Proposed resolution for security issues with draft-ietf-tsvwg-iana-ports-08
Paul Hoffman <paul.hoffman@vpnc.org> Mon, 15 November 2010 19:43 UTC
As this list and the TLS list have seen, there is a wide variety of views on how to deal with fallback-to-insecure in protocols. I believe that the security community has no consensus on what this means, much less how to do it. My earlier proposal (continue to allow registration of two ports) was popular with some, unpopular with others; similarly, so was "force all protocols to use one port". Therefore, I retract my proposal to allow two-port registrations for fallback-to-insecure. However, I still recommend some changes to the text to reflect the view that STARTTLS is not the only way to have such a feature on one port. This will be an interesting IETF Last Call discussion.

I propose the following changes to draft-ietf-tsvwg-iana-ports:

Section 7.2 current:

   o IANA will allocate only one assigned port number for all versions
     of a service (e.g., running the service with or without a security
     mechanism, or for updated variants of a service)

Section 7.2 proposed:

   o IANA will normally allocate only one assigned port number for all
     versions of a service (e.g., running the service with or without a
     security mechanism, or for updated variants of a service). This
     policy can be overridden by the expert reviewer.

Section 7.2 current:

   Further, previous separation of protocol variants based on security
   capabilities (e.g., HTTP on TCP port 80 vs. HTTPS on TCP port 443) is
   not recommended for new protocols, because all new protocols should
   be security-capable and capable of negotiating the use of security
   in-band.

Section 7.2 proposed:

   Further, previous separation of protocol variants based on security
   capabilities (e.g., HTTP on TCP port 80 vs. HTTPS on TCP port 443) is
   not recommended for new protocols, because all new protocols should
   be security-capable.

--Paul Hoffman, Director
--VPN Consortium