Re: [Ntp] BCP 195

Marcus Dansarie <marcus@dansarie.se> Tue, 28 August 2018 20:14 UTC

Sender: Marcus Dansarie <marcus.dansarie.nilsson@gmail.com>
To: ntp@ietf.org
References: <CAJm83bBsmKB14-dXGFXRMHXMOtwfogqDe8Vz54dJKOAL1N24NA@mail.gmail.com> <CAJm83bAS2_m=wLsCw1kss9+Dck7fXtZZE15wAhy_88D2w-HxGA@mail.gmail.com>
From: Marcus Dansarie <marcus@dansarie.se>
Message-ID: <e4861a64-c6e4-be78-f6fc-2281f035360c@dansarie.se>
Date: Tue, 28 Aug 2018 22:14:31 +0200
In-Reply-To: <CAJm83bAS2_m=wLsCw1kss9+Dck7fXtZZE15wAhy_88D2w-HxGA@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ntp/OiUeoI8dIit8vT_qIbJzwkjWe3w>
Subject: Re: [Ntp] BCP 195

Good observation on BCP 195! I'm in favor of this.

The second paragraph is particularly diplomatic in view of the slightly
differing views on whether we should require TLS 1.2 or 1.3. My only
objection is that "when possible" is redundant in view of the RFC 2119
definition of SHOULD.

Kind regards,
Marcus Dansarie

On 2018-08-28 20:06, Daniel Franke wrote:
> How's this?
> 
>     <section title="TLS profile for Network Time Security" anchor="tls-profile">
>       <t>
>         Network Time Security makes use of TLS for NTS key establishment.
>       </t>
>       <t>
>         Since securing time protocols is (as of 2018) a novel
>         application of TLS, no backward-compatibility concerns exist
>         to justify using obsolete, insecure, or otherwise broken TLS
>         features or versions. Implementations MUST conform with <xref
>         target="RFC7525"/> or with a later revision of BCP
>         195. Furthermore:
>       </t>
>       <t>
>         Implementations MUST NOT negotiate TLS versions earlier than
>         1.2, SHOULD negotiate TLS 1.3 <xref target="RFC8446"/> or
>         later when possible, and MAY refuse to negotiate any TLS
>         version which has been superseded by a later supported
>         version.
>       </t>
>       <t>
>         Use of the <xref target="RFC7301">Application-Layer Protocol
>         Negotiation Extension</xref> is integral to NTS and support for
>         it is REQUIRED for interoperability.
>       </t>
>     </section>
> On Tue, Aug 28, 2018 at 1:46 PM Daniel Franke <dfoxfranke@gmail.com> wrote:
>>
>> I just learned (by reading draft-moriarty-tls-oldversions-diediedie)
>> that BCP 195 exists, which gives best current practices for secure use
>> of TLS. I'm going to rewrite the "TLS Profile for Network Time
>> Security" as primarily a mandate to comply with that BCP. It'll go on
>> to turn a couple of its SHOULDs into MUSTs where the BCP makes more
>> allowances for legacy compatibility than we need to.
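As an added example that is not code from the thread or from the NTS draft, the Python `ssl` configuration below applies the profile quoted above: TLS versions below 1.2 are refused, TLS 1.3 is preferred where the build supports it, the superseded 1.2 can optionally be refused, and ALPN is required. The ALPN identifier string is an assumption, since the quoted text says ALPN is REQUIRED but does not name the protocol ID.

```python
"""Apply the quoted NTS TLS profile to a Python ssl.SSLContext and audit a
handshake result against it. Example code, not from the draft or the thread."""
import ssl
from typing import Optional, Tuple

# Assumed ALPN identifier; the quoted profile requires ALPN but names no ID.
NTS_KE_ALPN = "ntske/1"


def build_nts_ke_context(server_side: bool,
                         refuse_superseded: bool = False) -> ssl.SSLContext:
    """MUST NOT negotiate < TLS 1.2, SHOULD prefer 1.3, MAY refuse superseded
    versions, ALPN REQUIRED."""
    purpose = ssl.Purpose.CLIENT_AUTH if server_side else ssl.Purpose.SERVER_AUTH
    ctx = ssl.create_default_context(purpose)
    # MUST NOT: floor at TLS 1.2 regardless of the OpenSSL build defaults.
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # MAY: once this build supports 1.3, refuse the superseded 1.2 as well.
    if refuse_superseded and ssl.HAS_TLSv1_3:
        ctx.minimum_version = ssl.TLSVersion.TLSv1_3
    # REQUIRED: offer (client) / accept (server) only the NTS-KE ALPN id.
    ctx.set_alpn_protocols([NTS_KE_ALPN])
    return ctx


def check_negotiated(version: str, alpn: Optional[str]) -> Tuple[bool, str]:
    """Audit what a handshake produced, as reported by SSLSocket.version()
    and SSLSocket.selected_alpn_protocol(). Returns (acceptable, reason)."""
    if version in ("SSLv3", "TLSv1", "TLSv1.1"):
        return False, f"{version} negotiated: violates MUST NOT (< TLS 1.2)"
    if alpn != NTS_KE_ALPN:
        return False, "ALPN not negotiated: REQUIRED for NTS interoperability"
    if version == "TLSv1.2":
        return True, "acceptable, but TLS 1.3 SHOULD be preferred"
    return True, "acceptable"
```

After a real handshake, pass `sock.version()` and `sock.selected_alpn_protocol()` to `check_negotiated` and close the connection when it returns `False`.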