Re: [secdir] secdir review of draft-ietf-uta-tls-bcp-08

Peter Saint-Andre - &yet <peter@andyet.net> Tue, 10 February 2015 14:19 UTC

Message-ID: <54DA1382.4060905@andyet.net>
Date: Tue, 10 Feb 2015 07:19:46 -0700
From: Peter Saint-Andre - &yet <peter@andyet.net>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:31.0) Gecko/20100101 Thunderbird/31.4.0
MIME-Version: 1.0
To: "Waltermire, David A." <david.waltermire@nist.gov>, "iesg@ietf.org" <iesg@ietf.org>, "'secdir@ietf.org'" <secdir@ietf.org>, "draft-ietf-uta-tls-bcp.all@tools.ietf.org" <draft-ietf-uta-tls-bcp.all@tools.ietf.org>
References: <DM2PR09MB02247B391BD2A86482C949E0F0240@DM2PR09MB0224.namprd09.prod.outlook.com>
In-Reply-To: <DM2PR09MB02247B391BD2A86482C949E0F0240@DM2PR09MB0224.namprd09.prod.outlook.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/secdir/Xos4Ugs2GF3_OM2Yzl8ByjgYye8>

Hi Dave, thanks for the review.

On 2/9/15 6:55 PM, Waltermire, David A. wrote:
> I have reviewed this document as part of the security directorate's
> ongoing effort to review all IETF documents being processed by the
> IESG.  These comments were written primarily for the benefit of the
> security area directors.  Document editors and WG chairs should treat
> these comments just like any other last call comments.
>
> Summary: This proposed BCP outlines a number of security issues related
> to use of various revisions of TLS and DTLS. It details a number of
> attacks against various versions of TLS, cipher suites, and modes of
> operation; and provides recommendations to avoid these attacks in a way
> that is applicable to the majority of use cases for these protocols.
>
> This document is generally well-written and clear in its content. I find
> this document to be ready with nits.
>
> My only nit is a minor ambiguity in the text in section 4.2.1. Two of
> the “SHOULD” statements seem to be in conflict (#2 and #3) by my read:
>
> #1 Clients SHOULD include TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 as the
>     first proposal to any server, unless they have prior knowledge that
>     the server cannot respond to a TLS 1.2 client_hello message
>
> #2 Servers SHOULD prefer this cipher suite whenever it is proposed, even
>     if it is not the first proposal.
>
> #3 Clients are of course free to offer stronger cipher suites, e.g.,
>     using AES-256; when they do, the server SHOULD prefer the stronger
>     cipher suite unless there are compelling reasons (e.g., seriously
>     degraded performance) to choose otherwise.
>
> The way I read it, if statement #2 is honored, then statement #3 would
> not be honored, even if the stronger cipher suite is ordered before the
> TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256. I don’t think this is the intent!
>
> It would be better to qualify statement #2 with regards to weaker cipher
> suites to avoid weaker proposals, while allowing stronger proposals.

That's a good catch. #2 needs to say "Servers SHOULD prefer this cipher 
suite over weaker cipher suites..." We'll fix that in a revised I-D that 
we plan to submit tomorrow morning (after IETF LC ends).

Peter
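As an added illustration (not part of this thread, and not text or code from the draft), the following models the server-side choice the review is about: statement #2 read literally versus #2 as clarified in the reply ("over weaker cipher suites") combined with #3. The recommended suite name is the one from the draft; the other suite names, the server's strength ranking, and the `allow_stronger` flag standing in for "compelling reasons" are constructed assumptions for this example.

```python
# Added example: models the server-side cipher-suite selection rule discussed
# in the secdir review. Not code from the draft or the thread. All suite names
# except RECOMMENDED, and the strength ranking, are constructed assumptions.

from typing import Optional, Sequence

# The suite draft-ietf-uta-tls-bcp recommends clients propose first.
RECOMMENDED = "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"

# The server's own ranking of suites it is willing to use, strongest first.
# Assumption for this example; a real server derives this from its policy.
STRENGTH_ORDER = [
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",  # stronger than the recommended suite
    RECOMMENDED,
    "TLS_RSA_WITH_AES_128_GCM_SHA256",        # weaker: no forward secrecy
    "TLS_RSA_WITH_AES_128_CBC_SHA",           # weaker: no forward secrecy, CBC + SHA-1 MAC
]
RANK = {name: i for i, name in enumerate(STRENGTH_ORDER)}  # lower index = stronger


def _acceptable(offered: Sequence[str]) -> list:
    """Suites the client proposed that the server is willing to use, in client order."""
    return [s for s in offered if s in RANK]


def select_as_written(offered: Sequence[str]) -> Optional[str]:
    """Statement #2 read literally: the recommended suite wins whenever it is
    proposed, even if the client also offered a stronger one. This is the
    reading the reviewer flagged as conflicting with #3."""
    acceptable = _acceptable(offered)
    if not acceptable:
        return None
    if RECOMMENDED in acceptable:
        return RECOMMENDED
    return min(acceptable, key=RANK.__getitem__)


def select_corrected(offered: Sequence[str], allow_stronger: bool = True) -> Optional[str]:
    """#2 as clarified in the reply ("prefer this cipher suite over weaker
    cipher suites") combined with #3: a stronger suite the client offers wins
    unless the server has a compelling reason to decline it (modelled here by
    allow_stronger=False); otherwise the recommended suite beats anything
    weaker, regardless of where the client placed it in its proposal."""
    acceptable = _acceptable(offered)
    if not acceptable:
        return None  # no overlap between client and server: handshake cannot proceed
    stronger = [s for s in acceptable if RANK[s] < RANK[RECOMMENDED]]
    if stronger and allow_stronger:
        return min(stronger, key=RANK.__getitem__)   # #3: take the strongest offered
    if RECOMMENDED in acceptable:
        return RECOMMENDED                            # #2: beats weaker suites
    return min(acceptable, key=RANK.__getitem__)      # best remaining acceptable suite


if __name__ == "__main__":
    # Constructed client proposal: a stronger suite first, the recommended one second.
    client_hello = [
        "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
        RECOMMENDED,
        "TLS_RSA_WITH_AES_128_CBC_SHA",
    ]
    print("as written :", select_as_written(client_hello))
    print("corrected  :", select_corrected(client_hello))
    print("corrected, compelling reason:", select_corrected(client_hello, allow_stronger=False))
```

The two functions differ only when the client offers something the server ranks above the recommended suite: the literal reading of #2 throws that offer away, while the clarified wording keeps #2's protection against weaker suites (the recommended suite still wins even when it is not the first proposal) without overriding #3.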