[TLS] Alexey Melnikov's No Objection on draft-ietf-tls-iana-registry-updates-04: (with COMMENT)

Alexey Melnikov <aamelnikov@fastmail.fm> Tue, 03 April 2018 16:56 UTC

Return-Path: <aamelnikov@fastmail.fm>
X-Original-To: tls@ietf.org
Delivered-To: tls@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id 75D63126BFD; Tue, 3 Apr 2018 09:56:16 -0700 (PDT)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
From: Alexey Melnikov <aamelnikov@fastmail.fm>
To: The IESG <iesg@ietf.org>
Cc: draft-ietf-tls-iana-registry-updates@ietf.org, Stephen Farrell <stephen.farrell@cs.tcd.ie>, tls-chairs@ietf.org, stephen.farrell@cs.tcd.ie, tls@ietf.org
X-Test-IDTracker: no
X-IETF-IDTracker: 6.77.1
Auto-Submitted: auto-generated
Precedence: bulk
Message-ID: <152277457647.22702.669514304265362603.idtracker@ietfa.amsl.com>
Date: Tue, 03 Apr 2018 09:56:16 -0700
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/x42ngOvUAuhcYeCBFOkq5df7Jl0>
Subject: [TLS] Alexey Melnikov's No Objection on draft-ietf-tls-iana-registry-updates-04: (with COMMENT)
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 03 Apr 2018 16:56:17 -0000

Alexey Melnikov has entered the following ballot position for
draft-ietf-tls-iana-registry-updates-04: No Objection

When responding, please keep the subject line intact and reply to all
email addresses included in the To and CC lines. (Feel free to cut this
introductory paragraph, however.)


Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html
for more information about IESG DISCUSS and COMMENT positions.


The document, along with other ballot positions, can be found here:
https://datatracker.ietf.org/doc/draft-ietf-tls-iana-registry-updates/



----------------------------------------------------------------------
COMMENT:
----------------------------------------------------------------------

I support the idea behind this document. I have a few minor issues which I
would like to discuss before recommending its approval:

1) In several places:

"IESG action is REQUIRED for a Yes->No transition."

Firstly, this should be "IESG Approval", not "IESG action" (according to RFC
8126).

Secondly, are you saying that this is the ONLY way to transition from Yes to
No? Surely, Standards Action should also be allowed in case there is no rush?
Besides IESG is likely to prefer a document explaining the transition anyway.

2) In Section 15:

15.  TLS Certificate Types

   Experience has shown that the IETF Consensus registry policy for TLS
   Certificate Types is too strict.  Based on WG consensus, the decision
   was taken to change registration policy to Specification Required
   [RFC8126] while reserving a small part of the code space for
   experimental and private use.  Therefore, IANA [SHALL add/has added]
   a "Recommended" column to the registry.  X.509 and Raw Public Key are
   "Yes".  All others are "No".  In order to register an extension with
   the value "Yes", a Standards Track document [RFC8126] is REQUIRED.

The above sentence.

   Future Certificate Types MUST define the value of this column.  A
   Standards Track document [RFC8126] is REQUIRED to register an entry
   with the value "Yes".

And this is just repeating the above sentence in a different way.

   IESG action is REQUIRED for a Yes->No
   transition.

3) In Section 17:

   Despite the fact that the HashAlgorithm and SignatureAlgorithm
   registries are orphaned, it is still import to warn implementers of

import --> important

   pre-TLS1.3 implementations about the dangers of blinding implementing

blinding --> blindly

   cryptographic algorithms.

And later in the same section:

   WARNING:  Cryptographic algorithms and parameters will be broken or
      weakened over time.  Blindly implementing cipher suites listed

cipher suites --> hash functions/signatures?

      here is not advised.  Implementers and users need to check that
      the cryptographic algorithms listed continue to provide the
      expected level of security.