IETF Logo Mail Archive

Re: [Uta] Robert Wilton's Discuss on draft-ietf-uta-rfc7525bis-09: (with DISCUSS and COMMENT)

Peter Saint-Andre <stpeter@stpeter.im> Mon, 18 July 2022 17:55 UTC

Return-Path: <stpeter@stpeter.im>
X-Original-To: uta@ietfa.amsl.com
Delivered-To: uta@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7740AC13C51E; Mon, 18 Jul 2022 10:55:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.107
X-Spam-Level:
X-Spam-Status: No, score=-2.107 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, NICE_REPLY_A=-0.001, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=stpeter.im header.b=ADc1dv4C; dkim=pass (2048-bit key) header.d=messagingengine.com header.b=BQHcBl2p
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id QoFBXNBbqZR3; Mon, 18 Jul 2022 10:55:37 -0700 (PDT)
Received: from out5-smtp.messagingengine.com (out5-smtp.messagingengine.com [66.111.4.29]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 09A19C157B43; Mon, 18 Jul 2022 10:55:37 -0700 (PDT)
Received: from compute5.internal (compute5.nyi.internal [10.202.2.45]) by mailout.nyi.internal (Postfix) with ESMTP id 52B9F5C0148; Mon, 18 Jul 2022 13:55:36 -0400 (EDT)
Received: from mailfrontend1 ([10.202.2.162]) by compute5.internal (MEProxy); Mon, 18 Jul 2022 13:55:36 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=stpeter.im; h=cc :cc:content-transfer-encoding:content-type:date:date:from:from :in-reply-to:in-reply-to:message-id:mime-version:references :reply-to:sender:subject:subject:to:to; s=fm1; t=1658166936; x= 1658253336; bh=nqGsvOzzDQ8FyTQT9MfSDfq8n6TgL77OF7gf9/L0IvM=; b=A Dc1dv4CdZqFS6p2wMFwHMOLHvoxfILQwB0vFe0EJO1L69UjdSZRAv3bQfcTZDp+1 7bROHUCXuWlsSWRHY5OewbiF53LeowyrsxcCI1U3Z2iZ2NiF+YyY8EzqedfXoEcH E2KLst2lKmEbct4w4C1oTouDUz+8sNv+X7snclT78cW3WksBJXX9YS/yzEf6Quiv IUa50/E8xTc7Ml1aAiC8YrQDBRBDaSZqYFfnyRltcsHJPqsGRkbTm/PesPYepvJj OFXsi+JfF/hminNfGWMB3usim1PfTK3JNzUxmU8ACzFpY1Oy70aNjoi/akyn2c0F DKDVW7chGfMJrncqlLQHQ==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:cc:content-transfer-encoding :content-type:date:date:feedback-id:feedback-id:from:from :in-reply-to:in-reply-to:message-id:mime-version:references :reply-to:sender:subject:subject:to:to:x-me-proxy:x-me-proxy :x-me-sender:x-me-sender:x-sasl-enc; s=fm3; t=1658166936; x= 1658253336; bh=nqGsvOzzDQ8FyTQT9MfSDfq8n6TgL77OF7gf9/L0IvM=; b=B QHcBl2pbilVaVZyNSLyl7/NSOjIM+nRhRP7H4GXFqHF4go+IlPy+KpRc8OeFIJwh gaF+q8eovCCFLxECJEoltI/Yqh5Zc8lpCoJGaH+WHfUdEMRZMijH81/OQKEd8woD m/O+nF7K3nGNmPZe67nTKz3mJfHa/Ai4R9rwaLj2d9me7UdSYv1UXbX//6jaKFuT 3g1MelVrko5o7XHmvtcSHZk7SrnIRnO7s0Ig88umgw1qf9xJwgozn0RkFjY8T/NE MPCIBs71YlUGLZzTl9mdtXQ+c1nqLY0vk//XWYPhTCBwGaMCCayw/to3f+Pk8zAQ 1EbLyccp34qJOmZb1z5qg==
X-ME-Sender: <xms:mJ7VYtqlkMlOuM50c7IqyiIoSuNOn4loJ_CAVJXJYiL0y4xG0gl3ng> <xme:mJ7VYvqVhgDknX-HJNdhgYTHWWXw_4iZyBfcCBQnFS4kuHWE25WfIA1footBchQUP CQOqF0GteqjzN2fSw>
X-ME-Received: <xmr:mJ7VYqPP5CmrUTrbBNcXPNcy-y_qBvgs2ST61HiFC0MFzcoRIZDhlQblM8zhtPcS>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedvfedrudekkedgudduiecutefuodetggdotefrod ftvfcurfhrohhfihhlvgemucfhrghsthforghilhdpqfgfvfdpuffrtefokffrpgfnqfgh necuuegrihhlohhuthemuceftddtnecusecvtfgvtghiphhivghnthhsucdlqddutddtmd enucfjughrpefkffggfgfhvfevfhfujggtgfesthekredttdefjeenucfhrhhomheprfgv thgvrhcuufgrihhnthdqtehnughrvgcuoehsthhpvghtvghrsehsthhpvghtvghrrdhimh eqnecuggftrfgrthhtvghrnheptdeulefgieefgedvieeiveeijeehgfduiedthfffvefg kedtudegleektedvuedvnecuffhomhgrihhnpehivghtfhdrohhrghdpghhithhhuhgsrd gtohhmnecuvehluhhsthgvrhfuihiivgeptdenucfrrghrrghmpehmrghilhhfrhhomhep shhtphgvthgvrhesshhtphgvthgvrhdrihhm
X-ME-Proxy: <xmx:mJ7VYo5GIHJTAjIt1jN-6__8kt_DcY6ARO46xnmVgymmdbOzQhSQQA> <xmx:mJ7VYs5iTQKu3nq4oehiS7_n0GIHES2UVfANq9k6hU6cb588kVYE8w> <xmx:mJ7VYgjChrzBqP6_CWlTHwxlW9fMy8rK6C7MygOFSQo9VJJvm5wiJQ> <xmx:mJ7VYmRSKIolE9ztsIwGUgkUpt37kRGCU1C89ENwdrUnkj5FwCapAA>
Feedback-ID: i24394279:Fastmail
Received: by mail.messagingengine.com (Postfix) with ESMTPA; Mon, 18 Jul 2022 13:55:35 -0400 (EDT)
Message-ID: <73b662b2-5aba-0b32-12cd-80ffa5cd1fd5@stpeter.im>
Date: Mon, 18 Jul 2022 11:55:34 -0600
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:91.0) Gecko/20100101 Thunderbird/91.11.0
Content-Language: en-US
From: Peter Saint-Andre <stpeter@stpeter.im>
To: Robert Wilton <rwilton@cisco.com>, The IESG <iesg@ietf.org>
Cc: draft-ietf-uta-rfc7525bis@ietf.org, uta-chairs@ietf.org, uta@ietf.org, leifj@sunet.se
References: <165779144446.10023.16857085823147739769@ietfa.amsl.com> <799e5773-9fa4-b06a-38d1-138c43c5cfd9@stpeter.im>
In-Reply-To: <799e5773-9fa4-b06a-38d1-138c43c5cfd9@stpeter.im>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/uta/OIo5l4jDI3mBgLPm1E1jXCjVXkA>
Subject: Re: [Uta] Robert Wilton's Discuss on draft-ietf-uta-rfc7525bis-09: (with DISCUSS and COMMENT)
X-BeenThere: uta@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: UTA working group mailing list <uta.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/uta>, <mailto:uta-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/uta/>
List-Post: <mailto:uta@ietf.org>
List-Help: <mailto:uta-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/uta>, <mailto:uta-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 18 Jul 2022 17:55:41 -0000

