Re: [Uta] I-D Action: draft-ietf-uta-rfc7525bis-07.txt

Thomas Fossati <Thomas.Fossati@arm.com> Fri, 10 June 2022 14:12 UTC

From: Thomas Fossati <Thomas.Fossati@arm.com>
To: John Mattsson <john.mattsson=40ericsson.com@dmarc.ietf.org>, "uta@ietf.org" <uta@ietf.org>
Date: Fri, 10 Jun 2022 14:12:20 +0000
Archived-At: <https://mailarchive.ietf.org/arch/msg/uta/zBQax7BHc4BX3YgXpcnJXSmuCKQ>

Hi John, thank you very much for your review.

We are tracking your comments here:


  *   https://github.com/yaronf/I-D/issues/377
  *   https://github.com/yaronf/I-D/issues/378
  *   https://github.com/yaronf/I-D/issues/379
  *   https://github.com/yaronf/I-D/issues/380
  *   https://github.com/yaronf/I-D/issues/381
  *   https://github.com/yaronf/I-D/issues/382
  *   https://github.com/yaronf/I-D/issues/383
  *   https://github.com/yaronf/I-D/issues/384

With regards to:

-  of time (e.g., measured in days)

"Days" is ridiculously long for non-constrained use cases. ANSSI requires ephemeral Diffie-Hellman every hour or 100 GB for IPsec. Signal and WireGuard are doing Diffie-Hellman much more often than that. I think "measured in days" gives the wrong idea. I suggest changing to "e.g., every hour". Days seems like a recommendation taken from the year 2000. If needed, separate constrained and non-constrained use cases.

This was already fixed in the editor’s copy (by Ben):


  *   https://github.com/yaronf/I-D/pull/358/commits/c39180c

cheers, thanks!

From: Uta <uta-bounces@ietf.org> on behalf of John Mattsson <john.mattsson=40ericsson.com@dmarc.ietf.org>
Date: Friday, 10 June 2022 at 14:25
To: uta@ietf.org <uta@ietf.org>
Subject: Re: [Uta] I-D Action: draft-ietf-uta-rfc7525bis-07.txt
Hi,

I reviewed the whole document. Looks fine in general. Some comments:


- "Those who implement and deploy TLS and DTLS, in particular versions 1.2 or earlier of these protocols"

Delete "or earlier". As these versions are "MUST NOT negotiate". Might be good to mention this deprecation in the introduction.


- Would be good for the reader if the intro said something to explain the TLS handshake and record layer. DTLS and QUIC also use the TLS handshake but with a different record layer. Would be good to point out that a lot of the recommendations for "TLS" apply to all uses of the TLS handshake such as DTLS and QUIC.


- I think QUIC should be mentioned in the introduction. Otherwise the document feels old already when it is published. QUIC already makes up a huge part of internet traffic. Over 25% in some ISPs. Many of the recommendations apply to QUIC as well.


- 3.3.  Compression
Would be good to add that TLS certificate compression is fine to use.


-  of time (e.g., measured in days)

"Days" is ridiculously long for non-constrained use cases. ANSSI requires ephemeral Diffie-Hellman every hour or 100 GB for IPsec. Signal and WireGuard are doing Diffie-Hellman much more often than that. I think "measured in days" gives the wrong idea. I suggest changing to "e.g., every hour". Days seems like a recommendation taken from the year 2000. If needed, separate constrained and non-constrained use cases.


-  "Renegotiation in TLS 1.2 was replaced"

Change to "partly replaced". Diffie-Hellman, server authentication, and update of the exporter secret are all missing.


- Section 4.1
I am missing a recommendation related to AEAD. It would make sense to add that "Implementations SHOULD NOT negotiate non-AEAD cipher suites."


- "Clients SHOULD include TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 as the first proposal to any server, unless they have prior knowledge that the server cannot respond to a TLS 1.2 client_hello message."

I would delete ", unless ...". This does not align with MUST NOT negotiate 1.1.


-  "When using RSA, servers SHOULD authenticate using certificates with at least a 2048-bit modulus for the public key."

This needs to be "MUST" to align with "MUST NOT negotiate cipher suites offering less than 112 bits of security".


- The document should talk about the need to start phasing out RSA-2048 and 2048-bit DH keys, which both give 112-bit security. BSI requires that RSA-2048 be disabled by January 2023. CA Browser forum has already forbidden RSA-2048 for use with code signing.


- 7.1. The document should make it clear that without Host Name Validation there is typically no authentication. The TLS handshake only provides proof-of-possession of the private key and transfers certificates so that the application can do authentication.


Cheers,
John

From: Uta <uta-bounces@ietf.org> on behalf of internet-drafts@ietf.org <internet-drafts@ietf.org>
Date: Thursday, 26 May 2022 at 23:22
To: i-d-announce@ietf.org <i-d-announce@ietf.org>
Cc: uta@ietf.org <uta@ietf.org>
Subject: [Uta] I-D Action: draft-ietf-uta-rfc7525bis-07.txt

A New Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the Using TLS in Applications WG of the IETF.

        Title           : Recommendations for Secure Use of Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS)
        Authors         : Yaron Sheffer
                          Peter Saint-Andre
                          Thomas Fossati
        Filename        : draft-ietf-uta-rfc7525bis-07.txt
        Pages           : 39
        Date            : 2022-05-26

Abstract:
   Transport Layer Security (TLS) and Datagram Transport Layer Security
   (DTLS) are widely used to protect data exchanged over application
   protocols such as HTTP, SMTP, IMAP, POP, SIP, and XMPP.  Over the
   years, the industry has witnessed several serious attacks on TLS and
   DTLS, including attacks on the most commonly used cipher suites and
   their modes of operation.  This document provides the latest
   recommendations for ensuring the security of deployed services that
   use TLS and DTLS.  These recommendations are applicable to the
   majority of use cases.

   An earlier version of this document was published as RFC 7525 when
   the industry was in the midst of its transition to TLS 1.2.  Years
   later this transition is largely complete and TLS 1.3 is widely
   available.  This document updates the guidance given the new
   environment and obsoletes RFC 7525.  In addition, the document
   updates RFC 5288 and RFC 6066 in view of recent attacks.


The IETF datatracker status page for this draft is:
https://datatracker.ietf.org/doc/draft-ietf-uta-rfc7525bis/

There is also an HTML version available at:
https://www.ietf.org/archive/id/draft-ietf-uta-rfc7525bis-07.html

A diff from the previous version is available at:
https://www.ietf.org/rfcdiff?url2=draft-ietf-uta-rfc7525bis-07


Internet-Drafts are also available by rsync at rsync.ietf.org::internet-drafts


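An added example, not part of this thread or of the draft: three of the review points above (the AEAD-only suggestion for Section 4.1, the first-proposal suite, and the 2048-bit RSA floor) expressed as checks over IANA cipher suite names and an RSA modulus. The function names, the sample offer and the sample moduli are constructed for illustration.

```python
# Added example: checks drawn from the review comments in this thread.
PREFERRED_FIRST = "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"  # suite quoted in the thread
MIN_RSA_BITS = 2048                                        # floor quoted in the thread
AEAD_MARKERS = ("_GCM", "_CCM", "CHACHA20_POLY1305")       # AEAD modes in IANA names


def is_aead(suite):
    """True if the IANA suite name denotes an AEAD cipher.

    TLS 1.2 names are TLS_<kex>_WITH_<cipher>[_<hash>]; TLS 1.3 names have no
    _WITH_ part, so the whole name is treated as the cipher description.
    """
    cipher = suite.split("_WITH_", 1)[-1]
    return any(marker in cipher for marker in AEAD_MARKERS)


def audit_client_offer(suites):
    """Return (subject, finding) pairs for an ordered client cipher suite offer."""
    findings = []
    if not suites or suites[0] != PREFERRED_FIRST:
        findings.append(("offer", "first proposal is not " + PREFERRED_FIRST))
    for suite in suites:
        if not is_aead(suite):
            findings.append((suite, "non-AEAD cipher suite"))
    return findings


def rsa_modulus_ok(modulus):
    """True if the RSA modulus (an integer) is at least MIN_RSA_BITS long."""
    return modulus.bit_length() >= MIN_RSA_BITS


# Constructed sample inputs (hypothetical, not taken from any real deployment).
CONSTRUCTED_OFFER = [
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8",
]
# Integers of the right bit length only; they are not real RSA moduli.
CONSTRUCTED_MODULI = {"rsa-1024": (1 << 1023) | 1, "rsa-2048": (1 << 2047) | 1}

if __name__ == "__main__":
    for subject, finding in audit_client_offer(CONSTRUCTED_OFFER):
        print(f"{subject}: {finding}")
    for label, n in CONSTRUCTED_MODULI.items():
        print(f"{label}: {'ok' if rsa_modulus_ok(n) else 'modulus too short'}")
```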