IETF Logo Mail Archive

Re: [Uta] Robert Wilton's Discuss on draft-ietf-uta-rfc7525bis-09: (with DISCUSS and COMMENT)

"Rob Wilton (rwilton)" <rwilton@cisco.com> Mon, 18 July 2022 17:17 UTC

Return-Path: <rwilton@cisco.com>
X-Original-To: uta@ietfa.amsl.com
Delivered-To: uta@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0885FC13C535; Mon, 18 Jul 2022 10:17:00 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.604
X-Spam-Level:
X-Spam-Status: No, score=-14.604 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_NONE=0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com header.b=WHKAUHVH; dkim=pass (1024-bit key) header.d=cisco.onmicrosoft.com header.b=pgMuaICq
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pDwFyJpSHsyo; Mon, 18 Jul 2022 10:16:56 -0700 (PDT)
Received: from alln-iport-1.cisco.com (alln-iport-1.cisco.com [173.37.142.88]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EDD59C13C51E; Mon, 18 Jul 2022 10:16:55 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=37389; q=dns/txt; s=iport; t=1658164616; x=1659374216; h=from:to:cc:subject:date:message-id:references: in-reply-to:mime-version; bh=Af+ygczkYp2G096kJv7LdznvK2P40OL3BteFY8sfgv8=; b=WHKAUHVHgAHKigiVvo/1qOjgfFZ6vsJqGv1FRa6FaGxOZ9oDVxueqVkk CNpv+Yj84A5IfhP9Kv9YwH+2JlPLyj5VW35Nhr0HbeueXQkb9xzpdj5H6 TiiczPS1JLceEGYofFqEdc7N+CJ5d9IEOa6KczjdPIdt31jv8TFeQvMmW Y=;
X-IPAS-Result: A0ARAABilNVimIgNJK1aHAEBAQEBAQcBARIBAQQEAQFAgTsHAQELAYEgMSoofwJZOkWIGgOEUV+FC4MCA5tLgSwUgREDVAsBAQENAQE3CwQBAYUGAoUOAiU0CQ4BAgQBAQEBAwIDAQEBAQEBAwEBBQEBAQIBBwQUAQEBAQEBAQEJFAcGDAUOECeFaA2GQgEBAQECARIbEwEBLgkBBAsCAQgRBAEBASABBgcyFAkIAgQBDQUIFwOCWwGCDlcDDSMDAQ+ecwGBPwKKH3iBM4EBgggBAQYEBIFNQYMCGII4AwaBPQGDF4Q6gxWDJXsnHIFJRCZvQ4JnPoJiAQECAYEoARIBCQkRDB8JAoNVgi6NEoQiil8HNwNHLxKBH2wBCAYGBwoFLgYCDBgUBAITEk0GFgISDAoGEw5BEBcMDwMSAw8BBwIJEAgSJQgDAgMIAwIDGwsCAxYJDgMdCAoYEhASAgQRGgsIAxY/CQIEDgNCCA4DEQQDDxgJEggQBAYDMgwlCwMFDw0BBgMGAgUFAQMgAxQDBSQHAyEPJg0NBBsHHQMDBSUDAgIbBwICAwIGFQYCAhhUOQgECAQrIw8FAgcvBQQvAh4EBQYRCAIWAgYEBQIEBBYCEAgCCCcXBxMzGQEFWRAJIRYGDhoKBgUGFQMhRyYFRQ8oMzY8IwkfGwqBFSoJIhYDBAQDAgYaAwMiAhAuMQMVBikTFBoTCSt9CQIDInQDAwQsDgUEGQGdcB88HRsMHQIHBA0HHh8CBB5hTQ4GAQYZIwURBZIsVY0ujg2TEAqDUYsijXSHHhWDdkmLe4ZikUuWeSCNE5RehRACBAIEBQIOAQEGgWGBJXBwFYMjURkPjiAMDQkVbwECgkmFFIVKdTsCBgsBAQMJjECCRgEB
IronPort-PHdr: A9a23:69YyHRU9A7gFt8NwKoQ2JGKW6ufV8K36AWYlg6HPw5pCcaWmqpLlO kGXpfBgl0TAUoiT7fVYw/HXvKbtVS1lg96BvXkOfYYKW0oDjsMbzAAlCdSOXEv8KvOiZicmH cNEAVli+XzzMUVcFMvkIVPIpXjn5j8JERK5Pg1wdYzI
