[TLS] Fwd: Stephen Farrell's Discuss on draft-ietf-tsvwg-sctp-dtls-encaps-08: (with DISCUSS and COMMENT)
Stephen Farrell <stephen.farrell@cs.tcd.ie> Mon, 19 January 2015 20:56 UTC
Message-ID: <54BD6F88.3080703@cs.tcd.ie>
Date: Mon, 19 Jan 2015 20:56:40 +0000
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
To: "tls@ietf.org" <tls@ietf.org>
References: <20150119204811.4569.95820.idtracker@ietfa.amsl.com>
In-Reply-To: <20150119204811.4569.95820.idtracker@ietfa.amsl.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/tnZUEbhf2752N7AQrQi66cFBuHs>
Subject: [TLS] Fwd: Stephen Farrell's Discuss on draft-ietf-tsvwg-sctp-dtls-encaps-08: (with DISCUSS and COMMENT)
Hiya,

Please see my DISCUSS on a document below - the interesting question relates to which version of DTLS to mandate for WebRTC in general, as I think once this document is done, others will just copy the relevant text. I don't think there are any major security issues involved, but that this is more to do with implementations. But I'd welcome any opinions or information about any important security differences or about whether or not current implementations mean DTLS1.2 should be ok to mandate here today or not.

I've set reply-to as my address and not the TLS list as I don't think the TLS WG need to debate this much and I'm really just checking, so please don't bother the WG list unless there's a real point of interest for the WG.

And to repeat: I'm just checking more thoroughly than usual on this one since this will I think set a precedent for WebRTC.

Feedback is also needed by this Thursday 22nd to be useful. Sorry about that but thanks in advance if you do manage to send some:-)

Thanks,
S.

-------- Forwarded Message --------
Subject: Stephen Farrell's Discuss on draft-ietf-tsvwg-sctp-dtls-encaps-08: (with DISCUSS and COMMENT)
Date: Mon, 19 Jan 2015 12:48:11 -0800
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
To: The IESG <iesg@ietf.org>
CC: Gorry Fairhurst <gorry@erg.abdn.ac.uk>

Stephen Farrell has entered the following ballot position for draft-ietf-tsvwg-sctp-dtls-encaps-08: Discuss

When responding, please keep the subject line intact and reply to all email addresses included in the To and CC lines. (Feel free to cut this introductory paragraph, however.)

Please refer to http://www.ietf.org/iesg/statement/discuss-criteria.html for more information about IESG DISCUSS and COMMENT positions.

The document, along with other ballot positions, can be found here: http://datatracker.ietf.org/doc/draft-ietf-tsvwg-sctp-dtls-encaps/

----------------------------------------------------------------------
DISCUSS:
----------------------------------------------------------------------

I'll clear once we've checked on this.

Section 5 says DTLS1.0 (from 2006) is MTI and DTLS1.2 (2012) is a SHOULD. I could imagine that being reasonable when DTLS1.2 was newish, say when this work was getting started 2 years ago, but now a couple of years have passed, it might well be just fine to require DTLS1.2 - a lot has happened since and TLS1.2 deployment is now far ahead of where it was in 2012, and most specs have tended to include text like this because some implementers only had the older TLS version. So the DISCUSS is - is the 9 year old RFC still needed as MTI - can we not just say to use 1.2 now?

(Note: since this is sort-of a WebRTC spec, I think it's worth quickly re-visiting this question now to be sure we're taking the right approach, as the answer we pick here is quite likely to be followed by other WebRTC docs over the next year or so. I think this is the first relevant WebRTC protocol spec with this bit of text, isn't it? Apologies to the authors of this one for landing the discuss on them:-)

----------------------------------------------------------------------
COMMENT:
----------------------------------------------------------------------

- Figure 1: Couldn't ICE/UDP be somewhat confusing for someone unaware that ICE is more of an algorithm than a wire protocol? Might be nice to clarify that here in the intro. (If you want to be nice, if you don't that's ok too and can be the right decision.)

- section 3: Isn't "complete SCTP packet" a teeny bit ambiguous? It could mean including the IP and other lower headers but I guess you do not. But that's a nit since it's probably clear enough that you don't put an IP or layer 2 header into the DTLS payload:-)

- Given heartbleed, and the use here of RFC6520 I think some note of that famous implementation bug would be wise. Just a pointer to how to not have that problem. But it's not a protocol bug so I'm not trying to insist, i.e. no need for us to argue the toss on this:-)

- I'm also wondering if the text here on 6520 is sufficiently clear given this week's discussion of that on the rtcweb list. (I'm not on tsvwg@ so would appreciate an update on how the thread [1] pans out on the tsvwg list before we approve this.)

[1] https://www.ietf.org/mail-archive/web/rtcweb/current/msg14069.html
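The "pointer to how not to have that problem" in the Heartbleed comment is the RFC 6520 rule that a HeartbeatMessage whose payload_length does not fit inside the received record must be discarded silently; the parser and responder below apply that bound before any copy. This is an added illustration, not code from the email, the draft or any TLS library, and it assumes zero padding bytes where RFC 6520 calls for random ones.

```c
/* RFC 6520 HeartbeatMessage handling with the length check whose
 * absence was Heartbleed: payload_length is bounded by the record
 * before anything is read or echoed. Added example, not library code. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdbool.h>

#define HB_TYPE_REQUEST  1
#define HB_TYPE_RESPONSE 2
#define HB_PADDING_MIN   16   /* RFC 6520: at least 16 bytes of padding */

struct heartbeat {
    uint8_t        type;
    uint16_t       payload_length;
    const uint8_t *payload;       /* points into the caller's record */
};

/* Parse a heartbeat message from a record payload of rec_len bytes.
 * Returns false when the message must be discarded silently. */
bool heartbeat_parse(const uint8_t *rec, size_t rec_len, struct heartbeat *hb)
{
    /* type(1) + payload_length(2) + at least 16 bytes of padding */
    if (rec_len < 3 + HB_PADDING_MIN)
        return false;
    uint8_t type = rec[0];
    if (type != HB_TYPE_REQUEST && type != HB_TYPE_RESPONSE)
        return false;
    uint16_t plen = (uint16_t)((rec[1] << 8) | rec[2]);
    /* The check Heartbleed lacked: the claimed payload must fit in the
     * record with room left for the padding (RFC 6520 section 4). */
    if ((size_t)plen > rec_len - 3 - HB_PADDING_MIN)
        return false;
    hb->type = type;
    hb->payload_length = plen;
    hb->payload = rec + 3;
    return true;
}

/* Build the HeartbeatResponse for a parsed request. Only the bounded
 * payload_length bytes are copied, so nothing past the record leaks.
 * Returns bytes written, or 0 if out is too small or type is wrong. */
size_t heartbeat_build_response(const struct heartbeat *req, uint8_t *out, size_t out_len)
{
    size_t need = 3 + (size_t)req->payload_length + HB_PADDING_MIN;
    if (req->type != HB_TYPE_REQUEST || out_len < need)
        return 0;
    out[0] = HB_TYPE_RESPONSE;
    out[1] = (uint8_t)(req->payload_length >> 8);
    out[2] = (uint8_t)(req->payload_length & 0xff);
    memcpy(out + 3, req->payload, req->payload_length);
    memset(out + 3 + req->payload_length, 0, HB_PADDING_MIN); /* assumption: zero, not random */
    return need;
}
```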