Re: [TLS] uta-tls-bcp-02 thoughts (was: NULL cipher to become a MUST NOT in UTA BCP)
"Blumenthal, Uri - 0558 - MITLL" <uri@ll.mit.edu> Thu, 04 September 2014 15:58 UTC
Return-Path: <prvs=43240d543b=uri@ll.mit.edu>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CAA741A048E for <tls@ietfa.amsl.com>; Thu, 4 Sep 2014 08:58:48 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.866
X-Spam-Level:
X-Spam-Status: No, score=-4.866 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, MIME_QP_LONG_LINE=0.001, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.668, UNPARSEABLE_RELAY=0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RG_hHucju-Dv for <tls@ietfa.amsl.com>; Thu, 4 Sep 2014 08:58:46 -0700 (PDT)
Received: from mx2.ll.mit.edu (MX2.LL.MIT.EDU [129.55.12.46]) by ietfa.amsl.com (Postfix) with ESMTP id 4D0181A898C for <tls@ietf.org>; Thu, 4 Sep 2014 08:58:37 -0700 (PDT)
Received: from LLE2K10-HUB01.mitll.ad.local (LLE2K10-HUB01.mitll.ad.local) by mx2.ll.mit.edu (unknown) with ESMTP id s84Fw6DT031746; Thu, 4 Sep 2014 11:58:35 -0400
From: "Blumenthal, Uri - 0558 - MITLL" <uri@ll.mit.edu>
To: "tls@ietf.org" <tls@ietf.org>
Thread-Topic: [TLS] uta-tls-bcp-02 thoughts (was: NULL cipher to become a MUST NOT in UTA BCP)
Thread-Index: AQHPyAOfhY9yOKVSV0esrbBtR0n385vxIcGA
Date: Thu, 04 Sep 2014 15:57:55 +0000
Message-ID: <D02E021A.19949%uri@ll.mit.edu>
References: <54048985.1020005@net.in.tum.de> <CAMeZVwtQ09B6Ero2C=75m5JdAYnEAENNcESd_gg_Ro2UhA9dyA@mail.gmail.com> <3EB754B7-F6B2-4207-A2F0-E61F32EE1E40@ll.mit.edu> <54075016.6040406@net.in.tum.de> <20140903174958.GF14392@mournblade.imrryr.org> <5407574B.5060708@net.in.tum.de> <9120B6EE-F023-4724-9116-A169993F58E8@ll.mit.edu> <CAMeZVwu1xaAmxUBp5zO1YXCEUSnr=6FiKr8A_WfVUAzLZBb8mA@mail.gmail.com> <20140904054642.GV14392@mournblade.imrryr.org>
In-Reply-To: <20140904054642.GV14392@mournblade.imrryr.org>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/14.4.3.140616
x-originating-ip: [172.25.177.187]
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha256"; boundary="B_3492676633_35324046"
MIME-Version: 1.0
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:5.12.52, 1.0.27, 0.0.0000 definitions=2014-09-04_03:2014-09-04,2014-09-04,1970-01-01 signatures=0
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 spamscore=0 suspectscore=0 phishscore=0 adultscore=0 bulkscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=7.0.1-1402240000 definitions=main-1409040145
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/qdhyR9V1QH2T7zoQ0gN_JGF8PqY
Cc: "barryleiba@computer.org" <barryleiba@computer.org>
Subject: Re: [TLS] uta-tls-bcp-02 thoughts (was: NULL cipher to become a MUST NOT in UTA BCP)
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 04 Sep 2014 15:58:49 -0000
YES to what Viktor said. And I think this draft shows systemic problems. Instead of trying (and IMHO failing) to define configurations for some questionable “broad, generic” etc., it would be FAR better to define SPECIFIC cases where your this document’s recommendations DO apply. IMHO this document will NOT be useful otherwise, and SHOULD NOT be published without such a change. -- Regards, Uri Blumenthal Voice: (781) 981-1638 On 9/4/14, 1:46 , "Viktor Dukhovni" <ietf-dane@dukhovni.org> wrote: >On Thu, Sep 04, 2014 at 01:39:15PM +0900, Yutaka OIWA wrote: > >> > What you probably want to specify here is ?SHOULD NOT?. >> >> In my opinion, it shall absolutely be "MUST NOT" for >> "generic use cases" for which the document is applicable. >> >> But it's UTA BCP document, and it's very important to >> say "MUST NOT for general applications" here. > >I'd like to respond to the UTA draft more broadly, please feel free >to forward or not to the UTA list (sorry, no cycles to actively >engage in yet another IETF list). > >I am perplexed by the following from the draft's introduction: > > The recommendations herein take into consideration the security of > various mechanisms, their technical maturity and interoperability, > and their prevalence in implementations at the time of writing. > These recommendations apply to both TLS and DTLS. TLS 1.3, when it > is standardized and deployed in the field, should resolve the current > vulnerabilities while providing significantly better functionality, > and will very likely obsolete