[TLS] Re: Mohamed Boucadair's Yes on draft-ietf-tls-rfc8447bis-12: (with COMMENT)
mohamed.boucadair@orange.com Mon, 02 June 2025 10:25 UTC
Return-Path: <mohamed.boucadair@orange.com>
X-Original-To: tls@mail2.ietf.org
Delivered-To: tls@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id 4AC572F9C537; Mon, 2 Jun 2025 03:25:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -2.793
X-Spam-Level:
X-Spam-Status: No, score=-2.793 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H5=0.001, RCVD_IN_MSPIKE_WL=0.001, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, RCVD_IN_VALIDITY_SAFE_BLOCKED=0.001, SPF_NONE=0.001, UNPARSEABLE_RELAY=0.001] autolearn=ham autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (2048-bit key) header.d=orange.com
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id g9jBlwOkBA6f; Mon, 2 Jun 2025 03:25:03 -0700 (PDT)
Received: from smtp-out.orange.com (smtp-out.orange.com [80.12.210.122]) (using TLSv1.2 with cipher ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id 6330A2F9C530; Mon, 2 Jun 2025 03:25:02 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=orange.com; i=@orange.com; q=dns/txt; s=orange002; t=1748859902; x=1780395902; h=to:cc:subject:date:message-id:references:in-reply-to: mime-version:from; bh=JKhDGuVe1fYust3/GUiDRIjjqE5oo/ozUojhc2QCFag=; b=fUJDjcEs5Q11UFln5ylDSt5fLCwm9a+ASux80PAuB4iMeo0WwcYqSR/a 5Epurm+sK2H6Xs/oljNfWR1YUurUHNgV7Rp/+ZeYyAvN4oI30GadiiB3l KI2eQcR3/rIB3Ej3TFlMf/UrUQaHI/Z35LMgtMqrQnfvM7TdpbHLi8N3P l7njt4Q/Ffr3OPLVG2n0DfYkzjg3k+oMbjl6PLxNC5Wp72zjcW7X+OOGl Ro8eWMwkdOyRqF17l0/vwNU7Xkm3++6PGkc1FgbBRm9UAQ3WmLp6ChTBU U9VjO+eMYCqkcrRwuI818dKSylr1e2GIwaAL8xWdKXqNCEvHDFZgoVw5E A==;
X-CSE-ConnectionGUID: p4a4oLC8TI+ZzAe0/e0K5w==
X-CSE-MsgGUID: 1LomCx6ISM25fFo+03nhqA==
Received: from unknown (HELO opfedv3rlp0c.nor.fr.ftgroup) ([x.x.x.x]) by smtp-out.orange.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 02 Jun 2025 12:25:00 +0200
Received: from unknown (HELO opzinddimail11.si.fr.intraorange) ([x.x.x.x]) by opfedv3rlp0c.nor.fr.ftgroup with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 02 Jun 2025 12:25:01 +0200
Received: from opzinddimail11.si.fr.intraorange (unknown [127.0.0.1]) by DDEI (Postfix) with SMTP id 0D43A152B683; Mon, 2 Jun 2025 12:25:01 +0200 (CEST)
Received: from opzinddimail11.si.fr.intraorange (unknown [127.0.0.1]) by DDEI (Postfix) with ESMTP id 86518152B8BB; Mon, 2 Jun 2025 12:24:31 +0200 (CEST)
Received: from smtp-out365.orange.com (unknown [x.x.x.x]) by opzinddimail11.si.fr.intraorange (Postfix) with ESMTPS; Mon, 2 Jun 2025 12:24:31 +0200 (CEST)
Received: from mail-francecentralazlp17012051.outbound.protection.outlook.com (HELO PR0P264CU014.outbound.protection.outlook.com) ([40.93.76.51]) by smtp-out365.orange.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 02 Jun 2025 12:24:31 +0200
Received: from PR0P264MB2885.FRAP264.PROD.OUTLOOK.COM (2603:10a6:102:1d0::19) by PASP264MB4678.FRAP264.PROD.OUTLOOK.COM (2603:10a6:102:434::17) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.8792.34; Mon, 2 Jun 2025 10:24:29 +0000
Received: from PR0P264MB2885.FRAP264.PROD.OUTLOOK.COM ([fe80::d43d:e9a7:d7d8:9d33]) by PR0P264MB2885.FRAP264.PROD.OUTLOOK.COM ([fe80::d43d:e9a7:d7d8:9d33%4]) with mapi id 15.20.8769.037; Mon, 2 Jun 2025 10:24:29 +0000
From: mohamed.boucadair@orange.com
X-CSE-ConnectionGUID: M2nnidsQTKOg/ZfqGc2rcA==
X-CSE-MsgGUID: pL3MpADLQrmSjyI011Ac1w==
X-TM-AS-ERS: 10.106.160.160-127.9.0.1
X-TM-AS-SMTP: 1.0 c210cC1vdXQzNjUub3JhbmdlLmNvbQ== bW9oYW1lZC5ib3VjYWRhaXJAb 3JhbmdlLmNvbQ==
