IETF Logo Mail Archive

Re: [TLS] TLS Provfiles (Was: Call for consensus to remove anonymous DH)

Stephen Farrell <stephen.farrell@cs.tcd.ie> Wed, 16 September 2015 14:44 UTC

Return-Path: <stephen.farrell@cs.tcd.ie>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 904CA1B3FB1 for <tls@ietfa.amsl.com>; Wed, 16 Sep 2015 07:44:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.33
X-Spam-Level:
X-Spam-Status: No, score=-2.33 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FRT_PROFILE2=1.981, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id j2dgC5X0V9df for <tls@ietfa.amsl.com>; Wed, 16 Sep 2015 07:44:09 -0700 (PDT)
Received: from mercury.scss.tcd.ie (mercury.scss.tcd.ie [134.226.56.6]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BA3F81B3F99 for <tls@ietf.org>; Wed, 16 Sep 2015 07:44:09 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mercury.scss.tcd.ie (Postfix) with ESMTP id E2A3DBE38; Wed, 16 Sep 2015 15:44:07 +0100 (IST)
Received: from mercury.scss.tcd.ie ([127.0.0.1]) by localhost (mercury.scss.tcd.ie [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id L59YwbDdnWoi; Wed, 16 Sep 2015 15:44:07 +0100 (IST)
Received: from [134.226.36.180] (stephen-think.dsg.cs.tcd.ie [134.226.36.180]) by mercury.scss.tcd.ie (Postfix) with ESMTPSA id 3D9BFBE2F; Wed, 16 Sep 2015 15:44:07 +0100 (IST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cs.tcd.ie; s=mail; t=1442414647; bh=7hjzl/HlwiHI7utxwAIIWzlJwJ2Zypq8fGA7wOvWlrk=; h=Subject:To:References:Cc:From:Date:In-Reply-To:From; b=afKQoiM+eKjVSSx3wWmAVdzTmaEichqU+kuAb55OqNVWUWd4dkTAkLlsnarVoMtFV 7GwR+kNLqD/1FzQvF27Yb+SfHgFEC27zdoaKh6qLVWCqDLcl96aeRJJyS2B8CmGMKO ftdhTOdl2AoirJeyUK+Jo5jG81nTfVS9LcX3Y2EM=
To: Peter Gutmann <pgut001@cs.auckland.ac.nz>, "noloader@gmail.com" <noloader@gmail.com>, Tony Arcieri <bascule@gmail.com>
References: <CAH8yC8=eHzQPL6cROVK4Pm0V2FSYTL7C7csLG7p49W5LEmfo=Q@mail.gmail.com> <9A043F3CF02CD34C8E74AC1594475C73F4B070E6@uxcn10-tdc05.UoA.auckland.ac.nz> <55F92C1A.9060703@cs.tcd.ie> <9A043F3CF02CD34C8E74AC1594475C73F4B0723C@uxcn10-tdc05.UoA.auckland.ac.nz>
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Openpgp: id=D66EA7906F0B897FB2E97D582F3C8736805F8DA2; url=
Message-ID: <55F98037.6050103@cs.tcd.ie>
Date: Wed, 16 Sep 2015 15:44:07 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Thunderbird/38.2.0
MIME-Version: 1.0
In-Reply-To: <9A043F3CF02CD34C8E74AC1594475C73F4B0723C@uxcn10-tdc05.UoA.auckland.ac.nz>
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/I-s9SCz7nNmAD35Zkj99L0C8rE4>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] TLS Provfiles (Was: Call for consensus to remove anonymous DH)
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 16 Sep 2015 14:44:16 -0000


On 16/09/15 12:18, Peter Gutmann wrote:
> Stephen Farrell <stephen.farrell@cs.tcd.ie> writes:
> 
>> We have BCP195 [1] that aims for the "general" case (for up to TLS1.2) and a
>> draft [2] (current in IESG evaluation) for the embedded case. Are those the
>> kind of thing you're after?
> 
> Sort of, but since they're not part of the TLS spec they essentially don't
> exist (I've never seen then quoted, cited, or referenced in any third-party
> standard that deals with TLS).

I'm not sure how to process that comment. You ask for X, I ask is Y==X
and your answer is that Y doesn't exist? Seems odd. ;-)

Anyway, so far 5 RFCs reference BCP195. [1] I'd say that'll grow over
time. Hopefully folks implementing will find it useful too and not only
those writing RFCs that need TLS, but I guess we'll see over time if
BCP195 got it right or not.

  [1] http://www.arkko.com/tools/allstats/citations-rfc7525.html

> 
> Another problem is that they're defined as a large collection of (often rather
> waffly) "don't do this" comments, so as a somewhat wooly blacklist rather than
> a clear whitelist.  So the BCPs aren't really a profile but more like 20-30
> pages of hand-wringing.

Feel free to collect a bunch of your own emails (hand-wringing or
not:-) and shoot those out as an I-D.

> An actual profile of TLS would be something like MUST TLS 1.1 or above, MUST
> PFS suites, MUST AES and SHA256, MUST E-then-M (and by implication what isn't
> explicitly permitted is denied).

Yes, life would be lovely if things were so simple.

S.


> 
> Peter.
>

v2.23.0 | Report a Bug | By Email