[TLS] Re: Last Call: <draft-ietf-tls-rfc8447bis-11.txt> (IANA Registry Updates for TLS and DTLS) to Proposed Standard
Joseph Salowey <joe@salowey.net> Mon, 17 March 2025 10:40 UTC
To: Paul Hoffman <phoffman@proper.com>
CC: last-call@ietf.org, draft-ietf-tls-rfc8447bis@ietf.org, paul.wouters@aiven.io, tls-chairs@ietf.org, tls@ietf.org
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/Do2vtiWqFk4iAhLpwR-UxJT21RQ>
Hi Paul,

The draft already contains the following guidance to address this point on how to treat items marked as "D":

"D: Indicates that the item is discouraged. This marking could be used to identify mechanisms that might result in problems if they are used, such as a weak cryptographic algorithm or a mechanism that might cause interoperability problems in deployment. Implementers SHOULD consult the linked references associated with the item to determine the conditions under which it SHOULD NOT or MUST NOT be used."

The behavior of TLS when it cannot arrive at an acceptable set of parameters is defined in the TLS protocol specification.

Cheers,

Joe

On Fri, Mar 14, 2025 at 1:59 AM Paul Hoffman <phoffman@proper.com> wrote:

> Greetings again. The contents of this draft are fine but definitely incomplete. The draft gives clear language about whether particular cryptographic components are recommended for use in TLS, but no guidance for implementations of what those implementations should do if given a discouraged code point.
>
> If a TLS server negotiates to a cryptographic component labelled "D", what SHOULD / MUST the client do?
>
> If a TLS client only offers D-level components, what SHOULD / MUST the server do?
>
> A program's configuration mechanism SHOULD NOT / MUST NOT allow specifying D-level components?
>
> This draft should either be expanded to say what TLS clients and servers and configuration SHOULD / MUST do with D-level components. If it is too difficult for the TLS WG to agree on specific actions, the draft should at least say that so that the reader knows what to do with these new ratings. Without such wording, the new "D" label becomes useless in practice, which is clearly bad for security and interoperability.
>
> --Paul Hoffman