Re: [TLS] Fwd: New Version Notification for draft-sheffer-tls-bcp-00.txt

Yaron Sheffer <yaronf.ietf@gmail.com> Mon, 09 September 2013 20:07 UTC

Message-ID: <522E2A31.7090108@gmail.com>
Date: Mon, 09 Sep 2013 23:06:09 +0300
From: Yaron Sheffer <yaronf.ietf@gmail.com>
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>
References: <20130907224638.32356.96972.idtracker@ietfa.amsl.com> <522C3497.9020301@gmail.com> <522DE4D2.4020403@cs.tcd.ie>
In-Reply-To: <522DE4D2.4020403@cs.tcd.ie>
Cc: tls@ietf.org
Subject: Re: [TLS] Fwd: New Version Notification for draft-sheffer-tls-bcp-00.txt

Hi Stephen,

thanks for your review. Please see comments inline.

	Yaron

On 09/09/2013 06:10 PM, Stephen Farrell wrote:
>
> Hi Yaron,
>
> Thanks for doing this. I hope the WG adopt this and
> process it quickly.

So do I. This document will become way more valuable if the WG adopts it.

>
> A few comments:
>
> 1) Given recent news, I think section 2 should describe why
> PFS is a good thing and should say a bit about how server
> private keys can be exposed (e.g. someone hacks into
> server and copies a private key file, or gets keys from
> a decommissioned server), and the consequences that flow
> if non-PFS ciphersuites are used.

Agree.

>
> 2) I think an appendix or section that shows how to configure
> a server to prefer whatever ciphersuite configurations end
> up as recommended would be very valuable. I realise that that
> would be server specific but it should be easy enough to get
> for the most popular server or the two most popular. While
> that information is already available on the web, and will
> go out of date, it's finicky stuff so it'd be good to make
> all this easier for a site admin who reads the RFC in
> the next couple of years.
>

I'm not crazy about including Apache directives in an RFC. More 
importantly, I believe this is more about the client offering the right 
ciphersuite in a high enough place than about the server, which normally 
must support any client that comes along.

> 3) Similarly, saying how to turn off ciphersuites that you
> don't want and which those are might be useful.

This is a security vs. inclusiveness tradeoff. Even if we tell people to 
turn off RC4 on the server, they won't.

>
> 4) I also think it'd be good to give recommendations for
> older versions of TLS (and maybe SSL) that are still
> widely deployed, even though TLS 1.2 will have better
> options and the overall recommendation is to use a
> 1.2 ciphersuite.

I wish I knew what to recommend for <1.2. Any ideas?

>
> 5) I agree with the point raised by Patrick that some
> guidance about reasonable key lengths/strengths would
> be good where it's needed. I'd be ok with that being in
> the non-normative bit where you show how to configure
> stuff and/or in the security considerations.

Agree. My current thinking, based on today's discussion, is 2048 bits 
for both DH and RSA.

>
> Some text related to a number of the above points can be
> found via the links in a mail that Patrick Pelletier [1]
> sent to the perpass list.
>
> Cheers,
> S.
>
> [1] http://www.ietf.org/mail-archive/web/perpass/current/msg00062.html
>
>
> On 09/08/2013 09:25 AM, Yaron Sheffer wrote:
>> This is an early version of my proposal for a BCP-like document, to
>> inform the industry on what can be done with existing implementations,
>> while TLS 1.3 is still not ready.
>>
>> I would appreciate your comments of course. Specifically,
>> I would like to fill in the Implementation Status table (Sec. 5) and
>> would be glad to receive solid information (dates, planned dates,
>> version numbers) from implementers.
>>
>> Thanks,
>>      Yaron
>>
>> -------- Original Message --------
>> Subject: New Version Notification for draft-sheffer-tls-bcp-00.txt
>> Date: Sat, 07 Sep 2013 15:46:38 -0700
>> From: internet-drafts@ietf.org
>> To: Yaron Sheffer <yaronf.ietf@gmail.com>
>>
>>
>> A new version of I-D, draft-sheffer-tls-bcp-00.txt
>> has been successfully submitted by Yaron Sheffer and posted to the
>> IETF repository.
>>
>> Filename:     draft-sheffer-tls-bcp
>> Revision:     00
>> Title:         Recommendations for Secure Use of TLS and DTLS
>> Creation date:     2013-09-08
>> Group:         Individual Submission
>> Number of pages: 8
>> URL: http://www.ietf.org/internet-drafts/draft-sheffer-tls-bcp-00.txt
>> Status:          http://datatracker.ietf.org/doc/draft-sheffer-tls-bcp
>> Htmlized:        http://tools.ietf.org/html/draft-sheffer-tls-bcp-00
>>
>>
>> Abstract:
>>     Over the last few years there have been several serious attacks on
>>     TLS, including attacks on its most commonly used ciphers and modes of
>>     operation.  This document offers recommendations on securely using
>>     the TLS and DTLS protocols, given existing standards and
>>     implementations.
>>
>>
>>
>>
>>
>> Please note that it may take a couple of minutes from the time of
>> submission
>> until the htmlized version and diff are available at tools.ietf.org.
>>
>> The IETF Secretariat
>>
>>
>>
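
The criteria discussed in this thread (forward-secret suites placed ahead of the others in the offered order, RC4 suites called out, 2048 bits for both DH and RSA) can be checked mechanically. The following is an added example, not part of the original message or of draft-sheffer-tls-bcp; the function names and sample offer are constructed, and it assumes OpenSSL-style suite names for TLS 1.2 and earlier.

```python
# Added example: names and sample values are constructed, not from the draft.
MIN_BITS = 2048                         # figure floated in the thread for DH and RSA
EPHEMERAL_KX = {"ECDHE", "DHE", "EDH"}  # authenticated ephemeral key exchange


def classify(suite):
    """Classify an OpenSSL-style TLS <= 1.2 suite name by its '-' separated parts."""
    parts = suite.upper().split("-")
    return {
        "suite": suite,
        # Plain RSA and static (EC)DH are not forward secret; anonymous
        # ADH/AECDH suites are deliberately not accepted here either.
        "pfs": parts[0] in EPHEMERAL_KX,
        "dhe": parts[0] in {"DHE", "EDH"},
        "rc4": "RC4" in parts,
    }


def audit_offer(offered, rsa_bits=None, dh_bits=None):
    """Audit a preference-ordered suite list; return a list of findings."""
    info = [classify(s) for s in offered]
    findings = []
    first_pfs = next((i for i, c in enumerate(info) if c["pfs"]), None)
    if first_pfs is None:
        findings.append("no forward-secret suite offered")
    elif first_pfs > 0:
        findings.append(
            f"non-PFS suite {offered[0]} preferred over {offered[first_pfs]}")
    findings += [f"RC4 suite offered: {c['suite']}" for c in info if c["rc4"]]
    if rsa_bits is not None and rsa_bits < MIN_BITS:
        findings.append(f"RSA key is {rsa_bits} bits, below {MIN_BITS}")
    # The DH group size only matters if a finite-field DHE suite can be chosen.
    if dh_bits is not None and dh_bits < MIN_BITS and any(c["dhe"] for c in info):
        findings.append(f"DH group is {dh_bits} bits, below {MIN_BITS}")
    return findings


if __name__ == "__main__":
    # Constructed sample offer, in preference order.
    sample = ["RC4-SHA", "AES128-SHA", "ECDHE-RSA-AES128-GCM-SHA256",
              "DHE-RSA-AES128-SHA"]
    for finding in audit_offer(sample, rsa_bits=2048, dh_bits=1024):
        print(finding)
```
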