Hi Rob, I'm circling back to an earlier point in the thread to cover all 
of the issues. (Thomas and I just discussed these topics, but Yaron was 
not able to join our call because of illness.)

On 7/14/22 9:06 AM, Peter Saint-Andre wrote:
> Hi Robert, thanks for the review. Comments inline.
> 
> On 7/14/22 3:37 AM, Robert Wilton via Datatracker wrote:
>> Robert Wilton has entered the following ballot position for
>> draft-ietf-uta-rfc7525bis-09: Discuss
>>
>> When responding, please keep the subject line intact and reply to all
>> email addresses included in the To and CC lines. (Feel free to cut this
>> introductory paragraph, however.)
>>
>>
>> Please refer to 
>> https://www.ietf.org/about/groups/iesg/statements/handling-ballot-positions/ 
>>
>> for more information about how to handle DISCUSS and COMMENT positions.
>>
>>
>> The document, along with other ballot positions, can be found here:
>> https://datatracker.ietf.org/doc/draft-ietf-uta-rfc7525bis/
>>
>>
>>
>> ----------------------------------------------------------------------
>> DISCUSS:
>> ----------------------------------------------------------------------
>>
>> Hi,
>>
>> Thanks for this document, I think that it is a helpful update.  
>> Disclaimer, I'm
>> not a security expert, but I would like to discuss some of the RFC 2119
>> constraints that have been specified please:
>>
>> (1)
>> I find some of the 2119 language to be somewhat contradictory:
>>
>>    *  Implementations MUST NOT negotiate TLS version 1.1 [RFC4346].
>>
>>    *  Implementations MUST support TLS 1.2 [RFC5246] and MUST prefer to
>>       negotiate TLS version 1.2 over earlier versions of TLS.
>>
>> The second sentence implies that a TLS 1.2 is allowed to negotiate 
>> earlier
>> versions of TLS, but a previous statement indicates that this is not 
>> allowed.
>> A similar contradiction appears for DTLS:
>>
>>     *  Implementations MUST NOT negotiate DTLS version 1.0 [RFC4347].
>>
>>     *  Implementations MUST support DTLS 1.2 [RFC6347] and MUST prefer to
>>        negotiate DTLS version 1.2 over earlier versions of DTLS.
> 
> Based on other reviews, I think we already have a fix for this:
> 
> https://github.com/yaronf/I-D/pull/447/files

