Re: [Uta] [Last-Call] Secdir telechat review of draft-ietf-uta-rfc7525bis-09

Rob Sayre <sayrer@gmail.com> Wed, 13 July 2022 19:18 UTC

References: <165766858084.5251.12485129434316295805@ietfa.amsl.com> <b24e2934-200f-4f80-5261-aa2a977da39b@stpeter.im> <CAChr6Syq+uOTJsvqWuSustq_HdTaXCtDepyCuRWx+jGoEB06Fw@mail.gmail.com>
In-Reply-To: <CAChr6Syq+uOTJsvqWuSustq_HdTaXCtDepyCuRWx+jGoEB06Fw@mail.gmail.com>
From: Rob Sayre <sayrer@gmail.com>
Date: Wed, 13 Jul 2022 12:18:18 -0700
Message-ID: <CAChr6SzkAmbjGK4XOwPkSwssLoG4NW1yG-6b2aFdFr43yF2zwQ@mail.gmail.com>
To: Peter Saint-Andre <stpeter@stpeter.im>
Cc: Benjamin Kaduk <kaduk@mit.edu>, secdir@ietf.org, draft-ietf-uta-rfc7525bis.all@ietf.org, last-call@ietf.org, uta@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/uta/FgdoYO9BvNj6m3ZXsxB70Cth3Ds>
Subject: Re: [Uta] [Last-Call] Secdir telechat review of draft-ietf-uta-rfc7525bis-09

On Wed, Jul 13, 2022 at 11:53 AM Rob Sayre <sayrer@gmail.com> wrote:

> On Wed, Jul 13, 2022 at 11:28 AM Peter Saint-Andre <stpeter@stpeter.im>
> wrote:
>
> I think the bullet-point section, "SSL/TLS Protocol Versions", fails to
> convey the requirements here (I can't even tell what they are).
>
> The section also says
>
> "Even if a TLS implementation defaults to TLS 1.3, as long as it supports
> TLS 1.2 it MUST follow all the recommendations in this document."
>
> That seems to suggest that the section should be reorganized to document
> what must be done if supporting TLS 1.2, and also highlight that it is
> optional.
>

Also, in the realm of opinion rather than correctness: mandating TLS 1.2
support is misguided. Every TLS implementation maintains divided codebases
for 1.2 vs 1.3. No one reads the TLS 1.2 code very closely these days, in
my experience, so the BCP would be mandating support for something people
don't really work on anymore.

I think it would be fine to note that some implementations might not be
able to use TLS 1.3. That is something people should know.

thanks,
Rob
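The requirement quoted in this thread (an implementation may default to TLS 1.3, but any TLS 1.2 code path it keeps must still meet the BCP's recommendations) is easy to satisfy on paper and miss in configuration. The following is an added example, not part of this thread and not code from the draft or any TLS library project: a Python `ssl` client context that negotiates TLS 1.3 when the peer offers it, restricts the TLS 1.2 fallback, and audits itself against a small check list. The cipher policy string, the `LEGACY_SUITE_MARKERS` list and the audit rules are this example's own assumptions about what "the recommendations" mean, not text from the draft.

```python
import ssl

# Assumed cipher policy for the TLS 1.2 code path (this example's choice, not
# quoted from the draft): ephemeral key exchange (forward secrecy) and AEAD only.
# It has no effect on TLS 1.3 suites, which OpenSSL configures separately.
TLS12_CIPHER_POLICY = "ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM"

# Substrings in OpenSSL cipher names that the audit treats as disqualifying
# (assumed list for illustration).
LEGACY_SUITE_MARKERS = ("RC4", "3DES", "DES-CBC", "NULL", "EXP", "MD5")
AEAD_MARKERS = ("GCM", "CHACHA20", "CCM")
FORWARD_SECRET_PREFIXES = ("ECDHE-", "DHE-")


def build_client_context() -> ssl.SSLContext:
    """Client context: TLS 1.3 preferred, TLS 1.2 allowed but restricted."""
    ctx = ssl.create_default_context()  # certificate verification stays on
    # Floor at TLS 1.2: SSLv3, TLS 1.0 and TLS 1.1 are never offered.
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # Ceiling at whatever the library supports, so TLS 1.3 wins when available.
    ctx.maximum_version = ssl.TLSVersion.MAXIMUM_SUPPORTED
    # TLS-level compression off (Python already sets this by default; made explicit).
    ctx.options |= ssl.OP_NO_COMPRESSION
    ctx.set_ciphers(TLS12_CIPHER_POLICY)
    return ctx


def build_legacy_context() -> ssl.SSLContext:
    """The kind of context the audit should reject: every version the library
    can speak, with TLS compression re-enabled. Built only to exercise the audit."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    ctx.options &= ~ssl.OP_NO_COMPRESSION
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list[str]:
    """Return a list of findings; an empty list means the context passed."""
    findings = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append(
            f"minimum_version is {ctx.minimum_version.name}: TLS 1.0/1.1 negotiable"
        )
    if not ctx.options & ssl.OP_NO_COMPRESSION:
        findings.append("TLS compression is not disabled")
    # Only the TLS 1.2 suites are subject to the cipher policy; TLS 1.3 suites
    # are all AEAD with ephemeral key exchange by construction.
    for suite in ctx.get_ciphers():
        if suite["protocol"] != "TLSv1.2":
            continue
        name = suite["name"]
        if any(marker in name for marker in LEGACY_SUITE_MARKERS):
            findings.append(f"legacy TLS 1.2 suite enabled: {name}")
        elif not any(marker in name for marker in AEAD_MARKERS):
            findings.append(f"non-AEAD TLS 1.2 suite enabled: {name}")
        elif not name.startswith(FORWARD_SECRET_PREFIXES):
            findings.append(f"TLS 1.2 suite without forward secrecy: {name}")
    return findings


def tls12_suite_names(ctx: ssl.SSLContext) -> list[str]:
    """Names of the TLS 1.2 suites the context would offer (for reporting)."""
    return [s["name"] for s in ctx.get_ciphers() if s["protocol"] == "TLSv1.2"]


if __name__ == "__main__":
    for label, ctx in (("hardened", build_client_context()),
                       ("legacy", build_legacy_context())):
        print(f"== {label} ==")
        print("TLS 1.2 suites:", ", ".join(tls12_suite_names(ctx)) or "(none)")
        for finding in audit_context(ctx) or ["no findings"]:
            print(" -", finding)
```

Running the module prints the offered TLS 1.2 suites and the audit findings for both contexts. The audit inspects only local configuration; which version a real connection ends up using is reported by `SSLSocket.version()` after the handshake, which is where a deployment that "defaults to TLS 1.3" should confirm that the 1.2 path is the exception rather than the rule.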