X-DDEI-TLS-USAGE: Used
X-CSE-ConnectionGUID: wpM+WxjuRaa4nhDPsxhPWQ==
X-CSE-MsgGUID: byHUb/YIQtuvByheAM+wEw==
Authentication-Results: smtp-out365.orange.com; dkim=none (message not signed) header.i=none
IronPort-Data: A9a23:gyGrmqOcT6glsFzvrR39kMFynXyQoLVcMsEvi/4bfWQNrUog3jdRx mVNXWiOOPrYNmGhL4siboS/9UtUsZODmNNiHAZtpSBmQkwRpJueD7x1DKtR0wB+jCHnZBg6h ynLQoCYdKjYdleF+1H1dOKn9SIgvU2xbuKUIPbePSxsThNTRi4kiBZy88Y0mYcAbeKRW2thg vus5ZSBULOZ82QsaD9MtfrZ8EoHUMna41v0gHRvPJing3eOzxH5PLpHTYmtIn3xRJVjH+LSb 44vG5ngows1Vz90Yj+Uuu6Tnn8iG9Y+DiDX4pZiYJVOtzAZzsAEPgTXA9JHAatfo23hc9mcU 7yhv7ToIesiFvWkdOjwz3C0HgkmVZCq9oMrLlCgqenQ8F3EbkHlyqloDG0OJp0YwtlOVDQmG fwwcFjhbzi7vbqOmuznYdQ035hlK9T3NoQCvH0m1SveEfstXZHERePN+MNc2zAzwMtJGJ4yZ eJFMXw+N1KfPVsSYz/7C7pm9Ausrnz4czRdpV7Tr60q6GHfxQ1r+L/3Odzad5qBQsA9ckOw9 j6eoz6kXkly2Nq3wyulz3jrt872gT7lcpMSGZSdteFHnwjGroAUIEZNDwfkyRWjsWalVttZA 1cSoTAi66M18SSDT9TmUDW5rWKK+BkGVLJ4H/cz5h3Iy6fI7UOFAnNBVDBKOIB668U3XhQr2 0OH2dTzClRHrLmODHmd/7aOthuzNDQba2gYakcsUQ8ey9juvI91iQjAJv5vDbSoi9bvBCrs3 jSXqQAxgrwSiYgA0KDTwLzcqzelp5yMQBQ84A7aVW+j8hlwYIe3Y5TxtgCCt64ddcCeU0WLu 2UCl46G9ucSAJqRlSuLBuIQALWu4PXDOzrZ6bJyI3U/3yu13j2cbYJN2jh3eEFpHv4faT/RX 3aG7Gu9+6RvFHetaKZ2Zae4BMIr0bXsGLzZuhb8PoYmjn9ZJF7vwc1+WXN8yVwBh2ACq8kC1 XqzdM+tCTMUE61hxze9SuEBy7YvzzI63TqMHcmhl0n+l72DeHSSVLEJdkOUafw057+FpwOT9 MtDM8yNyFNUV+iWjsjrHWw7cgliwZsTXMqeRylrmgireVcO9IYJV6C5/F/ZU9Y595m5b8+Rl p1HZmdWyUDkmVrMIhiQZ3ZoZdvHBMkj/SJjZ3NxYQnzhhDPhLpDCo9PKvPbmpF3pYReIQJcE aVVJa1s/9wTFGuao2hDMfERUqQ5Lkjz31rm09WZjMgXJMU6G1OhFi7Mewrk7i4VCSSr/cA5u aXI6+8oactreuiWN+6PMKjH5wro5RA1wbsuN2OWeIU7UBu3quBCdXeu5sLb1ulQc30vMBPGj V7OWX/1ZIDl/+cIzTU+rfvf/tn0SbEmTyK33QDztN6LCMUTxUL7qacobQpCVWm1uL/ckEl6W dho8g==
IronPort-HdrOrdr: A9a23:0KbNh6DhEReo5N/lHeli55DYdb4zR+YMi2TDtnoBKiC9F/byqy nApoV86faZskd0ZJhCo6HjBEDjewKkyXcd2+B4UNeftSbd2VdAR7sSiLcKrQeQfBEXvoZmu5 tIQuxbAN30A0R8yfz35wS5FNhl4MDCyaavgI7loEtFfEVPY6Fk4Rt/TjyWFUB3QwcDJYN8LZ yb445hrz6tEE56UizwbkNuY9T+
X-Talos-CUID: 9a23:IwhmgGuLS0+8DBVemfXm78B16Is6alie82fSPnWxADpvSJGtUk+QwJxdxp8=
X-Talos-MUID: 9a23:EgLhUg889mwOP7TfhpDLzwWQf815w5mkT3EsqIkbpeOVNSFZHnSCoSviFw==
X-IronPort-AV: E=Sophos;i="6.16,203,1744063200"; d="scan'208,217";a="84042540"
ARC-Seal: i=1; a=rsa-sha256; s=arcselector10001; d=microsoft.com; cv=none; b=TBT52fg4udcaj8OtadoY9MHnk0DuH8aVjGiA3gbwGo8oFYp8kSPfPWMyOS0664+GVPQ1ogN0y8FN7BO4NyNmFhVsllTAtYqCpeUWCD5anPzfbVdizizErc3KzRbGZTSzdoSgDXKNATfzOu5xbAJSjxoZHyV1lLVepPc6d1EinuRY5tZHoZpfNwPXezgzdkeS8KxQtCZl4eOkYPDHDuiNDIDCQyjNxw6E+GU4P8BgQGqQlKY4qalmd0yPuS0vuWaaMKqU0+NEGj2ug8hobegjWlzShuww66bzgCe6pM5PT7Ud9PN+lQzgZmeN6jT09HOd4TSrcVZScJ7vy9sHncETzw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector10001; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=r6mYrZFJwMzXeJMUJJriIdHxiaMo0GtodiuJR85L6iw=; b=sEumz/hp0NBE2a5Jk5bnBbfzK2KRBkItHRsmEIsxOEK0Wo5lWm7w/ePK2l6B7lYoe+Q3HySNfZbpziL6gMPb9AW/2cOXJl7wJD9OPd2Jgdlw01Zc900jw+e8mE6dB0AMocwy/b4Iu8+pnHiccC2kKolczfFkcaRTeSQ8zj0CmhRaH88/McexT9zkcsEC09uhzco5HHMHyOXcXQMm7wyaBy38nE6XJY28cNnAyR/3ogfOjz+FKfz0YATWVEwcHBaEYziT8mq32FTE37UAHl7yb46KSXPZ7vF/KfA5fdXTU72B/idsdneXCeyn0FYc0nPxRaQq1GOois/ro+HnX3wdEQ==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=orange.com; dmarc=pass action=none header.from=orange.com; dkim=pass header.d=orange.com; arc=none
To: Sean Turner <sean@sn3rd.com>
Thread-Topic: Mohamed Boucadair's Yes on draft-ietf-tls-rfc8447bis-12: (with COMMENT)
Thread-Index: AQHb0As0vZKY6yX0UkuJI7gUSjgt27PvrlXg
Date: Mon, 02 Jun 2025 10:24:29 +0000