IronPort-Data: A9a23:Qtsz06p4ca69R2WKANsyJBXKYZNeBmLjZRIvgKrLsJaIsI4StFCzt garIBnVM6uDMWvxeopybtm3/UpQsZLUx4BiTVdvqitmHixGoOPIVI+TRqvS04x+DSFioGZPt Zh2hgzodZhsJpPkjk7xdOCn9xGQ7InQLlbGILas1htZGEk1Ek/NtTo5w7Rj2tEx0YDga++wk YqaT/P3aQfNNwFcagr424rbwP+4lK2v0N+wlgVWicFj5DcypVFMZH4sDf3Zw0/Df2VhNrXSq 9AvY12O1jixEx8FUrtJm1tgG6EAaua60QOm0hK6V0U+6/RPjnRa70o1CBYTQRpTlRmFm9RP8 85ykrWZaj0YAvPSx91IBnG0EwkmVUFH0LbDJX76usuJwgidNXDt2P5pSkoxOOX0+M4uXjoIr qJecWtLN0vd7w616OrTpu1EnNsiKNXsOqsUu2prynfSCvNOrZXrE/WatIMHgWlq7ixINd+ON 8waTR8+V0WafkVeKlEYAa4vjd790xETdBUB+A7K+sLb+VP7yAFw3rrFK8fTd8DMXsg9tluEr 0rH8nj3RBYAO7S31CaMt3msj+7Vhgv6VZ4cUrqi+ZZCjEeayHBWCRAKWx6mvfD8kEC1BI8Fd kYV4QIvoLQ8skuxQbHVXhCjr1aFswISHd1KHIUS8x2Vx7bZ+S6CGnAJUjNbLt0j3OczWRQu0 UCEmc/zAiR+9ruYVRqgGqy8pDe2P20eKnUPIHRCRgoe6N6lq4Y25v7Scjp9OPOxkPH5HTXO+ Cu1iwEXpI8isZAViJzuqDgrnAmQjpTOSwc04CDeUWSk8h51aeaZi2qAtAKzARFocdjxc7WRg JQXs5PFtblRU/lhgATIEbtTQ+DwjxqQGGeE6WODCaXN4NhEF5SLVIRU7TcWyKxBbZtcIGSBj KM+RWpsCHJ7NX+ua+p8ZJi8Tp9sxqn7HtOjXffRBjavXnSTXFHflM2NTRfNt4wIrKTKuftlU Xt8WZ3wZUv28Yw9kFKLqx41iNfHPBwWy2LJXozcxB+6y7eYb3P9Ye5bbQvWPrpnt/7e/Fq9H zNj2y2ilkg3vArWP3a/zGLvBQxiwYUTXMqv8JUHKoZv3CI/QTp8YxMu/V/RU9U1w/sK/gs51 nq8QURfgEHunmHKLB7iV5yQQO2HYHqLllpiZXZEFQ/xgxALON/zhI9CJ8pfVeR2r4RLkK8rJ 9FbIJ/oKqoUFVz6F8E1MMOVQHpKLkr73Gpj/kONPVACQnKXb1aSoY+0Ila3pXVm4+jenZJWn oBMHzjzGfIrLzmOxu6PAB5z5ztdZUQgpd8=
IronPort-HdrOrdr: A9a23:hvi2/6FKzh9bRTsgpLqFVpHXdLJyesId70hD6qkvc3Jom52j+P xGws526fatskdsZJkh8erwXJVoMkmsiqKdgLNhcItKOTOGhILGFvAb0WKP+UyDJ8S6zJ8h6U 4CSdkzNDSTNykAsS+S2mDReLxMoKjlzEnrv5al854Hd3AMV0gU1XYBNu/tKDwReOApP+tdKL Osou584xawc3Ueacq2QlMfWfLYmtHNnJX6JTYbGh8O8mC1/HyVwY+/NyLd8gYVUjtJz7tn23 PCiRbF6qKqtOz+4gPA1lXU849dlLLau5V+7Y23+4kowwfX+0WVjbdaKv+/VfcO0aSSAWMR4Z nxStEbToBOAj3qDyaISFDWqnfdOX4Vmg7fIBmj8D3eSQiTfkNjNyKH7rgpKycxonBQzO1Uwe ZF2XmUuIFQCg6FlCPh58LQXxUvjUasp2E++NRjx0C3fLFuHoO5l7ZvtX99AdMFBmb3+YonGO 5hAIXV4+tXa0qTazTcsnN0yNKhU3wvFlPeK3Jy8PC9wnxThjR03kEYzMsQkjMJ8488UYBN46 DBPr5znL9DQ8cKZeZ2BfsHQ8GwFmvRKCi8e166MBDiDuUKKnjNo5n47PE84/yrYoUByN8olJ HIQDpjxBkPkoLVeLmzNbFwg2LwqT+GLEfQI+lllu1EhoE=
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-AV: E=Sophos;i="5.92,281,1650931200"; d="scan'208,217";a="888947562"
Received: from alln-core-3.cisco.com ([173.36.13.136]) by alln-iport-1.cisco.com with ESMTP/TLS/DHE-RSA-SEED-SHA; 18 Jul 2022 17:16:54 +0000
Received: from mail.cisco.com (xfe-aln-001.cisco.com [173.37.135.121]) by alln-core-3.cisco.com (8.15.2/8.15.2) with ESMTPS id 26IHGsvT029351 (version=TLSv1.2 cipher=AES256-SHA bits=256 verify=OK); Mon, 18 Jul 2022 17:16:54 GMT
Received: from xfe-rcd-002.cisco.com (173.37.227.250) by xfe-aln-001.cisco.com (173.37.135.121) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.986.14; Mon, 18 Jul 2022 12:16:54 -0500
Received: from NAM11-CO1-obe.outbound.protection.outlook.com (72.163.14.9) by xfe-rcd-002.cisco.com (173.37.227.250) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.986.14 via Frontend Transport; Mon, 18 Jul 2022 12:16:54 -0500
