[TLS] Re: Secdir last call review of draft-ietf-tls-rfc8447bis-11

Sean Turner <sean@sn3rd.com> Tue, 25 March 2025 13:32 UTC

From: Sean Turner <sean@sn3rd.com>
Message-Id: <4438BB2C-521A-4162-92CC-9E3592796EC3@sn3rd.com>
Date: Tue, 25 Mar 2025 09:31:50 -0400
In-Reply-To: <174189701109.952601.10401495531190343196@dt-datatracker-775fc5cbb8-824tp>
To: Benjamin Schwartz <ietf@bemasc.net>
References: <174189701109.952601.10401495531190343196@dt-datatracker-775fc5cbb8-824tp>
CC: secdir@ietf.org, draft-ietf-tls-rfc8447bis.all@ietf.org, last-call@ietf.org, TLS List <tls@ietf.org>
Subject: [TLS] Re: Secdir last call review of draft-ietf-tls-rfc8447bis-11
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/3m6EXfuu8etg6mWjBexO46nqU6Y>

> On Mar 14, 2025, at 3:16 AM, Benjamin Schwartz via Datatracker <noreply@ietf.org> wrote:
> 
> Reviewer: Benjamin Schwartz
> Review result: Ready
> 
> Nit: "leave an items", lower case "*  update the note on the role ...".

Fixed via: https://github.com/tlswg/rfc8447bis/pull/70

> Use of BCP 14 "IANA SHALL" seems odd, but I assume IANA process experts have
> reviewed this formulation.

Yep!

> I wish this document would populate the "Comment" column on some of the
> discouraged entries, or at least note the reasoning in the body of the
> document.  As it stands, it seems that a reader could find a discouraged entry
> in these registries, read the Comment column, read all the linked reference
> documents (including this one), and still find no explanation for why it is
> discouraged.

Fair point, but this one had legs.

1) I went through each of the entries that we are setting to “D”. Most but not all had links to explain why they got a “D”. The PR at the end includes additions where I think they are needed.

The only one that is weird is the curves, because what we did was suggested at IETF 118: anything under 128 bits should be D. So, this is the draft that’s going to knock ‘em out. We could add that here or just point to the presentation. The PR points to the presentation.

2) This I-D has a very long list of cipher suites. Many of these are in -deprecate-obsolete-kex. -deprecate-obsolete-kex is pinned on this I-D. We’re going to leave those in this draft, but put them in another table and add to the reference column to refer to this draft where we took them out for being NULL, weak, etc.

3) We should make it clear that when “D” is set, enough information is included to determine why it’s “D”. Added this to the PR ***NOTE the addition of the MUST***:

When marking a registry entry as “D”, either the References or the Comments Column MUST include sufficient information to determine why the marking has been applied.

Here’s a link to the PR:
https://github.com/tlswg/rfc8447bis/pull/73

spt