Message-ID: <PR0P264MB288522E1FF0688DAF2B4971E8862A@PR0P264MB2885.FRAP264.PROD.OUTLOOK.COM>
References: <174756917446.140278.5516946093195758412@dt-datatracker-59b84fc74f-84jsl> <0360F88B-553C-4980-82BE-D364ADA3D96E@sn3rd.com>
In-Reply-To: <0360F88B-553C-4980-82BE-D364ADA3D96E@sn3rd.com>
Accept-Language: fr-FR, en-US
Content-Language: fr-FR
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
msip_labels: MSIP_Label_07222825-62ea-40f3-96b5-5375c07996e2_ActionId=bc1fd227-77d0-4b71-b612-46516ae4fb3b;MSIP_Label_07222825-62ea-40f3-96b5-5375c07996e2_ContentBits=0;MSIP_Label_07222825-62ea-40f3-96b5-5375c07996e2_Enabled=true;MSIP_Label_07222825-62ea-40f3-96b5-5375c07996e2_Method=Privileged;MSIP_Label_07222825-62ea-40f3-96b5-5375c07996e2_Name=unrestricted_parent.2;MSIP_Label_07222825-62ea-40f3-96b5-5375c07996e2_SetDate=2025-06-02T10:24:19Z;MSIP_Label_07222825-62ea-40f3-96b5-5375c07996e2_SiteId=90c7a20a-f34b-40bf-bc48-b9253b6f5d20;MSIP_Label_f47c794b-e3ab-43f0-9e0f-29fc3e503192_ContentBits=0;MSIP_Label_f47c794b-e3ab-43f0-9e0f-29fc3e503192_Enabled=true;MSIP_Label_f47c794b-e3ab-43f0-9e0f-29fc3e503192_Method=Standard;
x-ms-publictraffictype: Email
x-ms-traffictypediagnostic: PR0P264MB2885:EE_|PASP264MB4678:EE_
x-ms-office365-filtering-correlation-id: a0f97a3f-b4f9-4ca5-e95e-08dda1bfa8ab
x-ms-exchange-senderadcheck: 1
x-ms-exchange-antispam-relay: 0
x-microsoft-antispam: BCL:0;ARA:13230040|366016|1800799024|376014|38070700018|8096899003|13003099007|7053199007;
x-microsoft-antispam-message-info: 48zCQi9jOoILfmbarBr8MGbrrYlT5u2aGeKTrNy3/cN/q/mCfTcnUrlhxtXRObZh/AFmLw0Yj3XwhBuJv8MJJM0Z0EOwRgjBREyV+7F6Egruy2iHTVCtdfloFqfVIne0nI+z7ybGGd+dkNm4XWU4olSqrFkqa4nalSw87Bs/1IE8sRW2fngsG/G2DVAj+x+CGyGNozDzk0jy6o9CUGVugC3uRMQVB8mEOtRG0Enc2MNsCfF/zhHt/B4IIrc/Jrm+7ZR47AU4J0iZqqu/BP8NYk7+mYZDv4HBSjQXt63r/GWkdsy++nR8evt6p2Lt60wIX4Qn0y3wLqAdw6p42pa6mB6TjMViLhTJTsOBfjV9yf9iLbFgj1HXS+lxTS4pZO4lS5QLeKevu1AtTPCu5uu1wdVReS1YDkkmNdPGuTrwixnhOPJ6X9MfZ8RwpeJ/qQvhD0yMJO65lSRJdTAFyh21x5EShnJQ9INwsGq0GDy19JieJsBqJdl4jb5h4VRbllf9vZM8grxBWnNcChNM4FaROdijmc8XqrB4Biy66JW6Gi8bGRrTCiCsmv8j85bPJBcB9w4KW6PSpm4lif1RvzqjmjJWu8DoUTABdfIU27YfkevRtTDIwgQA+mdpovwcAdOIfCIYwnhAAX94bDtwGu1Z8jQ4KaRJbMnAsWDefKxEOe+2rmUNSSizNCVIoVaB5wJH6KPPn8c+jwmUhsHOHrAi82oV3W3chOajZxLpYUqqs+XRX+fF9pOUvg9qplVpivcDfJeaAD0nzNCmYmnp6kOmpCtgHKquef+Z28bjKZZLa+eKS5HXqtbyrjgWpDZg5lmLzcuj/EnlGGapzyky5rgxQGcaE1G44/Hwav8Tza3C5I/F7OyDWF5LB3MaD/fLGROhxUYzjOLW8ueQJ2gJCSwP8icrSXHhzPWAg0TX87ajVsORlNA47JruhViR3ctiOJiMOvGfhJi//swjsiZzwTyGzciR2kFakHN6gh2SGN4MIRBs5+2mjiHP1DO8+YiB1sD5W87JEAAucNrYTlv8FCF+E7q4tSeYG6E6z0kGb9LO0+Jn+PwAllfQ8MIIgSGHhbrTLCh8U4sYwUeP4pcQZOAoOZzvMGR7co+uExGpBs6CVhXPdUZcuqPjximK4lah7+wTtPaXTaGdCnN5gUZFK8KDlIWxJl1UqzU+T2mAY+mc0oHM+yn/5FX5X+HLRX47f6jXe2tH/iHBzDiVzsHNAzutgSHc/9usgu30fgH5zZZpKwria4C/NYw0Cboubbb7w9GylDBflB/Z8uxqKB7Rt0Mbu9i/zKKKD9r2Kg0OuEGryVT654+1V4UroI2Z4LsQ0MDbTufrP5xtmQ/rpUNS68HULNxAgBUcqZHxoU5kBDtYjwrqOq+r3EgAbBHg48veA7kND6Lr66tmZly+QVVBIr31BrCvSUKlN2Y7B4kCmz0SasgK+Oo/eScvUR64/brvuHcU5zaPtKj4Mphxuvmzf+MLOBmGY1p2Mo/UkfLuQ6XLAEU=
