IETF Logo Mail Archive

Re: [Uta] Robert Wilton's Discuss on draft-ietf-uta-rfc7525bis-09: (with DISCUSS and COMMENT)

Peter Saint-Andre <stpeter@stpeter.im> Tue, 19 July 2022 17:05 UTC

Return-Path: <stpeter@stpeter.im>
X-Original-To: uta@ietfa.amsl.com
Delivered-To: uta@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0CAEAC14F746; Tue, 19 Jul 2022 10:05:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.811
X-Spam-Level:
X-Spam-Status: No, score=-2.811 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, NICE_REPLY_A=-0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=stpeter.im header.b=hjWuCgfN; dkim=pass (2048-bit key) header.d=messagingengine.com header.b=15NWRZuV
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id R6lmJuS92rfG; Tue, 19 Jul 2022 10:05:07 -0700 (PDT)
Received: from wout3-smtp.messagingengine.com (wout3-smtp.messagingengine.com [64.147.123.19]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 39F4BC14F722; Tue, 19 Jul 2022 10:05:06 -0700 (PDT)
Received: from compute1.internal (compute1.nyi.internal [10.202.2.41]) by mailout.west.internal (Postfix) with ESMTP id 77E193200A4A; Tue, 19 Jul 2022 13:05:04 -0400 (EDT)
Received: from mailfrontend2 ([10.202.2.163]) by compute1.internal (MEProxy); Tue, 19 Jul 2022 13:05:05 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=stpeter.im; h=cc :cc:content-transfer-encoding:content-type:date:date:from:from :in-reply-to:in-reply-to:message-id:mime-version:references :reply-to:sender:subject:subject:to:to; s=fm1; t=1658250302; x= 1658336702; bh=Ytxj6uHjdH3ezPLWOmwML7befKm5QqcmNuMU/40bFnE=; b=h jWuCgfNiAEzFZQeerhTPOzQ4BkQfIxLwa5YndpvcT/kfB4HIvdzdZKD3zpY5BOSG lX1WludQH/VNOQy2ma8r74oXrmg8dJc9y4pamSZYKeKtYvThZzkoX8zwpWAOx+qz UKzjHrb78fSGdl4kHacTQ2qm+Qx8tmOh7wXdVKdpOuxzF/QMzuvAV8jjgnDqIKes SZi68MFT6bG60v+GZB81BnnTR9qm6MZ1sb569xM7pMmhsuFVqd9FJskyixEjRMjx KWp/p15ppa2FQSYJdW8rccIgR5GX5Z/9b2LOghgUW4QUsJ1k0J4QcrqejoqKGYpR onHom4vekYYNfXmK/8SkA==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:cc:content-transfer-encoding :content-type:date:date:feedback-id:feedback-id:from:from :in-reply-to:in-reply-to:message-id:mime-version:references :reply-to:sender:subject:subject:to:to:x-me-proxy:x-me-proxy :x-me-sender:x-me-sender:x-sasl-enc; s=fm3; t=1658250302; x= 1658336702; bh=Ytxj6uHjdH3ezPLWOmwML7befKm5QqcmNuMU/40bFnE=; b=1 5NWRZuVQBa05Kph9mNNRBCj3LyPy1GAVdQRK5bvZyewJQzJMuwOovZYOsnTlpTnc ovRaLtZmWqrJKbYXXRTesfi5OPDEYz7BIeomNRutyvd8IMEbb5VzF43L03DEsXqY OJEA2QkBxwrf286oZ0U+IiaWSOw9bHW3xq3oLGuvdpZpvzelfeZ2bHP4zQjkOjLN X4XXKszVR9qP97+XVS6/A8KTE+P8goyhu59IQvZVEzAtH6gWs5vgThk08+1ExJSr +pOHih16Nb+jA+6nrPIlc1Bvk/FYvW6EMqrJTEfAKxtEU5zw6Df37L89MoxCjnxr 6cLBB5PweKEzFScA9EjOw==
X-ME-Sender: <xms:PuTWYuJ3iQDdEp501vb-qhhL75gz1x9VbiKaCs-c7xqxCSshMQ2emQ> <xme:PuTWYmIzi4T4fiyslsK-Y_Y-9k2_E5AfYU0ZCGDhrEaUMRpq2QJkTgQBKN0nqbB3b OSdhpe3TLnyLlB8Sw>
X-ME-Received: <xmr:PuTWYutEJ9HChAEbEP4Tl9BrKaryIyjRTEL8Mv2gRPCTpn-SUb3OpC0KRPu5LMCP>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedvfedrudeltddguddtjecutefuodetggdotefrod ftvfcurfhrohhfihhlvgemucfhrghsthforghilhdpqfgfvfdpuffrtefokffrpgfnqfgh necuuegrihhlohhuthemuceftddtnecusecvtfgvtghiphhivghnthhsucdlqddutddtmd enucfjughrpefkffggfgfhvfevfhfujggtgfesthejredttdefjeenucfhrhhomheprfgv thgvrhcuufgrihhnthdqtehnughrvgcuoehsthhpvghtvghrsehsthhpvghtvghrrdhimh eqnecuggftrfgrthhtvghrnhepgfevteevtddvhfeuveevteduffetheehvdeltdejhffg veduvdevkeegkedttedtnecuffhomhgrihhnpehgihhthhhusgdrtghomhenucevlhhush htvghrufhiiigvpedtnecurfgrrhgrmhepmhgrihhlfhhrohhmpehsthhpvghtvghrsehs thhpvghtvghrrdhimh
X-ME-Proxy: <xmx:PuTWYjbmKu0p9vU1NqLQtiOrzDz4MSjndDCDo0Wr39Ta7mlcnufSfA> <xmx:PuTWYlZNJNCDPMcHNq-BNgWtZaPBUG17MYaEcl59h-JFc_sQgMgH3Q> <xmx:PuTWYvDNHp1AX8UgvN6UBj6aiYdzcz38FrepIyvR1GIj6413OBVTAg> <xmx:PuTWYoxhqWU3giGbl4__qV5kMGtKyYdRtF5d8RC4jZGzFsl3y46D-g>
Feedback-ID: i24394279:Fastmail
Received: by mail.messagingengine.com (Postfix) with ESMTPA; Tue, 19 Jul 2022 13:05:01 -0400 (EDT)
Message-ID: <f4ee190b-5cf1-a1f2-ea1e-8e56a442b7a7@stpeter.im>
Date: Tue, 19 Jul 2022 11:05:00 -0600
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:91.0) Gecko/20100101 Thunderbird/91.11.0
Content-Language: en-US
From: Peter Saint-Andre <stpeter@stpeter.im>
To: "Rob Wilton (rwilton)" <rwilton@cisco.com>, The IESG <iesg@ietf.org>
Cc: "draft-ietf-uta-rfc7525bis@ietf.org" <draft-ietf-uta-rfc7525bis@ietf.org>, "uta-chairs@ietf.org" <uta-chairs@ietf.org>, "uta@ietf.org" <uta@ietf.org>, "leifj@sunet.se" <leifj@sunet.se>
References: <165779144446.10023.16857085823147739769@ietfa.amsl.com> <799e5773-9fa4-b06a-38d1-138c43c5cfd9@stpeter.im> <73b662b2-5aba-0b32-12cd-80ffa5cd1fd5@stpeter.im> <MN2PR11MB42073D7A0863D0C3B0100479B58F9@MN2PR11MB4207.namprd11.prod.outlook.com> <7209f5c7-c94b-90e8-c389-db541dce0513@stpeter.im> <BY5PR11MB419644778D6884C0B22F56CDB58F9@BY5PR11MB4196.namprd11.prod.outlook.com> <6c2da094-3f7b-bbbc-df4d-c21a8c2ad168@stpeter.im> <BY5PR11MB419659962F8E4630D709E00AB58F9@BY5PR11MB4196.namprd11.prod.outlook.com> <6bda19c2-edf7-80ac-c0a1-964e892ee464@stpeter.im>
In-Reply-To: <6bda19c2-edf7-80ac-c0a1-964e892ee464@stpeter.im>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/uta/OHMSxRRf7McVZEjkGqW0AAKRNSk>
Subject: Re: [Uta] Robert Wilton's Discuss on draft-ietf-uta-rfc7525bis-09: (with DISCUSS and COMMENT)
X-BeenThere: uta@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: UTA working group mailing list <uta.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/uta>, <mailto:uta-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/uta/>
List-Post: <mailto:uta@ietf.org>
List-Help: <mailto:uta-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/uta>, <mailto:uta-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 19 Jul 2022 17:05:12 -0000