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=WS3AQLKKhjMZbAruAzS/wjnNUo25Xf/Th8HoWIgLsUsb2qO3Wk5ecLFP2jnxQmN+9gqAZRm5qTU8wD08PpoEddBQhwQxk9+K+pbwi8lQJUzNjYO+zJAc3mNXaPWvPpPkwtJ+8q+1NWLErQJMgACkFg64frNJ+jG6zt+aXtmkNbGMQI2fOKwH0muyqatMVNJSJaZb4Us598Q1bUqg/c0BcCgeJgk99b6NoUuHGp69UBPoL6OoghjdZcUBDDrEL0RVydm1b0aaG7UwTMrg0UC3dFZ9z4ZYmYgIMA3/JCLI/wfqCSs2SSXOCVMyXjpXofiK1JQkVEZxB0qcpIhaWtHWlg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=pUDKD5Lx9tf3UHqYvQimMzUwvcmxKHPphzKZVz0xAw8=; b=O9YCoI3K++IGnZAxdIpbQQzcd+pijLQ2Nq4XzbR75xd5rNUdq0JKmSkXajVv69955PnwDzfDBEFIiz/Et3ZUbAL0voLezP5bjCkQlpB4LYCgvEgYFNQzsx3WklqDLaOKQrDxlcLh/9KTsARPMSibgwjNIfETyl9Z/bXi0seFO6EDBExNEpTjcludHXdWLDePxweGzh6alYRLnKhK1BxzJA0idN6VyK9Iwae1vXmA4/rWXY4hZcAOx12bmayiZPtSPX0JY7uUv4/k3Hmfic/CGZwpeqT/PZ58lZQl9EFsGfMnhA+ID+BiNQI/LXSlIwID5M7lKeo+SsjCL3U+Q4pUBw==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=cisco.com; dmarc=pass action=none header.from=cisco.com; dkim=pass header.d=cisco.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cisco.onmicrosoft.com; s=selector2-cisco-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=pUDKD5Lx9tf3UHqYvQimMzUwvcmxKHPphzKZVz0xAw8=; b=pgMuaICqrAFT7kLnM6h8b4iMXk41TCx68HDksNYcEAf7Px3SQtRj94XmTXzGqtB2k8qOparCYmTunZMUsd7AdpurQIasBahzHuQi7ttzWRiXfgWCCxi706cKkgc1/1uxyFn5S9JyGy2UVk3gbz+lJtwrXvy3MEDXvYRaJt6ZIDc=
Received: from BY5PR11MB4196.namprd11.prod.outlook.com (2603:10b6:a03:1ce::13) by CO1PR11MB5010.namprd11.prod.outlook.com (2603:10b6:303:93::9) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.5438.15; Mon, 18 Jul 2022 17:16:52 +0000
Received: from BY5PR11MB4196.namprd11.prod.outlook.com ([fe80::e0e7:b17a:c19c:20e4]) by BY5PR11MB4196.namprd11.prod.outlook.com ([fe80::e0e7:b17a:c19c:20e4%4]) with mapi id 15.20.5438.023; Mon, 18 Jul 2022 17:16:52 +0000
From: "Rob Wilton (rwilton)" <rwilton@cisco.com>
To: Thomas Fossati <Thomas.Fossati@arm.com>, Martin Thomson <mt@lowentropy.net>, Peter Saint-Andre <stpeter@stpeter.im>, The IESG <iesg@ietf.org>
CC: "draft-ietf-uta-rfc7525bis@ietf.org" <draft-ietf-uta-rfc7525bis@ietf.org>, "uta-chairs@ietf.org" <uta-chairs@ietf.org>, "uta@ietf.org" <uta@ietf.org>, "leifj@sunet.se" <leifj@sunet.se>
Thread-Topic: [Uta] Robert Wilton's Discuss on draft-ietf-uta-rfc7525bis-09: (with DISCUSS and COMMENT)
Thread-Index: AQHYl2Vbtb6/MYgEPkeJX2Vy4Jo9ca1999cAgAEle3CAAL81AIAAChKAgAQU16CAAE81AIAAATsg
Date: Mon, 18 Jul 2022 17:16:51 +0000
Message-ID: <BY5PR11MB419689E2962931817B76F3E2B58C9@BY5PR11MB4196.namprd11.prod.outlook.com>
