Re: [TLS] AD Review of draft-ietf-tls-tls13

Viktor Dukhovni <ietf-dane@dukhovni.org> Mon, 22 May 2017 17:17 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/o7f0h6_beaAZLx8fR8RtRVX3rbc>

> On May 22, 2017, at 1:06 PM, Benjamin Kaduk <bkaduk@akamai.com> wrote:
> 
> Given the apparent strength of opinion against removing these supposed restrictions entirely, it seems like this text (or something similar) is probably the best we can do.

Perhaps so, but I saw only one strong objection from Dave Garrett.  Is that
sufficient for "apparent strength of opinion"?  Removal is simpler, and it
sure does not look like people are determined to continue to support MD5
and SHA-1 in certificates, but would be willing to relent if TLS 1.3 told
them not to.  Isn't the language in question tackling a non-problem?

That said, if the only way to rough consensus is a properly qualified
requirement to not rely on such certificate signatures for authentication,
(rather than must hang up with a fatal alert when you see these, must not
send these, ...) then I'll go along with a compromise.

-- 
	Viktor.