Re: [secdir] secdir review of draft-elie-nntp-tls-recommendations-01

David Mandelberg <david@mandelberg.org> Thu, 08 December 2016 22:19 UTC

Date: Thu, 08 Dec 2016 17:09:25 -0500
From: David Mandelberg <david@mandelberg.org>
To: Julien ÉLIE <julien@trigofacile.com>
In-Reply-To: <6eb3ef06-c3f0-462e-0cc1-573e585cc221@trigofacile.com>
References: <022c6479-4bac-f18e-928a-796a0d7ebde3@mandelberg.org> <6eb3ef06-c3f0-462e-0cc1-573e585cc221@trigofacile.com>
Message-ID: <6d25826996009a1792e721b6de78a1fd@mail.mandelberg.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/avRGjLYhKyUr7Ung6NZJL-OFL_Y>
Cc: draft-elie-nntp-tls-recommendations.all@ietf.org, iesg@ietf.org, secdir@ietf.org
Subject: Re: [secdir] secdir review of draft-elie-nntp-tls-recommendations-01

On 2016-12-08 16:47, Julien ÉLIE wrote:
> I believe it is OK to take the following text into account for the
> ports to use for NNTP over TLS, but I prefer to share with you the
> wording in case you have any comments about it.  (Maybe it is not
> clear enough!)
> We would then have in Appendix A of the document:
> 
>  The third and fourth paragraphs in Section 1 of [RFC4642] are
>  replaced with the following text:
> 
>   TCP port 563 is dedicated to NNTP over TLS, and registered in the
>   IANA Service Name and Transport Protocol Port Number Registry for
>   that usage.  NNTP implementations using TCP port 563 begin the TLS
>   negotiation immediately upon connection and then continue with the
>   initial steps of an NNTP session.  This use of strict TLS on a
>   separate port is the preferred way of using TLS with NNTP.
> 
>   If a host wishes to offer separate servers for transit and reading
>   clients, TCP port 563 SHOULD be used for the reading server using
>   strict TLS.  If a transit server offers strict TLS, it SHOULD use TCP
>   port 433 if it does not accept unencrypted connections, but can
>   alternatively use another unused port of its choice.  If it accepts
>   dynamic upgrade from unencrypted to TLS-protected traffic, it SHOULD
>   use TCP port 433 for that usage, and another unused port of its
>   choice for strict TLS.  In either case, the port used for strict TLS
>   should be clearly communicated to the client, and specifically that
>   no plain-text communication occurs before the TLS session is
>   negotiated.

From a security point of view, I have no objection to this text.

I'm a bit surprised that you're using the same port (433) for both plain TLS and for STARTTLS, but as long as clients and servers are configured correctly, that should work. I assume there's no protocol switching attack between TLS and NNTP?


-- 
David Eric Mandelberg / dseomn
http://david.mandelberg.org/
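The port and mode arrangement quoted above (strict TLS on 563, and 433 serving either strict TLS or STARTTLS upgrade depending on the site), as an added example that is not part of this thread or of the draft: a client-side policy that treats the two modes as separate explicit configuration and fails closed on any mismatch instead of continuing in plaintext. FakeNNTPServer, client_mode and open_session are constructed names for this illustration; the fake server stands in for a real socket.

```python
# Client-side policy for the two ways of using TLS in the Appendix A text:
# strict TLS (ClientHello is the first thing on the wire) and STARTTLS upgrade
# on a plaintext port. Added example; FakeNNTPServer stands in for a socket.

class NNTPSecurityError(Exception): pass

def client_mode(port, configured=None):
    # 563 is registered for strict TLS; 433 may be either, so the operator
    # must say which (the text's "clearly communicated" requirement).
    if port == 563:
        return "strict"
    if configured not in ("strict", "starttls"):
        raise NNTPSecurityError(f"port {port}: TLS mode must be configured")
    return configured

class FakeNNTPServer:
    def __init__(self, mode):          # 'strict', 'starttls' or 'plain'
        self.mode, self.tls, self.offered = mode, False, False
    def start_tls(self):
        # The handshake only completes if the peer expects TLS records now.
        if not (self.mode == "strict" or (self.mode == "starttls" and self.offered)):
            raise NNTPSecurityError("handshake failed: peer answered in plaintext")
        self.tls = True
    def greeting(self):
        # A strict-TLS server waits for ClientHello, so a plaintext read stalls.
        if self.mode == "strict" and not self.tls:
            raise NNTPSecurityError("timeout: no plaintext greeting on strict port")
        return b"200 news.example.test ready\r\n"
    def command(self, line):
        if line == b"STARTTLS" and self.mode == "starttls" and not self.tls:
            self.offered = True
            return b"382 Continue with TLS negotiation\r\n"
        return b"502 STARTTLS not available\r\n" if line == b"STARTTLS" else b"200 ok\r\n"

def open_session(server, mode):
    """Bring up TLS under the client's mode; return transcript, never plaintext."""
    steps = []
    if mode == "strict":
        server.start_tls()                       # TLS first, then NNTP
        steps += ["tls", server.greeting().decode().strip()]
    else:
        steps.append(server.greeting().decode().strip())
        reply = server.command(b"STARTTLS")
        steps.append(reply.decode().strip())
        if not reply.startswith(b"382"):
            raise NNTPSecurityError("STARTTLS refused; not continuing in plaintext")
        server.start_tls()
        steps.append("tls")
    steps.append(server.command(b"MODE READER").decode().strip())
    return steps
```

Every one of the four client/server mismatches (strict client against a STARTTLS or plain server, STARTTLS client against a strict or plain server) raises before any NNTP command is sent in the clear, which is the property the "no plain-text communication occurs before the TLS session is negotiated" sentence asks for.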