Re: [Ntp] BCP 195
dieter.sibold@ptb.de Tue, 28 August 2018 18:30 UTC
From: dieter.sibold@ptb.de
To: Daniel Franke <dfoxfranke@gmail.com>
Cc: ntp@ietf.org
Message-ID: <OF63BFCA67.B1915F8C-ONC12582F7.00657514-C12582F7.00657518@ptb.de>
Date: Tue, 28 Aug 2018 20:28:11 +0200
Archived-At: <https://mailarchive.ietf.org/arch/msg/ntp/_9IC5RTdmOTDAv1eM13fSfQjtL8>
This is fine with me.

-----"ntp" <ntp-bounces@ietf.org> wrote: -----
>To: ntp@ietf.org
>From: "Daniel Franke"
>Sent by: "ntp"
>Date: 08/28/2018 20:06
>Subject: Re: [Ntp] BCP 195
>
>How's this?
>
> <section title="TLS profile for Network Time Security" anchor="tls-profile">
>   <t>
>     Network Time Security makes use of TLS for NTS key establishment.
>   </t>
>   <t>
>     Since securing time protocols is (as of 2018) a novel
>     application of TLS, no backward-compatibility concerns exist
>     to justify using obsolete, insecure, or otherwise broken TLS
>     features or versions. Implementations MUST conform with <xref
>     target="RFC7525"/> or with a later revision of BCP
>     195. Furthermore:
>   </t>
>   <t>
>     Implementations MUST NOT negotiate TLS versions earlier than
>     1.2, SHOULD negotiate TLS 1.3 <xref target="RFC8446"/> or
>     later when possible, and MAY refuse to negotiate any TLS
>     version which has been superseded by a later supported
>     version.
>   </t>
>   <t>
>     Use of the <xref target="RFC7301">Application-Layer Protocol
>     Negotiation Extension</xref> is integral to NTS and support for
>     it is REQUIRED for interoperability.
>   </t>
> </section>
>
>On Tue, Aug 28, 2018 at 1:46 PM Daniel Franke <dfoxfranke@gmail.com> wrote:
>>
>> I just learned (by reading draft-moriarty-tls-oldversions-diediedie)
>> that BCP 195 exists, which gives best current practices for secure use
>> of TLS. I'm going to rewrite the "TLS Profile for Network Time
>> Security" as primarily a mandate to comply with that BCP. It'll go on
>> to turn a couple of its SHOULDs into MUSTs where the BCP makes more
>> allowances for legacy compatibility than we need to.
>
>_______________________________________________
>ntp mailing list
>ntp@ietf.org
>https://www.ietf.org/mailman/listinfo/ntp
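The quoted profile turned into an enforced TLS configuration, as an added Go example that is not from this thread or from any NTS implementation: it assumes the ALPN identifier "ntske/1" (published later in RFC 8915, not stated in the thread), builds a constructed self-signed certificate in memory, and runs the two sides over net.Pipe so it works offline.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"errors"
	"math/big"
	"net"
	"time"
)
const ntsALPN = "ntske/1" // assumed NTS-KE ALPN id (later published in RFC 8915); not quoted in this thread
// ProfileConfigs builds server and client configs per the quoted profile: nothing below TLS 1.2 (Go then
// prefers 1.3 on its own) and the NTS ALPN offered. Constructed cert; tickets off only so net.Pipe cannot stall.
func ProfileConfigs() (srv, cli *tls.Config, err error) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader) // rand.Reader does not fail in practice
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: []string{"nts-ke.example"}, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, key)
	if err != nil {
		return nil, nil, err
	}
	leaf, _ := x509.ParseCertificate(der) // der was produced just above, so it parses
	roots := x509.NewCertPool()
	roots.AddCert(leaf)
	srv = &tls.Config{Certificates: []tls.Certificate{{Certificate: [][]byte{der}, PrivateKey: key}},
		MinVersion: tls.VersionTLS12, NextProtos: []string{ntsALPN}, SessionTicketsDisabled: true}
	cli = &tls.Config{RootCAs: roots, ServerName: "nts-ke.example", MinVersion: tls.VersionTLS12, NextProtos: []string{ntsALPN}}
	return srv, cli, nil
}
// Handshake runs both sides over net.Pipe and then enforces the profile on the outcome. Go does not fail
// a handshake when the peer simply omits ALPN, so "REQUIRED for interoperability" needs this explicit check.
func Handshake(srvCfg, cliCfg *tls.Config) (tls.ConnectionState, error) {
	cp, sp := net.Pipe()
	errc := make(chan error, 1)
	go func() {
		err := tls.Server(sp, srvCfg).Handshake()
		sp.Close() // releases a client still blocked on this side, whether we succeeded or failed
		errc <- err
	}()
	cli := tls.Client(cp, cliCfg)
	err := cli.Handshake()
	cp.Close() // same courtesy for the server goroutine
	if err = errors.Join(err, <-errc); err != nil {
		return tls.ConnectionState{}, err
	}
	st := cli.ConnectionState()
	if st.Version < tls.VersionTLS12 || st.NegotiatedProtocol != ntsALPN {
		return st, errors.New("connection violates the NTS TLS profile (version or ALPN)")
	}
	return st, nil
}
```

With both sides configured this way Go settles on TLS 1.3 by itself; a peer that only offers TLS 1.0/1.1 is refused by the library, while a peer that omits ALPN is only caught by the check after the handshake.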