x-forefront-antispam-report: CIP:255.255.255.255;CTRY:;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:PR0P264MB2885.FRAP264.PROD.OUTLOOK.COM;PTR:;CAT:NONE;SFS:(13230040)(366016)(1800799024)(376014)(38070700018)(8096899003)(13003099007)(7053199007);DIR:OUT;SFP:1101;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: BqbuCu+SXmv41cgoNNWFvHeEtiFkJEO/R9bU8UIPHuhW95Hn5Evxsxx41xNYOOJXpY4NDGb5G5aHq0A328LOJKZ2owURbiaNGzcSg7QOHVnI2hJgqWwCdj2425tIxDVw1lLxlXuf9PH+ac1dEhUE7kkuFZ0hBTzlvFAVJAskffwmym9zweFI6u12lZ4xB8OVHyWOa1j3Ybxy28sD4BmmNVVXgv6RTcyySUI5SNVQst1jHKt5foxCRHLsNzwk6Z2emne/fOek+lSb/aXCP8qUoMUi4Dr7lD2iHifoT/GnRz8FTj5sFcn7QN/n0lQdMEjIT3IXJtZXWcWVgd17hhXSpnNhE+t+zDohEi2bxwtRLpKPwLczbOHcnqu3YbAOK4TUAOmTLJrF0fKd7WUMKeC5X9mopT2rF04rfReMwfzRQE/MDDQSzlTmgkQv6mzmduB1XCaihSLZNdrCk5e8JZcNnw+jRnxdeExyYaAHKpF5dbWG8zgSzAe1mkWPSbzVoCsJwFJJH71wsCnVN92TRSWyH0Jzbv1nlKUGhuJ4fCi7AtEXTKA69V7VxaPhF6NMy6PawhGWZXeJe+iDrVAjXhnb1qbEqPCVpIv0GQYLOJBdzV6oQ8AysA7k4g3QpK1nhNYbx2I0rdDLnh4frTQYYe4NOJ3ILLNGjPHpf8nB8jIL23EhmykDDoxJHJnwXcSQVLGaZ9z0X0/81etI3x77YwFMgt8bKsEQYmn1ykasKH4vPcPX+7Qvd4LPKlGp3GxE8G525tFVyekgLjFT4z14mUnKVdEEuN5WGgm8tipNq/XjJxE0kHvBJMsXWlaVGs7ky21m1bQTuiG7HOK0WLQnelPjix4H8fek+pJZ6WjJEiptco3o2qxP9m3R3qhgG4tK13jp698Vxz8UsWBOuk63LdWxrWOEw08KL+w13X28guj0FrPDZPs+y6tq24pFLrhvw1xNTNfdgTYyOS/Ayj9w1TFKaLuhYVXO4gCL7JgEfZAoBH4GvPRBSBbzpuDkwU66TBjx3cCY0we9juEYtBq8pECW7/wtUSKAfoTMVFQ9xpE5QJ/4fQemZHstbFkWv+il4H1uIDQIxdi08ON5DZJ2j/nCwy8KObAy3+vqJCZny/BYg5We4D1Ob0+L4PoAxUrSwY9Iqol7HBCZ1sHQctPQz2a+6OFFdxYQ2WbEVBtmbrKWcp/p+55eZVakz/hQvAythiCAjtt/oU8LAVE4uFdxmUqKQWxeT+wRcVBmKlzjwfJz3WTjhP76fMi6q5SUJNWhkLa5JyNIrHuqZNC2QBFMwS1bEho/tizwvEBfV1cvNP66lJyUqWQfWkROEr3pQVuzGrxe67FcqQTC13BxioS0WqTQ057XMBArFq1Vv9b/vpT1UxfrMNBwDtSprLwJ+69LBmTZEX+lMbSNl+cav3/0/dHEW6yoA/ygF43SQtN8FIKiEh9lxGoMDJMoVt51vIDeplBuWCtU1rKqmcIlDwQEaOc1aIhu8NcQvNaQFS/w1lwVngVTxv/OqEb6ggtP23+qA1MP7LnwkeIT8vMkSfokfekp5l6iI0JfAfBtfKfo6Pfs9SHQB7OdZMr8rLtaapTD484deEnaD+G5sy6luzVmzr+6ng==
Content-Type: multipart/alternative; boundary="_000_PR0P264MB288522E1FF0688DAF2B4971E8862APR0P264MB2885FRAP_"
MIME-Version: 1.0
X-OriginatorOrg: orange.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: PR0P264MB2885.FRAP264.PROD.OUTLOOK.COM
X-MS-Exchange-CrossTenant-Network-Message-Id: a0f97a3f-b4f9-4ca5-e95e-08dda1bfa8ab
X-MS-Exchange-CrossTenant-originalarrivaltime: 02 Jun 2025 10:24:29.7038 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 90c7a20a-f34b-40bf-bc48-b9253b6f5d20
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: iW5Sn6dOjDVwW5rGtX+GxWX1vAPQgQXuuvsrRXS7epWwjRtZcLXYlIQUCb/eC+LhvhV7W8MTr0U5dAu9UEV54sJ+LSJi0KqBsC74ynmJY/E=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: PASP264MB4678
X-TM-AS-ERS: 10.106.160.160-127.9.0.1
X-TM-AS-SMTP: 1.0 c210cC1vdXQzNjUub3JhbmdlLmNvbQ== bW9oYW1lZC5ib3VjYWRhaXJAb 3JhbmdlLmNvbQ==
X-TMASE-Version: DDEI-5.1-9.1.1004-29226.007
X-TMASE-Result: 10--38.079900-10.000000
X-TMASE-MatchedRID: fSYce/2kgDy7REX8b2FriCbixKZRJvnJARprIm1hk23La0eANE7Nz+ch HA04zz3zfd4xuFGlTT1L3iG65EPz1Icr1PluqvvrYVRIfIQwLJfwlvzzUUaf2cqspZV+lCSLTKB +lyLMdlPEBpjowVhURxRkYSyuOM5OvnMTAcbQeTaCLLCIQ+1lwR1kSRHxj+Z5IfyQNHR2naZ1x9 TrfLzE8HIC79QvqIMft/w+sxk1xuPEuDUpPBG5saIQaDHw+1Ih9Ib/6w+1lWTTopklGADJWRzlI Yo2TUIb+MXkPU9KMAP4rtXLTwSzJRSUdrT1oRMNHU6vnrTGfsav+kNtyTw7SkyQ5fRSh265dT3y 1rDU/SlEtze1Hf2TcoDyCkt8AvqOqYH9YzLp+XuEJDKGWIkz0gA+Y0oNaxbQF4r8H5YrEqz0alA +huUQ+Vk/EVZFlSouNjyQBE3C45WuKy0zi9o1uK71lWFQP8hVEhGH3CRdKUUBqNb4Qv6Vo9WM2x 6EZ/S9XFTHo1zeSS9oApRSyQWHuUq641C9tq2xeFjFFu7pAKYE7TRD/Y9Cz46ESGgCXvgo33Nl3 elSfsph6IvLMFu5q/1x26DNmsaMnLgW0r8oQuEpwhmqFfi+OGQFd4bOnrT6PQ6XWceR2mUQKNhe bznkezQ2qz9bUWMfPKIINDj2sGXqlDpNag+h/o2sWY2AmfZdxM4n3PF3rzH4h+uI7dxXxOYs+pH Ix1njPzyfKfkc7AGB7IAeFfeaypDup3EP9BwtO/o08XsxFJh7TXnCjI8t9jWRH7TlULWGGzEMwi qHAVBCZn37VQFgvSY1tUrB4XMF2YpnUNIbrjoOxfiA/rhNoUbgTmf4sxQ0mkCGwliFomubKItl6 1J/yRqQeFbBnmmV4E9s12Gvf50E8MoXbRXBnwMG6feTLjAgY2R+Fn+Zib2rEHfaj14Zyf+K1r6Y /VHIA/3R8k/14e0=
X-TMASE-SNAP-Result: 1.821001.0001-0-1-22:0,33:0,34:0-0
X-TMASE-INERTIA: 0-0;;;;
