Re: [TLS] WGLC for draft-ietf-tls-ticketrequests

Benjamin Kaduk <bkaduk@akamai.com> Thu, 21 November 2019 07:29 UTC

Return-Path: <bkaduk@akamai.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id ABD2912094E for <tls@ietfa.amsl.com>; Wed, 20 Nov 2019 23:29:15 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Level:
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_LOW=-0.7, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=akamai.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6yrM1fFrO3At for <tls@ietfa.amsl.com>; Wed, 20 Nov 2019 23:29:14 -0800 (PST)
Received: from mx0a-00190b01.pphosted.com (mx0a-00190b01.pphosted.com [IPv6:2620:100:9001:583::1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6AC2A12004C for <tls@ietf.org>; Wed, 20 Nov 2019 23:29:14 -0800 (PST)
Received: from pps.filterd (m0050093.ppops.net [127.0.0.1]) by m0050093.ppops.net-00190b01. (8.16.0.42/8.16.0.42) with SMTP id xAL7Nk37003916; Thu, 21 Nov 2019 07:29:13 GMT
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=akamai.com; h=date : from : to : cc : subject : message-id : references : mime-version : content-type : in-reply-to; s=jan2016.eng; bh=l8db810FEXUlCqAGMd2dDyhXzoq1SNRxJBxbAq9iuJg=; b=lIVaBw70lgSPmOaCt/zS/NmkZA50TIt3ly3+YA+MLpr+xXRMDffzdsMN+1XMld6o8ZWg AEDv8gDG5z1aYUm742238U127iKn5J11h2ojeS/yt0fMNBybis9LEB64+bQ+xq7ZSaWn W4FiHcN+JoLzNj9s81cp+MViHJWsjOxbtZFGyaD3z4lU8f+UcSUy58rQp0eVOWrpYsAO fet+F31ETANdtPytkrlnTmJoZRh3LxR7+Yx/yeaR7XlBIvQbY17tEmaKqkHgSR/gedSO xiVwrhcce7eL/dsOY8bFp2JOaf9qwAu2SHBdVjtlQz4PyGDaO0N+2vQPyY4X5gcQbuYi 3A==
Received: from prod-mail-ppoint1 (prod-mail-ppoint1.akamai.com [184.51.33.18] (may be forged)) by m0050093.ppops.net-00190b01. with ESMTP id 2wcq3dr94w-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Thu, 21 Nov 2019 07:29:13 +0000
Received: from pps.filterd (prod-mail-ppoint1.akamai.com [127.0.0.1]) by prod-mail-ppoint1.akamai.com (8.16.0.27/8.16.0.27) with SMTP id xAL7GvWf007915; Thu, 21 Nov 2019 02:29:12 -0500
Received: from prod-mail-relay14.akamai.com ([172.27.17.39]) by prod-mail-ppoint1.akamai.com with ESMTP id 2wadb08dyb-1; Thu, 21 Nov 2019 02:29:10 -0500
Received: from bos-lpczi.kendall.corp.akamai.com (bos-lpczi.kendall.corp.akamai.com [172.19.17.86]) by prod-mail-relay14.akamai.com (Postfix) with ESMTP id 9551980D1A; Thu, 21 Nov 2019 07:29:10 +0000 (GMT)
Received: from bkaduk by bos-lpczi.kendall.corp.akamai.com with local (Exim 4.86_2) (envelope-from <bkaduk@akamai.com>) id 1iXgtp-0005Xz-9M; Wed, 20 Nov 2019 23:29:09 -0800
Date: Wed, 20 Nov 2019 23:29:08 -0800
From: Benjamin Kaduk <bkaduk@akamai.com>
To: Rob Sayre <sayrer@gmail.com>
Cc: David Schinazi <dschinazi.ietf@gmail.com>, "TLS@ietf.org" <tls@ietf.org>
Message-ID: <20191121072908.GY20609@akamai.com>
References: <5FBFE820-8C53-4B32-9520-343279C1A6CC@apple.com> <20191120064819.GR34850@straasha.imrryr.org> <CAPDSy+6DFJ+OYRtYK6eEiUt1noiik4KxqrGFx0ro_RL2Mft_VA@mail.gmail.com> <67c2ed4f-ce87-4d63-87bf-c38a36c8fb70@www.fastmail.com> <CAPDSy+4NQeVpmawRAOnC=whQ6S25Lc7GZMT2syTStqEt8a7XRQ@mail.gmail.com> <CAChr6SxooRW-8hdp-JtjLVNy1jq3SDK+PK0Y=4qYyVVa_nOOTw@mail.gmail.com> <CAPDSy+5Bes=kCi7WjbETJgBVu_TpM0n==9J7TVg0ha_4udhVvw@mail.gmail.com> <CAChr6Sx=y24kBcWCNVhPvhpEbLNtwTL0T4S-cBpY=MGL1SCYfg@mail.gmail.com> <20191121065415.GX20609@akamai.com> <CAChr6SxzHyKtHW+Lcdfd+hcW=dYhi1vB02ffKOVkM6SASMnYLw@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <CAChr6SxzHyKtHW+Lcdfd+hcW=dYhi1vB02ffKOVkM6SASMnYLw@mail.gmail.com>
User-Agent: Mutt/1.5.24 (2015-08-30)
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:, , definitions=2019-11-20_08:, , signatures=0
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 suspectscore=0 malwarescore=0 phishscore=0 bulkscore=0 spamscore=0 mlxscore=0 mlxlogscore=763 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1911140001 definitions=main-1911210064
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.95,18.0.572 definitions=2019-11-20_08:2019-11-20,2019-11-20 signatures=0
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 malwarescore=0 adultscore=0 spamscore=0 impostorscore=0 phishscore=0 suspectscore=0 mlxscore=0 clxscore=1015 bulkscore=0 lowpriorityscore=0 priorityscore=1501 mlxlogscore=773 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-1910280000 definitions=main-1911210065
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/-r4h8MSVKkDDOIj3TczqZ4kIMCw>
Subject: Re: [TLS] WGLC for draft-ietf-tls-ticketrequests
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 21 Nov 2019 07:29:15 -0000

On Wed, Nov 20, 2019 at 10:59:32PM -0800, Rob Sayre wrote:
> On Wed, Nov 20, 2019 at 10:54 PM Benjamin Kaduk <bkaduk@akamai.com> wrote:
> 
> > On Wed, Nov 20, 2019 at 10:35:09PM -0800, Rob Sayre wrote:
> > > On Wed, Nov 20, 2019 at 10:25 PM David Schinazi <
> > dschinazi.ietf@gmail.com>
> > > wrote:
> > >
> > > > The SHOULD from (2) is indeed not required for interoperability, but
> > > > important
> > > > to ensure servers put this protection in place.
> > > >
> > >
> > > In that case, this issue belongs in the Security Considerations section.
> > I
> > > understand that the concern is valid, but a "SHOULD" in this part of the
> > > document is not the right way to communicate it.
> >
> > Is it more of a security consideration or an operational one?
> >
> 
> Since it was referred to as a "protection", I thought it was a DoS concern.
> 
> If it's only implementation advice, that's also valid, but it doesn't call
> for 2119 SHOULD language. The document should explain the operational
> concern without using "SHOULD".

I disagree with your premise on when BCP 14 keyword usage is appropriate.
Which is to say, I think the "SHOULD" is fine for operational concerns.

-Ben