On 7/19/22 10:44 AM, Peter Saint-Andre wrote:
> One more small note below...
> 
> On 7/19/22 10:30 AM, Rob Wilton (rwilton) wrote:
> 
> <snip/>
> 
>> You may want to consider whether it is worth making it clearer, either 
>> in the titles or the first intro paragraph, in section of 3.1.1/3.1.2 
>> that the protocol version requirements are specifically about 
>> implementations, and deployments are allowed/encouraged to restrict 
>> deployments to later TLS versions where reasonable/appropriate.  
>> Otherwise, I suspect that readers may well have both implementations 
>> and deployments in their head when they read this section.
> 
> Good point. I'll look at the entire document again from this perspective 
> and see where we might add some clarifying text.

I found a good place for some amplifying text, at the end of the 
following paragraph in the introduction.

OLD

    These are minimum recommendations for the use of TLS in the vast
    majority of implementation and deployment scenarios, with the
    exception of unauthenticated TLS (see Section 5).  Other
    specifications that reference this document can have stricter
    requirements related to one or more aspects of the protocol, based on
    their particular circumstances (e.g., for use with a particular
    application protocol); when that is the case, implementers are
    advised to adhere to those stricter requirements.  Furthermore, this
    document provides a floor, not a ceiling, so stronger options are
    always allowed (e.g., depending on differing evaluations of the
    importance of cryptographic strength vs. computational load).

NEW

    These are minimum recommendations for the use of TLS in the vast
    majority of implementation and deployment scenarios, with the
    exception of unauthenticated TLS (see Section 5). Other
    specifications that reference this document can have stricter
    requirements related to one or more aspects of the protocol, based on
    their particular circumstances (e.g., for use with a particular
    application protocol); when that is the case, implementers are
    advised to adhere to those stricter requirements. Furthermore, this
    document provides a floor, not a ceiling: where feasible,
    administrators of services are encouraged to go beyond the minimum
    support available in implementations to provide the strongest
    security possible. For example, based on knowledge about the deployed
    base for an existing application protocol and a cost-benefit analysis
    regarding cryptographic strength vs. computational load, a given
    service provider might decide to disable TLS 1.2 entirely and offer
    only TLS 1.3.

See https://github.com/yaronf/I-D/pull/469/files

Peter

v2.23.0 | Report a Bug | By Email