X-TMASE-XGENCLOUD: 8ed527e1-2491-458a-af3c-2855ddd6d960-0-0-200-0
Message-ID-Hash: ZEE6SGCHHBHAOWHMDPZWUUWIJC2LCX3T
X-Message-ID-Hash: ZEE6SGCHHBHAOWHMDPZWUUWIJC2LCX3T
X-MailFrom: mohamed.boucadair@orange.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-tls.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: The IESG <iesg@ietf.org>, "draft-ietf-tls-rfc8447bis@ietf.org" <draft-ietf-tls-rfc8447bis@ietf.org>, TLS Chairs <tls-chairs@ietf.org>, TLS List <tls@ietf.org>
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [TLS] Re: Mohamed Boucadair's Yes on draft-ietf-tls-rfc8447bis-12: (with COMMENT)
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/PMRQhw1jCjFqNPAOxu6z47YTaoQ>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Owner: <mailto:tls-owner@ietf.org>
List-Post: <mailto:tls@ietf.org>
List-Subscribe: <mailto:tls-join@ietf.org>
List-Unsubscribe: <mailto:tls-leave@ietf.org>
Hi Sean, Thanks for the follow-up. I also checked iddiff?url1=draft-ietf-tls-rfc8447bis-12&url2=draft-ietf-tls-rfc8447bis-13, the changes look good to me. Thank you. Cheers, Med De : Sean Turner <sean@sn3rd.com> Envoyé : mercredi 28 mai 2025 22:00 À : BOUCADAIR Mohamed INNOV/NET <mohamed.boucadair@orange.com> Cc : The IESG <iesg@ietf.org>; draft-ietf-tls-rfc8447bis@ietf.org; TLS Chairs <tls-chairs@ietf.org>; TLS List <tls@ietf.org>; Deirdre Connolly <durumcrustulum@gmail.com> Objet : Re: Mohamed Boucadair's Yes on draft-ietf-tls-rfc8447bis-12: (with COMMENT) Thanks for your careful read. I created an issue for your comments: https://github.com/tlswg/rfc8447bis/issues/85 and a PR to address them: https://github.com/tlswg/rfc8447bis/pulls/86<https://github.com/tlswg/rfc8447bis/issues/85> tl;dr: we incorporated most of your suggestions. More below. On May 18, 2025, at 07:52, Mohamed Boucadair via Datatracker <noreply@ietf.org<mailto:noreply@ietf.org>> wrote: Mohamed Boucadair has entered the following ballot position for draft-ietf-tls-rfc8447bis-12: Yes When responding, please keep the subject line intact and reply to all email addresses included in the To and CC lines. (Feel free to cut this introductory paragraph, however.) Please refer to https://www.ietf.org/about/groups/iesg/statements/handling-ballot-positions/ for more information about how to handle DISCUSS and COMMENT positions. The document, along with other ballot positions, can be found here: https://datatracker.ietf.org/doc/draft-ietf-tls-rfc8447bis/ ---------------------------------------------------------------------- COMMENT: ---------------------------------------------------------------------- Hi Joe and Sean, Thank you for the effort put into this specification. This maintenance effort is really important from an OPS standpoint. As rightfully discussed in the spec, the registry may "lag behind the most recent advances in cryptanalysis", but that risk can't be nullified especially given the process time to transition some values. Thanks to Giuseppe Fioccola for the OPSDIR review and for the authors for engaging and converging. Please find below some comments: # Meta comment I understand this is an update not a bis, but the discussion in the write-up confuses me a bit. # Updates Duplication/Updates Inheritance We have the following: CURRENT: Updates: 3749, 5077, 4680, 5246, 5705, 5878, S. Turner 6520, 7301, 8447 (if approved) sn3rd ... This document updates the following RFCs: 3749, 5077, 4680, 5246, 5705, 5878, 6520, 7301, and 8447. Except the mention of 8447 (which is justified), all other entries were