Re: [secdir] Secdir review of draft-ietf-ecrit-additional-data
Magnus Nyström <magnusn@gmail.com> Wed, 16 September 2015 18:19 UTC
Return-Path: <magnusn@gmail.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EE72F1A87E9 for <secdir@ietfa.amsl.com>; Wed, 16 Sep 2015 11:19:14 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.699
X-Spam-Level:
X-Spam-Status: No, score=-1.699 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, MIME_8BIT_HEADER=0.3, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZzIaEpJgH1Ru for <secdir@ietfa.amsl.com>; Wed, 16 Sep 2015 11:19:13 -0700 (PDT)
Received: from mail-wi0-x22d.google.com (mail-wi0-x22d.google.com [IPv6:2a00:1450:400c:c05::22d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4BD0E1A87C9 for <secdir@ietf.org>; Wed, 16 Sep 2015 11:19:13 -0700 (PDT)
Received: by wicfx3 with SMTP id fx3so82289489wic.0 for <secdir@ietf.org>; Wed, 16 Sep 2015 11:19:11 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=sJYrtsU3RpzFpwTFYeJyDKCjH+Sm4TgNKgzDKMEfZCs=; b=qviTXQ9eQstrOX4baepNb9jtll6mRVuJmcWKJ/R8silLAr6jldpPKP+N4TsAMOutwc 4Z/k/EiqpjKgOHrHcdZ6UbMU7smyZqDyTvr1XliGrnR3/h76QAqAxe+KMaygho2y20Al aSAN8NLJzl5wj03xCtita2uQ6DDrpZsrIoy49Mq2eAqWXtPUPNrFJFvuwTkDSyTjcwzB w4O4WtJ3Q/s5Ap10X3EbuRTeGNkOY8Y/uQatLsxdAoQu66A6i4eveFbDXTddWMsUZuMI rSqCzQISpGH/UjZaR98CPzUIm4SZr+X3svu1Quu3O/TxctKiB/WaMPdKHa9e7LMfqOOG cw+A==
MIME-Version: 1.0
X-Received: by 10.194.205.68 with SMTP id le4mr26673021wjc.74.1442427551870; Wed, 16 Sep 2015 11:19:11 -0700 (PDT)
Received: by 10.27.130.200 with HTTP; Wed, 16 Sep 2015 11:19:11 -0700 (PDT)
In-Reply-To: <p06240619d21f5df7de24@99.111.97.136>
References: <CADajj4bzDNqCzaJSjviVZm1nk8CrbUopzj0PrNNOUcK9SNG1ZA@mail.gmail.com> <p06240610d21e68de6c17@99.111.97.136> <CADajj4a+uJi3h1qjQ9xgGup_2teQc9hgfRyWDwwKvQS5aUJDOg@mail.gmail.com> <p06240612d21e7dc050f6@99.111.97.136> <CADajj4ZGx-8vFrZXd_CQcuG3GJWYDJoFTBQ+do-duicgadkEYw@mail.gmail.com> <2do7j0.nurejh.2vaeqo-qmf@mercury.scss.tcd.ie> <p06240616d21f443ed6d5@99.111.97.136> <CADajj4aL540rk5yaVea87f_DUCc-q4n1rPzuFPXGE2=ehXAMhw@mail.gmail.com> <p06240619d21f5df7de24@99.111.97.136>
Date: Wed, 16 Sep 2015 11:19:11 -0700
Message-ID: <CADajj4Yk5RAvour880Ekor60aSRWUU+k6hWOt5HkEo7CYrNnOg@mail.gmail.com>
From: Magnus Nyström <magnusn@gmail.com>
To: Randall Gellens <randy@qti.qualcomm.com>
Content-Type: multipart/alternative; boundary="001a11c33fa8d7f419051fe1559c"
Archived-At: <http://mailarchive.ietf.org/arch/msg/secdir/cedy9oc1wK26xWhZXqOf9JdMsE8>
Cc: "secdir@ietf.org" <secdir@ietf.org>, draft-ietf-ecrit-additional-data@tools.ietf.org
Subject: Re: [secdir] Secdir review of draft-ietf-ecrit-additional-data
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 16 Sep 2015 18:19:15 -0000
Sorry, yes, also mention no CBC On Wed, Sep 16, 2015 at 10:57 AM, Randall Gellens <randy@qti.qualcomm.com> wrote: > At 10:31 AM -0700 9/16/15, Magnus Nyström wrote: > > Just a personal remark: BCP 195 still allows earlier versions of TLS, even > TLS 1.0. I felt that for a new application like this, one could go > stronger. Maybe a combo - where you rely on BCP 195 but mandate TLS 1.2 > (or later)? > > > > And not mention CBC? > > > > On Wed, Sep 16, 2015 at 9:14 AM, Randall Gellens <randy@qti.qualcomm.com> > wrote: > > At 7:38 AM +0000 