IETF Logo Mail Archive

Re: [Uta] [Last-Call] Secdir telechat review of draft-ietf-uta-rfc7525bis-09

Rob Sayre <sayrer@gmail.com> Wed, 13 July 2022 18:53 UTC

Return-Path: <sayrer@gmail.com>
X-Original-To: uta@ietfa.amsl.com
Delivered-To: uta@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 79908C16ED0E; Wed, 13 Jul 2022 11:53:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.106
X-Spam-Level:
X-Spam-Status: No, score=-2.106 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BXDVXMsouMNf; Wed, 13 Jul 2022 11:53:50 -0700 (PDT)
Received: from mail-ed1-x533.google.com (mail-ed1-x533.google.com [IPv6:2a00:1450:4864:20::533]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E69FFC157B3E; Wed, 13 Jul 2022 11:53:49 -0700 (PDT)
Received: by mail-ed1-x533.google.com with SMTP id y4so15272340edc.4; Wed, 13 Jul 2022 11:53:49 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=AJSINoiOW71nR/tC0IbT6rlz+BELSreDxfGl2Tf42JQ=; b=RGhRun/CiNt3PoTHc6FrU44TL32zFp7jzesWO5VeksgTAD0kNm3BRN0oGa9uOhAU4G qsOIisE9SvpgCjHFO1lL4/SqF4vNCWDV7V+huczn/cvL/YpgoDGOoAb8m8ZVAWJXl9vt Cs3ue0phWUU+18wJiG2uyRmvyTbMcGcreYbpaIyGE0gXZ8vO4JY+pBICmuGwz5TsC8KR X1DbfywYyFDEQjyeKm/2MH0SlDVxWexOhDXo4voUY2DqaqbH8fVYMFwlqBQg1DxvczF3 acBSQWnxjx8aictnQHs7VBdlefhutW9dvwtQcWzr+n8Rj3cdVbHSQURJK+WDtuWE8DIp UVyA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=AJSINoiOW71nR/tC0IbT6rlz+BELSreDxfGl2Tf42JQ=; b=7E23XW9QpyTlBhqJanKMQLWyqQs8FWStg44aOwsGJ60cSX82wuhrWTlj5EXWC7Zvru xiAOuj6FIRl/6n5eys3/EMl/RxbgRrrISfU19kvzP+BnaTRRL8+OzDw2RcEHn/9+qhHI OjO/rklJuWDex3UOtJal2Vr62KB3zQa6wV4bx6ybkbbMIB886Ey6tinrIu4TQzO8e+zM L4KOoF1cJ3kPDyQcJmhGGexIvjblSMa5Ek9YGMJcr4LOKjRhz5ImDbSJjKCRp99rDtmj gIlFhQRkLlRaeV04peuMus3x4gHF2SBLQ2Ia9Jyk+9h5Ahr9pvVmvFin/lEq1zA6XbYf KLxw==
X-Gm-Message-State: AJIora/G46AQvph0nOqgwyknoTLcci9USj5npqdPY8YQd+76tLJhUFkM R3IWY2i32HNsrTbm9DGOJ/mVLEZ+U2NIxMGWrNZnz/C/1Og=
X-Google-Smtp-Source: AGRyM1uQzrAB3OGClx42xCJGeypmhsLquw87t47KyRg7lvRGqMoywItuwxC9Teak7bWMOT98ypXgTbSRlHsfH4irzOg=
X-Received: by 2002:a05:6402:1d54:b0:43b:1795:d3c with SMTP id dz20-20020a0564021d5400b0043b17950d3cmr2232662edb.236.1657738427908; Wed, 13 Jul 2022 11:53:47 -0700 (PDT)
MIME-Version: 1.0
References: <165766858084.5251.12485129434316295805@ietfa.amsl.com> <b24e2934-200f-4f80-5261-aa2a977da39b@stpeter.im>
In-Reply-To: <b24e2934-200f-4f80-5261-aa2a977da39b@stpeter.im>
From: Rob Sayre <sayrer@gmail.com>
Date: Wed, 13 Jul 2022 11:53:36 -0700
Message-ID: <CAChr6Syq+uOTJsvqWuSustq_HdTaXCtDepyCuRWx+jGoEB06Fw@mail.gmail.com>
To: Peter Saint-Andre <stpeter@stpeter.im>
Cc: Benjamin Kaduk <kaduk@mit.edu>, secdir@ietf.org, draft-ietf-uta-rfc7525bis.all@ietf.org, last-call@ietf.org, uta@ietf.org
Content-Type: multipart/alternative; boundary="00000000000020471f05e3b44ea3"
Archived-At: <https://mailarchive.ietf.org/arch/msg/uta/4E2mFheFbysSvhQAJbCRWpATVug>
Subject: Re: [Uta] [Last-Call] Secdir telechat review of draft-ietf-uta-rfc7525bis-09
X-BeenThere: uta@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: UTA working group mailing list <uta.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/uta>, <mailto:uta-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/uta/>
List-Post: <mailto:uta@ietf.org>
List-Help: <mailto:uta-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/uta>, <mailto:uta-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 13 Jul 2022 18:53:54 -0000

On Wed, Jul 13, 2022 at 11:28 AM Peter Saint-Andre <stpeter@stpeter.im>
wrote:

> >
> > It's very disappointing to me to see that we label a TLS 1.3-only
> > implementation as non-compliant with the BCP for TLS usage; such an
> > implementation is more secure than a joint 1.2+1.3 implementation.
> > That said, I assume that the WG discussed this topic extensively and
> > it seems somewhat unlikely that I have any new contributions to that
> > discussion.
>
> Even the authors are sometimes disappointed by what ends up in a BCP - I
> know I felt that way about both RFC 6125 (wildcard certs!) and RFC 7525.
>
> Personally I would be comfortable with changing TLS 1.3 from SHOULD
> support to MUST support, but we'd need to see what the WG thinks.
>

I think the bullet point section, "SSL/TLS Protocol Versions",  fails to
convey the requirements here (I can't even tell what they are).

The section also says

"Even if a TLS implementation defaults to TLS 1.3, as long as it supports
TLS 1.2 it MUST follow all the recommendations in this document."

That seems to suggest that the section should be reorganized to document
what must be done if supporting TLS 1.2, and also highlight that it is
optional.

thanks,
Rob

v2.23.0 | Report a Bug | By Email