this document. > >If the document provides only "general application" guidance, that >does not cover all TLS use-cases, then likely TLS 1.3 will include >features that fall outside the general use-cases, and thus the >document would continue to provide relevant general-case guidelines >even with TLS 1.3 widely deployed. > >The introduction then goes on to state: > > These are minimum recommendations for the general use of TLS. > Individual specifications may have stricter requirements related to > one or more aspects of the protocol, based on their particular > circumstances. When that is the case, implementers MUST adhere to > those stricter requirements. > >What about specifications that might call for less strict requirements? > >In section 3.5 I am puzzled by the following text: > > If TLS session resumption is used, care ought to be taken to do so > safely. In particular, the resumption information (either session > IDs [RFC5246] or session tickets [RFC5077]) MUST be authenticated and > encrypted to prevent modification or eavesdropping by an attacker. > >I am entirely unaware of the practice of encryption and authentication >of session IDs. What is this about? Even session tickets are not >"authenticated", rather they might be vended by a server as part >of an authenticated session. Returning to session IDs, these are just >server-side nonces, what does it mean that they should be authenticated, >and are they in fact (with TLS <= 1.2) even encrypted? > >The recommendations for session ticket key rotation are I think >too meek. They seem to be predicated on the notion that such >rotation is some sort of externally managed task, automated via >something akin to a cron job, where weekly rotation is about the >right granularity. I'd like to suggest that session ticket key >rotation SHOULD be a fully automated intrinsic component of the >server application and server keys should not last much longer than >sessions, a matter of minutes or hours not days. Key rotation >should happen transparently while the application is running, >without requiring restarts, and ideally without ever explicitly >writing keys to persistent storage. Yes, this would be an aspirational >part of the BCP, as few applications have this capability at present. > >For section 4.1, in light of the scope of section 4, the simplest >solution is to suppress NULL cipher suites when any non-NULL cipher >suites are configured. This avoids accidents, without prohibiting >deliberate NULL-only configurations. > >For SMTP, RC4-SHA and RC4-MD5 is the only cipher suites that >interoperate with Exchange 2003 servers, which are still handling >mail for a small, but non-negligible number of domains. In fact >these same servers only work if RC4 is among the first 64 cipher >suites sent by the client, but with TLS 1.2, and all its new cipher >suites that's often not the case. Are we really better off >prohibiting RC4? Would it not suffice for servers to stop preferring >RC4 (as was common with many HTTPS servers), and then stronger >choices are automatically selected except with sites that only >support RC4? > >It would be more helpful (and more interoperable) to specify a >short list of "must implement" cipher suites, which SHOULD be >preferred over the legacy ones, than to try to prohibit weaker >cipher suites that are required for interoperability with older >systems. Thus also MUST NOT or SHOULD NOT with EXPORT and 3DES >cipher suites is less useful than promoting more secure alternatives. > >The draft in fact recommends four best practice cipher suites which >should be preferred over the NOT RECOMMENDED weaker options. > >In section 6.1, the draft refers hostname verification to 6125, >but 6125 contains little useful guidance for application protocols >in which the server hostname is obtained indirectly via typically >unauthenticated DNS SRV or MX records. In such protocols, the >server name is not a viable reference identity. Some mention of >the issue may be appropriate. > > >http://tools.ietf.org/html/draft-ietf-dane-smtp-with-dane-12#section-1.3.2 > >-- > Viktor. > >_______________________________________________ >TLS mailing list >TLS@ietf.org >https://www.ietf.org/mailman/listinfo/tls
- [TLS] NULL cipher to become a MUST NOT in UTA BCP Ralph Holz
