Re: [secdir] secdir review of draft-elie-nntp-tls-recommendations-01
Julien ÉLIE <julien@trigofacile.com> Thu, 08 December 2016 21:47 UTC
To: David Mandelberg <david@mandelberg.org>
References: <022c6479-4bac-f18e-928a-796a0d7ebde3@mandelberg.org>
From: Julien ÉLIE <julien@trigofacile.com>
Organization: TrigoFACILE -- http://www.trigofacile.com/
Message-ID: <6eb3ef06-c3f0-462e-0cc1-573e585cc221@trigofacile.com>
Date: Thu, 08 Dec 2016 22:47:34 +0100
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:45.0) Gecko/20100101 Thunderbird/45.5.1
MIME-Version: 1.0
In-Reply-To: <022c6479-4bac-f18e-928a-796a0d7ebde3@mandelberg.org>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/fHLqra0eDkWGnLpIlVHpBEKTV6s>
Cc: draft-elie-nntp-tls-recommendations.all@ietf.org, iesg@ietf.org, secdir@ietf.org
Hi David,

> I think this document is ready with nits.

Many thanks for having taken the time to review the document.

> Section 2.4: I think the second to last bullet (about lack of STARTTLS)
> should be expanded in scope to say "during any previous connection
> within a (possibly configurable) time frame" instead of "during the
> previous connection." Otherwise, a human might not see the warning the
> first time, and the warning would disappear immediately after that.

Oh, you're totally right. That's a pretty good catch.
I've adopted your wording in the future revised I-D.

Incidentally, I would like to point out that I received in the (concluded) IETF NNTP a suggested answer for the 3rd question in Appendix E:

https://lists.eyrie.org/pipermail/ietf-nntp/2016-November/006249.html
https://lists.eyrie.org/pipermail/ietf-nntp/2016-December/006251.html

FYI, the use of ports 119 and 433 is described in Sections 3.4.1 and 3.4.2 of RFC 3977:

   The official TCP port for the NNTP service is 119. However, if a host
   wishes to offer separate servers for transit and reading clients, port
   433 SHOULD be used for the transit server and 119 for the reading
   server.

I believe it is OK to take the following text into account for the ports to use for NNTP over TLS, but I prefer to share with you the wording in case you have any comments about it. (Maybe it is not clear enough!)

We would then have in Appendix A of the document:

   The third and fourth paragraphs in Section 1 of [RFC4642] are replaced
   with the following text:

   TCP port 563 is dedicated to NNTP over TLS, and registered in the IANA
   Service Name and Transport Protocol Port Number Registry for that
   usage. NNTP implementations using TCP port 563 begin the TLS
   negotiation immediately upon connection and then continue with the
   initial steps of an NNTP session. This use of strict TLS on a separate
   port is the preferred way of using TLS with NNTP.

   If a host wishes to offer separate servers for transit and reading
   clients, TCP port 563 SHOULD be used for the reading server using
   strict TLS. If a transit server offers strict TLS, it SHOULD use TCP
   port 433 if it does not accept unencrypted connections, but can
   alternatively use another unused port of its choice. If it accepts
   dynamic upgrade from unencrypted to TLS-protected traffic, it SHOULD
   use TCP port 433 for that usage, and another unused port of its choice
   for strict TLS. In either case, the port used for strict TLS should be
   clearly communicated to the client, and specifically that no plain-text
   communication occurs before the TLS session is negotiated.

-- 
Julien ÉLIE

« – And if you don't find it, I'll have you boiled and served to the lions
with mint sauce!!!
– But that's horrible!
– Yes, poor beasts! » (Astérix)
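The Section 2.4 point discussed above (remembering that STARTTLS was advertised during any previous connection within a configurable time frame, not only the immediately previous one) can be illustrated with a small client-side check. The code below is an added example written for this page; it is not part of the draft, of RFC 4642, or of any NNTP client. The CAPABILITIES responses are constructed samples in the RFC 3977 response format, and the in-memory dictionary stands in for whatever persistent store a real client would use.

```python
"""Client-side detection of a STARTTLS capability that was advertised
by an NNTP server during a recent connection but is now missing.

Added example for the secdir discussion of draft-elie-nntp-tls-recommendations;
not code from the draft or from any NNTP implementation.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample responses to the NNTP CAPABILITIES command
# (multi-line 101 response terminated by a line containing a single dot).
CAPS_WITH_STARTTLS = (
    "101 Capability list:\r\nVERSION 2\r\nREADER\r\nSTARTTLS\r\n"
    "LIST ACTIVE NEWSGROUPS\r\n.\r\n"
)
CAPS_WITHOUT_STARTTLS = (
    "101 Capability list:\r\nVERSION 2\r\nREADER\r\n"
    "LIST ACTIVE NEWSGROUPS\r\n.\r\n"
)


def parse_capabilities(response: str) -> List[str]:
    """Return the capability labels (upper-cased) from a CAPABILITIES response."""
    lines = response.split("\r\n")
    if not lines or not lines[0].startswith("101"):
        raise ValueError("unexpected response to CAPABILITIES: %r" % lines[:1])
    caps: List[str] = []
    for line in lines[1:]:
        if line == ".":          # end of the multi-line block
            break
        if line.startswith(".."):  # undo dot-stuffing
            line = line[1:]
        if line.strip():
            caps.append(line.split()[0].upper())
    return caps


@dataclass
class StartTlsMemory:
    """Remembers, per server, when STARTTLS was last advertised.

    window_seconds is the "(possibly configurable) time frame" from the
    reviewer's suggested wording. The record is deliberately NOT cleared
    when a connection lacks STARTTLS, so the warning keeps firing on every
    connection inside the window instead of disappearing after the first.
    """
    window_seconds: int = 30 * 24 * 3600
    # Assumption: a real client would persist this mapping across runs.
    last_seen: Dict[str, float] = field(default_factory=dict)

    def check(self, server: str, caps: List[str], now: float) -> Optional[str]:
        """Record a STARTTLS sighting, or return a warning if it vanished."""
        if "STARTTLS" in caps:
            self.last_seen[server] = now
            return None
        seen = self.last_seen.get(server)
        if seen is not None and now - seen <= self.window_seconds:
            age = int(now - seen)
            return (f"{server}: STARTTLS was advertised {age}s ago but is not "
                    f"advertised now; possible downgrade, warn before continuing "
                    f"in plain text")
        return None


if __name__ == "__main__":
    memory = StartTlsMemory(window_seconds=3600)
    for t, resp in ((0.0, CAPS_WITH_STARTTLS), (600.0, CAPS_WITHOUT_STARTTLS),
                    (1200.0, CAPS_WITHOUT_STARTTLS)):
        warning = memory.check("news.example", parse_capabilities(resp), t)
        print(f"t={t:>6}: {warning or 'no warning'}")
```

With the original "during the previous connection" wording, a client that overwrote its record on every connection would warn once and then fall silent; keeping the last sighting until the window expires is what makes the warning repeat.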