References: <165779144446.10023.16857085823147739769@ietfa.amsl.com> <799e5773-9fa4-b06a-38d1-138c43c5cfd9@stpeter.im> <BY5PR11MB4196858D743ADDF0058AEEF6B58B9@BY5PR11MB4196.namprd11.prod.outlook.com> <aef823f3-f3ab-4b17-811e-45bbcadce342@stpeter.im> <e91c06c6-037e-4ffd-ad17-37879df24e1b@www.fastmail.com> <BY5PR11MB41965634F7B81CEC361DA771B58C9@BY5PR11MB4196.namprd11.prod.outlook.com> <DB9PR08MB6524EF3FCE40204FB7E0A9AD9C8C9@DB9PR08MB6524.eurprd08.prod.outlook.com>
In-Reply-To: <DB9PR08MB6524EF3FCE40204FB7E0A9AD9C8C9@DB9PR08MB6524.eurprd08.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=cisco.com;
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 10b22ed2-608d-43f7-cc0e-08da68e14e7a
x-ms-traffictypediagnostic: CO1PR11MB5010:EE_
x-ms-exchange-senderadcheck: 1
x-ms-exchange-antispam-relay: 0
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: vGD+aNWr3khhpLNwKaFdJTTD28wxL4fgVFAaSHGZHjnGUFImgDmn5q5GfhA229Z7p8zWSPi4z1ckuIcJLMJyunUxfpoIfPTnC2U+ii9WpSzYQsxsEOhYvFoeEAOzjYASYKN9EjM4GdlwD+HyCsHwlYA8zF96UicJ4YVhYl8DDGlSHPOyfGwPnvkfqviaZyeX6hHC0Rpy1mYA6veaJc/Jyk3jZXps3p/hGKS0xhqeI2Ldy8enE1lC1OX+R+oMPBG7Hhr1mIZqEyQsZqzFO1Bt6mO5vh+fdmPcxTb9MzBCA69rEZE0B4tD43s9nm5fAXpgexYKCJRSv06siQoL5CjaP/4tF7m2tzj/srnR3cujMJofe+RzFxpYLEBmQayJVrG8fZR9586Nc5bbb+zpehRd/EDXK+RtVMhL2I3ZGqYKLiM3EiUmwAAwkRB6pF0++iuverZ3dH4bzbmY3yliK59KPC22vlELnISn8Zimm5Pvhixx92T4o+GuX9bdIfB/KFyx2zSb6E78XaMIwm4PaChp3Uo+dUQnTSY0oaXOrVFXM4CbK0rFxL1pEdINid9qGQfwnTVgHDbQ3WfKsp+hrL4ZRMYZHElndIL2R5ZuCH8j0jaPa1TO1LN2JXps4d+/8cozkeNRkTf110x5kYw8OcBapzc8btqdrrcpeZk7XGuO4/xmMOqfApVlkc8BvmKAqf+6bDqJQBQZuUPuIr/wN6f7Z6yPBMelFVg1vs3S0j9aPgiEhwIKF893a9jy6hHTT1ZFXxPOVF9jJTokXG9buUJeJLXTwb+8HPC8PTed/vI+q6Ili+mtRzAjodiT91IMIM+zIobLAPQwpy2txH4fClWg9g==
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:BY5PR11MB4196.namprd11.prod.outlook.com; PTR:; CAT:NONE; SFS:(13230016)(4636009)(346002)(396003)(376002)(39860400002)(136003)(366004)(8936002)(9326002)(66476007)(4326008)(5660300002)(55016003)(66556008)(66946007)(76116006)(52536014)(8676002)(122000001)(33656002)(64756008)(66446008)(38100700002)(2906002)(6506007)(166002)(86362001)(38070700005)(71200400001)(41300700001)(478600001)(110136005)(54906003)(316002)(186003)(83380400001)(53546011)(7696005)(9686003); DIR:OUT; SFP:1101;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: uDKTgAjJSFTvAEVfyP9eydeUQm7DFWQu61kXlqiNflknBFLkPFsROsM3oWykYaIvgXKXDyH8LZI2B/DmKMdf74zVaMYMBKyuE1ImT68/NRGznLaGOg+NkmuzsxSZ0Ry3TFnXYOhsnekb4pWUP7BRKUesqteLaNNAPcMg4YmkSJUNngyvfimLOT9b6NMvaNDxuuHq/Gv+3X186DId7qwGzDdTBYdWR/vhO9Dq+tNoboK/fP8vF34BiClPgAMU0vyg00fhMGH9Dodvd0ufs2e7J+AwyURRZhqByCZJGAYGqcehYl6/eYDUMYVgWSttb7jQZLv1JPLfT2C34ndzaP1gFhvuJq/gnVrkizHS8caFWnMn6zU8aTYW1RcAs0YW1VW74qbZa2sAIs4mJzPX7XrMYYww0lnWTCB5q7r+L0cm8i6toNyB9QtSDy+CmntxMYuexjH3UcO0N2vGqHkcwfIuTYVyqCuDLk29nFFSYv9rCMDZt4Mls9v2V7ifgMeyH5b116N7MqIqvVA1XsS/7K0Ub8vb3yCGGEXLbUNdtM39NWM82pORXOZP3VXQJ6KIkWgXowBbsudp4myYraTFDu7L2Qemfisy0qNLhYY6xQoWk58DClQEXa6PcoVIW94BOBu965XMLU0imCawkjdZleejYdPDEgvl0r9DLw5JqzDLHidkVJYJ7ksT/TgDyFuF5zgf69O8tCP3cf1TdoVxOKgOEbSEC8gqw05SekIdJdyhJ4Q4k35BFGN8huTiiOWc44+zSnc6VhwearlFYYpFFuL4enFVvCv0dJU43CShBNzt6ePzal/fL193fz6jEIS/j7LfD445lfXRFhdXoL2rpkXctTSRjuJNk26ZlDFT+8OAoebUx5Ha6jZjwbYXlQmejmPrRsQ/srO6ioFmWw7vk75gMZK43zV6RjGAqBAhw/2AQFTkq8SDFimPlLMa9LI+YBQk9UujHmRVYcxS9zl1+7l17CpqtRYMfaiU7PM0D5Id+FqKD7RFsJoK8VEYlIpgpjf3GDBHfDMcjE0giJ8P5VidVK3uPpUfbchRnJjnM/lohEelpNzzhcXk8wFnSxVP5JhPqKPd1T2SAa3+C1JAslhMlM4gEtQBhzG0boj8JFUVAn8wss/IxZURRSBUU72ZNg4H2G3QxTT/Z7TGk0FFYAyZR9Kwhu5ZJu0Kn91lgN1i33mZI8GhXHYTcnRvEb/CeXENimVb3mKUOr8dYLoHVQsAEbSr6tY+LInqQfJ8t1zyF3I63lyq4sBVi1vpDZPrsiaX+EC3C4obyyxYSacRJodMY6O7MG2bx4YANYCW7o9HcjF3x5dfpOfMCO/co+7w3eFybjjyTLuSfsnV5EZFEQQrflXSCoFSmQ9q/fypqrlR1iiT9Qk7gcm0L7OJAirj/BLjaqbmSdM+JGxL/S9yJbDI/qwP7ccljxcyXGKM/QQx+yH9rNskc81NcTgdmFFGNoyndzOxKctFZ5ZAKGW6Menel6KPtcyk6/UPjD6LZjMEEHFRkG8NSwP7QC6eNJbQ91Wr2N8xlGnjggwe6i+nOrm2TETH/kxvY7ztzMLcuWwyohhPmsPanFzf8x8KiQbYtfSRij7tkdxXx9TbBlKhBsiJEyTaOdz3PhQzJ+rOpwb0dtqDczEV4Wt9A5Ezj5zd90xO
Content-Type: multipart/alternative; boundary="_000_BY5PR11MB419689E2962931817B76F3E2B58C9BY5PR11MB4196namp_"
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: BY5PR11MB4196.namprd11.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 10b22ed2-608d-43f7-cc0e-08da68e14e7a
X-MS-Exchange-CrossTenant-originalarrivaltime: 18 Jul 2022 17:16:51.9322 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 5ae1af62-9505-4097-a69a-c1553ef7840e
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: T7FaeXSv5RkoZMjrfdMmgq2oilQSQ1S3Nx9b7yz6vkso6e7XlAdPNbG+MYeqM0Js2StDkLsXLZp9S8F5thWsXA==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: CO1PR11MB5010
X-OriginatorOrg: cisco.com
X-Outbound-SMTP-Client: 173.37.135.121, xfe-aln-001.cisco.com
X-Outbound-Node: alln-core-3.cisco.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/uta/14Lksbuidj1M5BAn9KTOe1EzhLA>
Subject: Re: [Uta] Robert Wilton's Discuss on draft-ietf-uta-rfc7525bis-09: (with DISCUSS and COMMENT)
X-BeenThere: uta@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: UTA working group mailing list <uta.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/uta>, <mailto:uta-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/uta/>
List-Post: <mailto:uta@ietf.org>
List-Help: <mailto:uta-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/uta>, <mailto:uta-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 18 Jul 2022 17:17:00 -0000

