Re: [secdir] secdir review of draft-elie-nntp-tls-recommendations-01

Julien ÉLIE <julien@trigofacile.com> Thu, 08 December 2016 21:47 UTC

To: David Mandelberg <david@mandelberg.org>
References: <022c6479-4bac-f18e-928a-796a0d7ebde3@mandelberg.org>
From: Julien ÉLIE <julien@trigofacile.com>
Organization: TrigoFACILE -- http://www.trigofacile.com/
Message-ID: <6eb3ef06-c3f0-462e-0cc1-573e585cc221@trigofacile.com>
Date: Thu, 08 Dec 2016 22:47:34 +0100
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:45.0) Gecko/20100101 Thunderbird/45.5.1
MIME-Version: 1.0
In-Reply-To: <022c6479-4bac-f18e-928a-796a0d7ebde3@mandelberg.org>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/fHLqra0eDkWGnLpIlVHpBEKTV6s>
Cc: draft-elie-nntp-tls-recommendations.all@ietf.org, iesg@ietf.org, secdir@ietf.org
Subject: Re: [secdir] secdir review of draft-elie-nntp-tls-recommendations-01

Hi David,

> I think this document is ready with nits.

Many thanks for having taken the time to review the document.


> Section 2.4: I think the second to last bullet (about lack of STARTTLS)
> should be expanded in scope to say "during any previous connection
> within a (possibly configurable) time frame" instead of "during the
> previous connection." Otherwise, a human might not see the warning the
> first time, and the warning would disappear immediately after that.

Oh, you're totally right.  That's a pretty good catch.
I've adopted your wording in the future revised I-D.



Incidentally, I would like to point out that I received in the 
(concluded) IETF NNTP a suggested answer to the 3rd question in 
Appendix E:
   https://lists.eyrie.org/pipermail/ietf-nntp/2016-November/006249.html
   https://lists.eyrie.org/pipermail/ietf-nntp/2016-December/006251.html

FYI, the use of ports 119 and 433 is described in Sections 3.4.1 and 
3.4.2 of RFC 3977:

     The official TCP port for the NNTP service is 119.  However, if a
     host wishes to offer separate servers for transit and reading
     clients, port 433 SHOULD be used for the transit server and 119 for
     the reading server.


I believe it is OK to take the following text into account for the ports 
to use for NNTP over TLS, but I prefer to share with you the wording in 
case you have any comments about it.  (Maybe it is not clear enough!)
We would then have in Appendix A of the document:

  The third and fourth paragraphs in Section 1 of [RFC4642] are
  replaced with the following text:

   TCP port 563 is dedicated to NNTP over TLS, and registered in the
   IANA Service Name and Transport Protocol Port Number Registry for
   that usage.  NNTP implementations using TCP port 563 begin the TLS
   negotiation immediately upon connection and then continue with the
   initial steps of an NNTP session.  This use of strict TLS on a
   separate port is the preferred way of using TLS with NNTP.

   If a host wishes to offer separate servers for transit and reading
   clients, TCP port 563 SHOULD be used for the reading server using
   strict TLS.  If a transit server offers strict TLS, it SHOULD use TCP
   port 433 if it does not accept unencrypted connections, but can
   alternatively use another unused port of its choice.  If it accepts
   dynamic upgrade from unencrypted to TLS-protected traffic, it SHOULD
   use TCP port 433 for that usage, and another unused port of its
   choice for strict TLS.  In either case, the port used for strict TLS
   should be clearly communicated to the client, and specifically that
   no plain-text communication occurs before the TLS session is
   negotiated.


-- 
Julien ÉLIE

« – And if you don't find it, I'll have you boiled and served to the
     lions with mint sauce!!!
   – But that's horrible!
   – Yes, the poor beasts! » (Astérix)
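The two points raised in this exchange (which port implies strict TLS versus a plaintext session upgraded with STARTTLS, and the Section 2.4 warning that should not vanish after a single connection) can be put side by side in a small client-side policy. The following Python is an added example for this archive page; it is not code from the mail, the I-D, RFC 4642 or any NNTP implementation. The names `parse_capabilities`, `tls_mode_for_port` and `StarttlsMemory`, the `mode`/`window` parameters and the 30-day default are assumptions chosen here; the port numbers and the CAPABILITIES response format come from RFC 3977 and the text quoted above.

```python
import time
from dataclasses import dataclass, field

# Port conventions quoted in the mail (RFC 3977 sections 3.4.1/3.4.2 and the
# proposed replacement text for RFC 4642): 119 reading, 433 transit, 563 strict TLS.
READING_PORT = 119
TRANSIT_PORT = 433
STRICT_TLS_PORT = 563


def parse_capabilities(response):
    """Parse a multi-line NNTP CAPABILITIES response (RFC 3977, section 5.2).

    The first line is the 101 status line; the block ends at a line holding a
    single '.'.  Lines starting with '.' inside the block are dot-stuffed and
    lose their first '.'.  Returns the set of capability labels (first token,
    upper-cased), e.g. {'VERSION', 'READER', 'STARTTLS'}.
    """
    lines = response.splitlines()
    if not lines or not lines[0].startswith("101"):
        raise ValueError("expected a 101 capability response")
    caps = set()
    for line in lines[1:]:
        if line == ".":
            break
        if line.startswith(".."):
            line = line[1:]
        if line.strip():
            caps.add(line.split()[0].upper())
    return caps


def tls_mode_for_port(port, strict_tls_ports=frozenset({STRICT_TLS_PORT})):
    """Decide how a client must handle TLS for a given port.

    'strict' means the TLS handshake happens before any NNTP bytes are exchanged;
    'upgrade' means the session starts in plaintext and may be upgraded with
    STARTTLS.  Only 563 is strict by default; a transit server on 433 (or another
    port) is strict only if the operator says so, which is why the set is a parameter.
    """
    return "strict" if port in strict_tls_ports else "upgrade"


@dataclass
class StarttlsMemory:
    """Remembers, per (host, port), when STARTTLS was last advertised.

    mode='previous' follows the original Section 2.4 wording: warn only if the
    immediately previous connection offered STARTTLS, so the record is dropped
    after one warning.  mode='window' follows the reviewer's suggestion: warn
    whenever STARTTLS was seen within the last `window` seconds (a configurable
    time frame).  `mode`, `window` and the 30-day default are assumptions of this
    example, not names taken from the I-D.
    """
    mode: str = "window"
    window: float = 30 * 24 * 3600
    last_seen: dict = field(default_factory=dict)

    def observe(self, host, port, caps, now=None):
        """Record one plaintext connection's capability set.

        Returns True when the client should warn the user that STARTTLS is no
        longer offered although it was recently available (a possible downgrade).
        """
        now = time.time() if now is None else now
        key = (host, port)
        if "STARTTLS" in caps:
            self.last_seen[key] = now
            return False
        last = self.last_seen.get(key)
        if last is None:
            return False
        if self.mode == "previous":
            del self.last_seen[key]  # only the immediately previous connection counts
            return True
        return now - last <= self.window


if __name__ == "__main__":
    # Constructed sample responses: the first advertises STARTTLS, the second does not.
    with_tls = "101 Capability list:\r\nVERSION 2\r\nREADER\r\nSTARTTLS\r\n.\r\n"
    without_tls = "101 Capability list:\r\nVERSION 2\r\nREADER\r\n.\r\n"
    for mode in ("previous", "window"):
        mem = StarttlsMemory(mode=mode, window=3600)
        mem.observe("news.example.net", READING_PORT, parse_capabilities(with_tls), now=0)
        warnings = [mem.observe("news.example.net", READING_PORT,
                                parse_capabilities(without_tls), now=t) for t in (600, 1200)]
        print(mode, "warns on two later STARTTLS-less connections:", warnings)
```

Running the module shows the difference the reviewer pointed out: in `previous` mode the second STARTTLS-less connection is silent, while in `window` mode both connections inside the time frame warn. A client would call `tls_mode_for_port` before connecting and feed the CAPABILITIES response of every plaintext session to `observe`, persisting `last_seen` across runs.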