already updated by 8447. Unless there are new updates in this new iteration (which I fail to tag), the other updates are already anchored in 8447 and do not to be repeated here. Did I miss something here? spt: Makes sense to me; see: https://github.com/tlswg/rfc8447bis/pull/86<https://github.com/tlswg/rfc8447bis/pull/84> # TLS registries CURRENT: This document instructs IANA to make changes to a number of the IANA registries I suggest to add pointers to these registries. This is even important, especially that the IANA registries are authoritative in this context. I had to search for those when reviewing the document. Having readily-available pointers (not only here, but also when discussing individual registries) is convenient for readers, especially that these are not in the same location, e.g., * https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml * https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml BTW, we may explicit this is about TLS registries. OLD: This document instructs IANA to make changes to a number of the IANA registries NEW: This document instructs IANA to make changes to a number of IANA TLS registries .. # Section 1: IANA Note CURRENT: | NOTE for IANA: This document specifies changes to the registry | to update the changes made in [RFC8447]. Do we expect this note to stay in the final RFC? I don't see how this is useful for readers once the doc is published as an RFC. Consider adding a note to the RFC editor to remove this. spt: Since the section headings include the names of the registries in most places, how about we make sure they all include registry and then people can use the ToC as the pointer. As for the specific change to add "TLS", the remainder of the sentence qualifies which registries; I think this would be weird: This document instructs IANA to make changes to a number of IANA TLS registries related to Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS). see: https://github.com/tlswg/rfc8447bis/pull/84 # Section 1: List of changes CURRENT: This specification updates the "Recommended" column in TLS registries to define a third value "D" for items that are discouraged. Should we also mention the other change about the comment column? At least the abstract/intro should be in sync on the list of changes. spt: Sure; see: https://github.com/tlswg/rfc8447bis/pull/86<https://github.com/tlswg/rfc8447bis/pull/84> # Section 3: Adding "Recommended" Column This update is not about adding a new column, but updating permitted values. I would update the title to reflect the update. You may consider, for example: OLD: Adding "Recommended" Column NEW: Updating Permitted Value in "Recommended" Column spt: Sure; see: https://github.com/tlswg/rfc8447bis/pull/86<https://github.com/tlswg/rfc8447bis/pull/84> # Section 3: Check on "Y"/"N" Value and applicability of a mechanism RFC8447 used to have: "This table has been generated by marking Standards Track RFCs as "Y" and all others as "N".". That guidance seems "mechanical" to me. This document seems to have a slightly modified guidance as it says: CURRENT: Y: Indicates that the IETF has consensus that the item is RECOMMENDED. This only means that the associated mechanism is fit for the purpose for which it was defined. Careful reading of the documentation for the mechanism is necessary to understand the applicability of that mechanism. The IETF could recommend mechanisms that have limited applicability, but will provide applicability statements that describe any