Hi Thomas,


From: Thomas Fossati <Thomas.Fossati@arm.com>
Sent: 18 July 2022 16:41
To: Rob Wilton (rwilton) <rwilton@cisco.com>; Martin Thomson <mt@lowentropy.net>; Peter Saint-Andre <stpeter@stpeter.im>; The IESG <iesg@ietf.org>
Cc: draft-ietf-uta-rfc7525bis@ietf.org; uta-chairs@ietf.org; uta@ietf.org; leifj@sunet.se
Subject: Re: [Uta] Robert Wilton's Discuss on draft-ietf-uta-rfc7525bis-09: (with DISCUSS and COMMENT)

Hi Rob,

On Monday, 18 July 2022 at 15:35, Rob Wilton (rwilton) <rwilton@cisco.com<mailto:rwilton@cisco.com>> wrote:
> > I think that you are right to be cautious here.  What you want to
> > have happen is interoperability.  If you say 1.2 or later, then
> > there is a risk of some implementations doing 1.2 only and some
> > doing 1.3 only, then you lose the ability to communicate.
>
> The introduction states:
>
>    This document attempts to minimize new guidance to TLS 1.2
>    implementations, and the overall approach is to encourage systems
>    to move to TLS 1.3.
>
> and
>
>    These are minimum recommendations for the use of TLS in the vast
>    majority of implementation and deployment scenarios, with the
>    exception of unauthenticated TLS (see Section 5).
>
> And section 3.1.1 states:
>
>       Rationale: secure deployment of TLS 1.3 is significantly easier
>       and less error prone than secure deployment of TLS 1.2.
>
> I completely get wanting the interop, but the MUST implement TLS 1.2
> still feels too strong given that AIUI, one of the reasons for TLS 1.3
> was to help mitigate some of the security issues that turned up in TLS
> 1.2.
>
> It feels reasonable to me for a server deployment to decide that
> they will only support TLS 1.3 because it is easier to deploy
> securely, placing the requirement on the client to also support TLS
> 1.3 for successful interop.
>
> Equally, I can also foresee continued deployments, where they still
> decide to support old versions of TLS before 1.2 to ensure that they
> can still interoperate with legacy clients that have not upgraded.