We've had further discussion about this and related topics, but my take 
is that if, as discussed later in the thread, we carve out QUIC from the 
general recommendations (because it is a special case) then the text in 
that PR should be appropriate for its intended purpose (it does not 
address the wider issue of changing TLS 1.3 to MUST and/or TLS 1.2 to 
SHOULD).

See also (re QUIC):

https://github.com/yaronf/I-D/pull/460

>> (2)
>>             *  New protocol designs that embed TLS mechanisms SHOULD 
>> use only TLS
>>                1.3 and SHOULD NOT use TLS 1.2; for instance, QUIC 
>> [RFC9001]) took
>>                this approach.  As a result, implementations of such 
>> newly-
>>                developed protocols SHOULD support TLS 1.3 only with no
>>                negotiation of earlier versions.
>>
>> Why is this only a SHOULD and not a MUST?  If a new protocol (rather 
>> than an
>> updated version of an existing protocol) was being designed why would 
>> it be
>> reasonable to design it to support TLS 1.2?  If you want to keep these as
>> SHOULD rather than MUSTs then please can the document specify under what
>> circumstances it would be reasonable for a new protocol design to use 
>> TLS 1.2.
> 
> Although personally I'm open to MUST here, I'd like to discuss that with 
> my co-authors (one of whom is offline this week).

Unfortunately Yaron was not able to join our call, but Thomas and I 
discussed it and we think there could be two different cases:

(a) new security-focused protocols such as QUIC

(b) new application protocols (say, for real-time collaboration)

For (a), it definitely makes sense to use TLS 1.3 only (as noted in the 
current text, QUIC uses the TLS handshake protocol with a different 
record layer).

For (b), we see reasons why it might make sense to build on top of both 
TLS 1.2 and TLS 1.3 at the present time: for instance, implementations 
might want to "cast a wide net" in terms of underlying library or 
operating support and thus avoid the significant effort involved in 
building a secure transport protocol such as QUIC. Naturally, this 
advice will probably change in 7525ter a few years from now.

>> (3)
>>                                                             When TLS-only
>>        communication is available for a certain protocol, it MUST be used
>>        by implementations and MUST be configured by administrators.  When
>>        a protocol only supports dynamic upgrade, implementations MUST
>>        provide a strict local policy (a policy that forbids use of
>>        plaintext in the absence of a negotiated TLS channel) and
>>        administrators MUST use this policy.
>>
>> The MUSTs feel too strong here, since there are surely deployments and 
>> streams
>> of data where encryption, whilst beneficial, isn't an absolute 
>> requirement?
>>
>> In addition "MUST be used by implementations and MUST be configured by
>> administrators" also seem to conflict, i.e., if the implementation 
>> must use it
>> then why would an administrator have to enable it?
> 
> I believe this is a duplicate of an issue that other folks have already 
> raised:
> 
> https://github.com/yaronf/I-D/issues/437

At https://github.com/yaronf/I-D/pull/461 I'm proposing the following text:

###

When TLS-only communication is available for a certain protocol, it MUST 
be supported by implementations and MUST be configured by administrators 
in preference to a dynamic upgrade method. When a protocol only supports 
dynamic upgrade, implementations MUST provide a way for administrators 
to set a strict local policy that forbids use of plaintext in the 
absence of a negotiated TLS channel, and administrators MUST use this 
policy.

###

> 
>> (4)
>>     When using RSA, servers MUST authenticate using certificates with at
>>     least a 2048-bit modulus for the public key.  In addition, the use of
>>     the SHA-256 hash algorithm is RECOMMENDED and SHA-1 or MD5 MUST NOT
>>     be used ([RFC9155], and see [CAB-Baseline] for more details).
>>
>> So, for clarity, this would presumably mean that SHA-256 is also 
>> preferred over
>> say SHA-512?  Is that the intention?  Or would it be better if the SHOULD
>> allowed stronger ciphers?
> 
> I think we should probably say "SHA-256 or stronger", but again I'd like 
> to see what my co-authors think.

See separate note by Thomas Fossati.

Peter

v2.23.0 | Report a Bug | By Email