- Re: [TLS] NULL cipher to become a MUST NOT in UTA… Blumenthal, Uri - 0558 - MITLL
- Re: [TLS] NULL cipher to become a MUST NOT in UTA… Viktor Dukhovni
- Re: [TLS] NULL cipher to become a MUST NOT in UTA… Paul Hoffman
- Re: [TLS] NULL cipher to become a MUST NOT in UTA… Salz, Rich
- Re: [TLS] NULL cipher to become a MUST NOT in UTA… Viktor Dukhovni
- Re: [TLS] NULL cipher to become a MUST NOT in UTA… Blumenthal, Uri - 0558 - MITLL
- Re: [TLS] NULL cipher to become a MUST NOT in UTA… Ralph Holz
- Re: [TLS] NULL cipher to become a MUST NOT in UTA… Ralph Holz
- Re: [TLS] NULL cipher to become a MUST NOT in UTA… Viktor Dukhovni
- Re: [TLS] NULL cipher to become a MUST NOT in UTA… Viktor Dukhovni
- Re: [TLS] NULL cipher to become a MUST NOT in UTA… Paul Lambert
- Re: [TLS] NULL cipher to become a MUST NOT in UTA… Bodo Moeller
- Re: [TLS] NULL cipher to become a MUST NOT in UTA… Blumenthal, Uri - 0558 - MITLL
- Re: [TLS] NULL cipher to become a MUST NOT in UTA… Nico Williams
- Re: [TLS] NULL cipher to become a MUST NOT in UTA… Nikos Mavrogiannopoulos
- Re: [TLS] NULL cipher to become a MUST NOT in UTA… Yutaka OIWA
- Re: [TLS] NULL cipher to become a MUST NOT in UTA… Blumenthal, Uri - 0558 - MITLL
- Re: [TLS] NULL cipher to become a MUST NOT in UTA… Ralph Holz
- Re: [TLS] NULL cipher to become a MUST NOT in UTA… Viktor Dukhovni
- Re: [TLS] NULL cipher to become a MUST NOT in UTA… Ralph Holz
- Re: [TLS] NULL cipher to become a MUST NOT in UTA… Blumenthal, Uri - 0668 - MITLL
- Re: [TLS] NULL cipher to become a MUST NOT in UTA… Viktor Dukhovni
- Re: [TLS] NULL cipher to become a MUST NOT in UTA… Geoffrey Keating
- Re: [TLS] NULL cipher to become a MUST NOT in UTA… Blumenthal, Uri - 0668 - MITLL
- Re: [TLS] NULL cipher to become a MUST NOT in UTA… Ralph Holz
- Re: [TLS] NULL cipher to become a MUST NOT in UTA… Ralph Holz
- Re: [TLS] NULL cipher to become a MUST NOT in UTA… Nico Williams
- Re: [TLS] NULL cipher to become a MUST NOT in UTA… Ralph Holz
- Re: [TLS] NULL cipher to become a MUST NOT in UTA… Nico Williams
- Re: [TLS] NULL cipher to become a MUST NOT in UTA… Ralph Holz
- Re: [TLS] NULL cipher to become a MUST NOT in UTA… Nico Williams
- Re: [TLS] NULL cipher to become a MUST NOT in UTA… Ralph Holz
- Re: [TLS] NULL cipher to become a MUST NOT in UTA… Blumenthal, Uri - 0668 - MITLL
- Re: [TLS] NULL cipher to become a MUST NOT in UTA… Ralph Holz
- Re: [TLS] NULL cipher to become a MUST NOT in UTA… Blumenthal, Uri - 0558 - MITLL
- Re: [TLS] NULL cipher to become a MUST NOT in UTA… Yutaka OIWA
- [TLS] uta-tls-bcp-02 thoughts (was: NULL cipher t… Viktor Dukhovni
- Re: [TLS] NULL cipher to become a MUST NOT in UTA… Bodo Moeller
- Re: [TLS] NULL cipher to become a MUST NOT in UTA… Yutaka OIWA
- Re: [TLS] NULL cipher to become a MUST NOT in UTA… Nico Williams
- Re: [TLS] NULL cipher to become a MUST NOT in UTA… Blumenthal, Uri - 0558 - MITLL
- Re: [TLS] uta-tls-bcp-02 thoughts (was: NULL ciph… Blumenthal, Uri - 0558 - MITLL
- Re: [TLS] uta-tls-bcp-02 thoughts (was: NULL ciph… Nico Williams
- Re: [TLS] uta-tls-bcp-02 thoughts (was: NULL ciph… Blumenthal, Uri - 0558 - MITLL
- Re: [TLS] uta-tls-bcp-02 thoughts Ralph Holz
- Re: [TLS] uta-tls-bcp-02 thoughts Blumenthal, Uri - 0558 - MITLL
- Re: [TLS] uta-tls-bcp-02 thoughts Ralph Holz
- Re: [TLS] uta-tls-bcp-02 thoughts (was: NULL ciph… Barry Leiba
- Re: [TLS] NULL cipher to become a MUST NOT in UTA… Bill Frantz
- Re: [TLS] NULL cipher to become a MUST NOT in UTA… Daniel Kahn Gillmor
- Re: [TLS] NULL cipher to become a MUST NOT in UTA… Bodo Moeller
- Re: [TLS] NULL cipher to become a MUST NOT in UTA… Ralph Holz
- Re: [TLS] NULL cipher to become a MUST NOT in UTA… Manuel Pégourié-Gonnard
- Re: [TLS] NULL cipher to become a MUST NOT in UTA… Viktor Dukhovni
- Re: [TLS] NULL cipher to become a MUST NOT in UTA… Manuel Pégourié-Gonnard
- Re: [TLS] NULL cipher to become a MUST NOT in UTA… Ralph Holz
- Re: [TLS] NULL cipher to become a MUST NOT in UTA… Ilari Liusvaara
- Re: [TLS] NULL cipher to become a MUST NOT in UTA… Nico Williams
- Re: [TLS] NULL cipher to become a MUST NOT in UTA… Blumenthal, Uri - 0668 - MITLL
- Re: [TLS] NULL cipher to become a MUST NOT in UTA… Ralph Holz
- Re: [TLS] NULL cipher to become a MUST NOT in UTA… Bodo Moeller
- Re: [TLS] NULL cipher to become a MUST NOT in UTA… Viktor Dukhovni