Re: [Ntp] BCP 195
Daniel Franke <dfoxfranke@gmail.com> Tue, 28 August 2018 18:06 UTC
Return-Path: <dfoxfranke@gmail.com>
X-Original-To: ntp@ietfa.amsl.com
Delivered-To: ntp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 846C0130E07 for <ntp@ietfa.amsl.com>; Tue, 28 Aug 2018 11:06:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xFBWNkCw4YDa for <ntp@ietfa.amsl.com>; Tue, 28 Aug 2018 11:06:19 -0700 (PDT)
Received: from mail-qt0-x22d.google.com (mail-qt0-x22d.google.com [IPv6:2607:f8b0:400d:c0d::22d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 33441128CB7 for <ntp@ietf.org>; Tue, 28 Aug 2018 11:06:19 -0700 (PDT)
Received: by mail-qt0-x22d.google.com with SMTP id x7-v6so2768883qtk.5 for <ntp@ietf.org>; Tue, 28 Aug 2018 11:06:19 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to; bh=yCmoWz3bw+VvE3cETZ/PdymxBoE2v+O/0J4RU/IdJmc=; b=n/1Vh3q8sdiYHzuidtq6LuNQL9QdEJLYkGi8pWiIJgvJZwE2P/oIuJ6qOe15/ngrqh 2EHNn69aygnB7OHjaY8tQvTh5Wb8LuM535tF04VmPiSrMwNWXSW9CX2EEj2mpEcMc2NH HfVpdscGlC5IRT0sEVtuv7LMJsQKknJpRh9qDXbPRnILdoAx1aZ7SZ+mZMNTN0anChnO +/gTuNxAOYPR6jOs7Ih+eIS5XJ1qq4/AX0JbnczaREACG7czAKGSmO3S9p5vrC/ZDyTQ 9nXYNLW3ZSsZ8C4sJ7aymShAHNYXr+cenMAHaFPRftTLO1OL9YBhQdKtERaSkG5lP8/a aiog==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to; bh=yCmoWz3bw+VvE3cETZ/PdymxBoE2v+O/0J4RU/IdJmc=; b=XH/nWOwqQXNujDHWzWbM92X0BHjq0fpbDgquNZ7M5Tpre11QIP/X7Ukfy445aGh87Q 2H+GlYks2YvRcYQ8qtxvP+j76OeF8gawOS6QFvJKzUchduAzat4Yi2huviP6Q+Svn32b 6q+Um2eicPe+U4cyqeOYmus+vvntXDnst1yZi3yZs417UQQKMs16gQW4Qb5/trlqlo8O scUuMe3qLWl61vDn2+jbB4j6NhC59I7qIObdmhCycxiSjJHceYSwCGobHF0cR6746qKs aE1OND/Q94hJhxrxFy2IbvfZTujDVfIgM972mqH7+Ds6KvR95LC5HgZrMPyybp76tx4c Zl0g==
X-Gm-Message-State: APzg51BV4lCo4NnEnKY+yaicyTw6gjcBUsDrQX2NHwidMYdGq2I5Urk+ AoLIVsGp2YeD5VyqQsfpMbEeUYPvjsrkGMAGYEati6F3
X-Google-Smtp-Source: ANB0VdZ+9YsybMxDAB53E2XWgJS50zU0bjSJ0vCZu9u7+WA1hNCktLhkLeq+lJz4RXnBdkLjRaZte3GPUxHJxmsCqak=
X-Received: by 2002:ac8:2e87:: with SMTP id h7-v6mr2921821qta.135.1535479576805; Tue, 28 Aug 2018 11:06:16 -0700 (PDT)
MIME-Version: 1.0
References: <CAJm83bBsmKB14-dXGFXRMHXMOtwfogqDe8Vz54dJKOAL1N24NA@mail.gmail.com>
In-Reply-To: <CAJm83bBsmKB14-dXGFXRMHXMOtwfogqDe8Vz54dJKOAL1N24NA@mail.gmail.com>
From: Daniel Franke <dfoxfranke@gmail.com>
Date: Tue, 28 Aug 2018 14:06:05 -0400
Message-ID: <CAJm83bAS2_m=wLsCw1kss9+Dck7fXtZZE15wAhy_88D2w-HxGA@mail.gmail.com>
To: ntp@ietf.org
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ntp/PsdqpW3GqAxpan5Dp6UZZ0SdF34>
Subject: Re: [Ntp] BCP 195
X-BeenThere: ntp@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: <ntp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ntp>, <mailto:ntp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ntp/>
List-Post: <mailto:ntp@ietf.org>
List-Help: <mailto:ntp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ntp>, <mailto:ntp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 28 Aug 2018 18:06:20 -0000
How's this?
<section title="TLS profile for Network Time Security" anchor="tls-profile">
<t>
Network Time Security makes use of TLS for NTS key establishment.
</t>
<t>
Since securing time protocols is (as of 2018) a novel
application of TLS, no backward-compatibility concerns exist
to justify using obsolete, insecure, or otherwise broken TLS
features or versions. Implementations MUST conform with <xref
target="RFC7525"/> or with a later revision of BCP
195. Furthermore:
</t>
<t>
Implementations MUST NOT negotiate TLS versions earlier than
1.2, SHOULD negotiate TLS 1.3 <xref target="RFC8446"/> or
later when possible, and MAY refuse to negotiate any TLS
version which has been superseded by a later supported
version.
</t>
<t>
Use of the <xref target="RFC7301">Application-Layer Protocol
Negotiation Extension</xref> is integral to NTS and support for
it is REQUIRED for interoperability.
</t>
</section>
On Tue, Aug 28, 2018 at 1:46 PM Daniel Franke <dfoxfranke@gmail.com> wrote:
>
> I just learned (by reading draft-moriarty-tls-oldversions-diediedie)
> that BCP 195 exists, which gives best current practices for secure use
> of TLS. I'm going to rewrite the "TLS Profile for Network Time
> Security" as primarily a mandate to comply with that BCP. It'll go on
> to turn a couple of its SHOULDs into MUSTs where the BCP makes more
> allowances for legacy compatibility than we need to.
- [Ntp] BCP 195 Daniel Franke
- Re: [Ntp] BCP 195 Daniel Franke
- Re: [Ntp] BCP 195 dieter.sibold
- Re: [Ntp] BCP 195 Marcus Dansarie
- Re: [Ntp] BCP 195 kristof.teichel
- [Ntp] Antw: Re: BCP 195 Ulrich Windl
- Re: [Ntp] Antw: Re: BCP 195 kristof.teichel
- [Ntp] Antw: Re: Antw: Re: BCP 195 Ulrich Windl