limitations of the mechanism or necessary constraints on its use. Does this mean that all "Y" have been checked based on "Careful reading .." and their applicability is called? spt: We went through every one with the WG. I'm asking this question, especially that we also have the following under "N": CURRENT: The IETF might have consensus to leave an items marked as "N" on the basis of its having limited applicability or usage constraints. # Section 3: Why Implementers only? What about those who will make use of a mechanism? ## Consider mention users as well CURRENT: Implementers SHOULD consult the ... Any reason why users are not listed here? The wording in the Security Section is better IMO as it covers both: "Implementers and users need to check that..." spt: Sure; see: https://github.com/tlswg/rfc8447bis/pull/86<https://github.com/tlswg/rfc8447bis/pull/84> ## I see the intent here for the use of normative language "SHOULD", but we can't actually enforce this. spt: Correct. ## Explicit "it" + avoid confusion about the use of normative language Maybe: OLD: conditions under which it SHOULD NOT or MUST NOT be used. NEW: conditions under which an item "SHOULD NOT" or "MUST NOT" be used. spt: Eh, I can see the flip side where people like does that mean something different when it's quoted. But, we fixed the "it" problem. See: https://github.com/tlswg/rfc8447bis/pull/86<https://github.com/tlswg/rfc8447bis/pull/84> # Section 3.1: picky CURRENT: For the registries discussed in the subsequent sections this note is updated with a sentence describing the "D" value as follows: Agree. The wording of the first sentence is also tweaked, but the meaning is same as in the registry, though. IANA registry has the following: If an item is not marked as "Recommended", it does not necessarily mean that it is flawed; rather, it indicates that the item either has not been through the IETF consensus process, has limited applicability, or is intended only for specific use cases. spt: We want to keep the "N" in there and we'd like to keep it parallel to the 2nd sentence. # IESG Approval is also covered by 8126! There many occurrences in the doc where 8126 is systematically provided as reference to Standard action only. Please consider updating all these occurrences as follows: OLD: Setting a value to "Y" or "D" or transitioning the value from "Y" or "D" in the "Recommended" column requires IETF Standards Action [RFC8126] or IESG Approval. NEW: Setting a value to "Y" or "D" or transitioning the value from "Y" or "D" in the "Recommended" column requires IETF Standards Action (Section 4.9 of [RFC8126]) or IESG Approval (Section 4.10 of [RFC8126]). spt: We will move the reference to the end of the sentences; see: https://github.com/tlswg/rfc8447bis/pull/86<https://github.com/tlswg/rfc8447bis/pull/84> # "IANA SHALL ..." constructs Like other uses in an IANA consideration sections, the normative language is not justified to request an action. Please consider making these changes (many occurrences) OLD: IANA SHALL NEW: IANA is requested OLD: A reference to this document SHALL be added to these entries. NEW: IANA is requested to add a reference to this document for these entries. spt: Sure; see https://github.com/tlswg/rfc8447bis/pull/86. I will note we did this in the pre-RFC 8447 specification and it was all fine. # Section 5: nits OLD: Cipher suites marked as anon do not provide any authentication and are vulnerable to man-in-the-middle attacks and are deprecated NEW: