legacy compatibility than we need to.
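As an added illustration of the two readings argued above (not code from the thread, the draft, or either poster), the following Go program builds a client configuration that applies the quoted profile and runs a post-handshake check whose `require13` switch distinguishes the draft's "SHOULD negotiate TLS 1.3" from the stricter "MUST negotiate TLS 1.3 or later". The ALPN identifier `ntske/1`, the host name `nts.example` and the self-signed certificate are assumptions and constructed test data, not values taken from this message.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"errors"
	"math/big"
	"net"
	"time"
)

const ntsALPN = "ntske/1" // assumed NTS ALPN ID (the one later standardised in RFC 8915); the thread does not name it

// ClientConfig encodes the quoted profile: nothing below TLS 1.2 is offered (Go prefers 1.3 on its own) and the NTS ALPN ID is advertised.
func ClientConfig(roots *x509.CertPool) *tls.Config {
	return &tls.Config{MinVersion: tls.VersionTLS12, NextProtos: []string{ntsALPN}, RootCAs: roots, ServerName: "nts.example"}
}

// CheckState is the post-handshake check; require13=false is the draft's "SHOULD negotiate TLS 1.3", true is Ulrich's stricter MUST.
func CheckState(cs tls.ConnectionState, require13 bool) error {
	if cs.Version < tls.VersionTLS12 || (require13 && cs.Version < tls.VersionTLS13) {
		return errors.New("negotiated TLS version is below the profile minimum")
	}
	if cs.NegotiatedProtocol != ntsALPN { // ALPN support is REQUIRED for interoperability
		return errors.New("server did not select the NTS ALPN protocol")
	}
	return nil
}

// Handshake runs the profile client against a server with the given config over an in-memory pipe
// (throwaway self-signed Ed25519 certificate, constructed on the fly) and returns the negotiated state.
func Handshake(server *tls.Config) (tls.ConnectionState, error) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: []string{"nts.example"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	leaf, _ := x509.ParseCertificate(der)
	roots := x509.NewCertPool()
	roots.AddCert(leaf)
	server.Certificates = []tls.Certificate{{Certificate: [][]byte{der}, PrivateKey: priv}}
	server.SessionTicketsDisabled = true // keeps the synchronous net.Pipe exchange deadlock-free
	c, s := net.Pipe()
	defer c.Close() // closing our end also unblocks the server goroutine after a failed handshake
	go tls.Server(s, server).Handshake()
	cli := tls.Client(c, ClientConfig(roots))
	err := cli.Handshake() // fails if the server cannot meet the version floor
	return cli.ConnectionState(), err
}
```

A server limited to TLS 1.2 passes the SHOULD reading but fails the MUST reading, a server that never selects the ALPN protocol completes the handshake yet fails the check, and a TLS 1.0/1.1-only server is refused by the client before any check runs.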