9/16/15, stephen.farrell@cs.tcd.ie wrote: > > On Wed Sep 16 04:09:03 2015 GMT+0100, Magnus Nyström wrote: > > Yes, at least mandating TLS 1.2 or higher and recommending as per above > seems reasonable. > The references for the GCM suites would be RFC 5288 and RFC 5289. > > > BCP195 has recent recommendations for most TLS options. I'd say it'd be > best to use those or if not figure out why they're not correct for this > context. > > > Just to be clear: are you suggesting that we replace text suggested by > Magnus: > > TLS MUST be version 1.2 or later. It is RECOMMENDED to use only > cypher suites that offer Perfect Forward Secrecy (PFS) and avoid > Cipher Block Chaining (CBC), for example, > TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, > TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, > TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, > TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, > TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, > TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 [RFC5288] [RFC5289]. > > With this: > > TLS MUST be version 1.2 or later. It is RECOMMENDED follow > [BCP195]. > > > Note that BCP 195 does not address CBC (but does discuss PFS). I just > want to be clear before making the change, so please confirm that this > works. > > -- > Randall Gellens > Opinions are personal; facts are suspect; I speak for myself only > -------------- Randomly selected tag: --------------- > If the odds are a million to one against something occurring, chances > are 50-50 it will. > > > > > -- > > -- Magnus > > > > > -- > > Randall Gellens > Opinions are personal; facts are suspect; I speak for myself only > -------------- Randomly selected tag: --------------- > Between two evils, I always pick the one I never tried before. > --Mae West. > -- -- Magnus
- [secdir] Secdir review of draft-ietf-ecrit-additi… Magnus Nyström
- [secdir] Secdir review of draft-ietf-mpls-tp-oam-… Tina TSOU
- Re: [secdir] Secdir review of draft-ietf-mpls-tp-… Venkatesan Mahalingam
- Re: [secdir] Secdir review of draft-ietf-mpls-tp-… Venkatesan Mahalingam
- Re: [secdir] Secdir review of draft-ietf-mpls-tp-… Tina TSOU
- Re: [secdir] Secdir review of draft-ietf-ecrit-ad… Randall Gellens
- Re: [secdir] Secdir review of draft-ietf-ecrit-ad… Magnus Nyström
- Re: [secdir] Secdir review of draft-ietf-ecrit-ad… Randall Gellens
- Re: [secdir] Secdir review of draft-ietf-ecrit-ad… Magnus Nyström
- Re: [secdir] Secdir review of draft-ietf-ecrit-ad… Randall Gellens
- Re: [secdir] Secdir review of draft-ietf-ecrit-ad… stephen.farrell
- Re: [secdir] Secdir review of draft-ietf-ecrit-ad… Hannes Tschofenig
- Re: [secdir] Secdir review of draft-ietf-ecrit-ad… Randall Gellens
- Re: [secdir] Secdir review of draft-ietf-ecrit-ad… Magnus Nyström
- Re: [secdir] Secdir review of draft-ietf-ecrit-ad… Randall Gellens
- Re: [secdir] Secdir review of draft-ietf-ecrit-ad… Magnus Nyström
- Re: [secdir] Secdir review of draft-ietf-ecrit-ad… Randall Gellens
- Re: [secdir] Secdir review of draft-ietf-ecrit-ad… Magnus Nyström
- Re: [secdir] Secdir review of draft-ietf-ecrit-ad… Brian Rosen
- Re: [secdir] Secdir review of draft-ietf-ecrit-ad… Randall Gellens
- Re: [secdir] Secdir review of draft-ietf-ecrit-ad… Brian Rosen