Sure a deployment can do as they decide to, but negotiating < 1.2 is not
considered secure anymore.

Sure. Agreed.

  OTOH, the 1.2 profile that the document
describes (and that the endpoints are required to implement) is not less
secure than 1.3.

The document in its current form acknowledges the reality that today not
all stacks are fully ready and, for a variety of reasons, not all
deployments can be readily upgraded to 1.3.  MbedTLS and its ecosystem
are in that position: nearly there, but not 100% yet.

The desired state is everyone runs 1.3 (because it's less complex,
not because it's more secure than the profiled 1.2 defined in the BCP.)

What are the risks of mandating 1.2 as baseline?

I think that there are two risks:

  1.  It may be less secure, if this comment is correct "secure deployment of TLS 1.3 is significantly easier and less error prone than secure deployment of TLS 1.2"?
  2.  My interpretation from the document is that it is more important to implement TLS 1.2 than it is to implement TLS 1.3.  If that is the intent, then okay, but then the quoted comment about TLS 1.3 being significantly easier sort of seems entirely irrelevant if implementations MUST still deploy TLS 1.2.

But I just find the guidance in the document somewhat confusing:

   Years
   later this transition is largely complete and TLS 1.3 is widely
   available.

   ...


   This document attempts to minimize new guidance to TLS 1.2

   implementations, and the overall approach is to encourage systems to

   move to TLS 1.3.  However, this is not always practical.


   ...


   As noted, the TLS 1.3 specification resolves many of the

   vulnerabilities listed in this document.  A system that deploys TLS

   1.3 should have fewer vulnerabilities than TLS 1.2 or below.

   Therefore this document replaces [RFC7525<https://datatracker.ietf.org/doc/html/rfc7525>], with an explicit goal to

   encourage migration of most uses of TLS 1.2 to TLS 1.3.



So, I read this document saying TLS 1.3 is great, and fixes a load of issues with TLS 1.2 which is why you absolutely MUST deploy TLS 1.2, and it would be nice if you did TLS 1.3 as well!



Do we disincentivise converging to the desired goal?
Maybe, it depends on how other levers play out.
Anyway, worst case the parties negotiate the profiled 1.2, which
guarantees excellent security.

What are the risks of not mandating 1.2 as baseline?

What about saying SHOULD support 1.2 except for deployments where TLS 1.3 is supported and it is known that all clients are capable of supporting TLS 1.3?

E.g., TLS 1.3 for NETCONF is coming along, and the ISPs may want to configure the device to only use/allow TLS 1.3 and not TLS 1.2, but they would have to violate/ignore this guidance to turn off TLS 1.2 ... or perhaps the implementation could argue that they don't need to allow TLS 1.2 to be disabled because this RFC mandates that it has to be supported everywhere ...


Do we create breakage that can't be easily fixed?
Quasi certain.

To me it's a question of timing, and I think we can defer the decision
to when data give us confidence that the induced breakage is minimal.
Note that a "SHOULD support 1.3" is pretty strong (RECOMMENDED may be
slightly stronger?) and paves the way for being more radical with the
next iteration of this document.

RECOMMENDED means exactly the same as SHOULD, so alas that won't help.


I appreciate the slight frustration, but a policy of small steps is the
probably the most adequate for a BCP.

Yes.  I agree to the small steps thing, and I understand setting TLS 1.2 as the minimum bar.  But as I said above, my current reading of the RFC 2119 language makes it unclear to me whether the goal is really to move everyone to TLS 1.3 or at least TLS 1.2.  If I find this text confusing then I suspect that general implementors will also do so.

Thanks,
Rob



Cheers, thanks


IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.

v2.23.0 | Report a Bug | By Email