Ciphersuites marked as anon do not provide any authentication and are vulnerable to on-path attacks and are deprecated spt: Sure; see https://github.com/tlswg/rfc8447bis/pull/86. # Section 8: nit OLD: the the TLS Certificate Types NEW: the TLS Certificate Types # Section 9: use the IANA registry name OLD: TLS HashAlgorithm Registry registry NEW: TLS HashAlgorithm registry spt: Sure; see https://github.com/tlswg/rfc8447bis/pull/86. # Section 10: nit OLD: SignatureAlgorithm registry registry NEW: SignatureAlgorithm registry spt: Sure; see https://github.com/tlswg/rfc8447bis/pull/86. # Section 11: Use the IANA registry name (several occurrences to fix) OLD: TLS ClientCertificateType Identifier registry NEW: TLS ClientCertificateType Identifiers registry spt: Sure; see https://github.com/tlswg/rfc8447bis/pull/86. # Section 13: Lack of recommended note, intentional? Is it OK that there is no note on the recommended column in this IANA registry, while a recommended column is present? is the new note in 3.1 apply here as well? spt: Whoops we need to add that; see https://github.com/tlswg/rfc8447bis/pull/86. # Section 15: standard CURRENT: The intent of the Specification Required standard What does this mean? Do we meant registration policy? Please reword. Thanks. spt: Will replace "standard" with "choice"; see https://github.com/tlswg/rfc8447bis/pull/86. # Section 16: WG CURRENT: The change to Specification Required from IETF Review lowers the amount of review provided by the WG for cipher suites and supported groups. This change reflects reality in that the WG essentially provided no cryptographic review of the cipher suites or supported groups. This was especially true of national cipher suites. Which WG? I guess you mean "TLS WG". This is confusing especially that the document reflect an IETF consensus, not a specific WG. spt: We are providing the history of why the change was made. Maybe we could do: The change to Specification Required from IETF Review lowers the amount of review provided for cipher suites and supported groups. This change reflects reality in that the TLS WG essentially provided no cryptographic review of the cipher suites or supported groups. This was especially true of national cipher suites. See https://github.com/tlswg/rfc8447bis/pull/86. Cheers, spt ____________________________________________________________________________________________________________ Ce message et ses pieces jointes peuvent contenir des informations confidentielles ou privilegiees et ne doivent donc pas etre diffuses, exploites ou copies sans autorisation. Si vous avez recu ce message par erreur, veuillez le signaler a l'expediteur et le detruire ainsi que les pieces jointes. Les messages electroniques etant susceptibles d'alteration, Orange decline toute responsabilite si ce message a ete altere, deforme ou falsifie. Merci. This message and its attachments may contain confidential or privileged information that may be protected by law; they should not be distributed, used or copied without authorisation. If you have received this email in error, please notify the sender and delete this message and its attachments. As emails may be altered, Orange is not liable for messages that have been modified, changed or falsified. Thank you.
- [TLS] Mohamed Boucadair's Yes on draft-ietf-tls-r… Mohamed Boucadair via Datatracker
- [TLS] Re: Mohamed Boucadair's Yes on draft-ietf-t… Sean Turner
- [TLS] Re: Mohamed Boucadair's Yes on draft-ietf-t… mohamed.boucadair