Re: [Uta] Robert Wilton's Discuss on draft-ietf-uta-rfc7525bis-09: (with DISCUSS and COMMENT)

Martin Thomson <mt@lowentropy.net> Fri, 15 July 2022 20:37 UTC

Date: Sat, 16 Jul 2022 06:37:27 +1000
From: Martin Thomson <mt@lowentropy.net>
To: Peter Saint-Andre <stpeter@stpeter.im>, "Rob Wilton (rwilton)" <rwilton@cisco.com>, The IESG <iesg@ietf.org>
Cc: "draft-ietf-uta-rfc7525bis@ietf.org" <draft-ietf-uta-rfc7525bis@ietf.org>, "uta-chairs@ietf.org" <uta-chairs@ietf.org>, "uta@ietf.org" <uta@ietf.org>, "leifj@sunet.se" <leifj@sunet.se>
Archived-At: <https://mailarchive.ietf.org/arch/msg/uta/RRXpOkVkL7OT5ydyhcpt0s7T288>

On Sat, Jul 16, 2022, at 06:01, Peter Saint-Andre wrote:
>> Shouldn’t this be "Implementations MUST support TLS 1.2 {{!RFC5246}} or a later version"?  Otherwise, protocols like QUIC would presumably not be compliant with this BCP if they only support TLS 1.3?  Or alternatively, this could probably be stated as "Implementations MAY support TLS 1.2 {{!RFC5246}}".
>
> The implementations we've always had in mind for this document are 
> TLS/DTLS implementations, not implementations of protocols that re-use 
> TLS/DTLS in whole or in part (e.g. QUIC re-uses the handshake protocol 
> but not the record layer). However, that's not crystal clear in the 
> document because we only recently started mentioning QUIC. I'll talk 
> with my co-authors about this when we next have a chance to meet 
> regarding all the recent feedback.

I think that you are right to be cautious here.  What you want to have happen is interoperability.  If you say 1.2 or later, then there is a risk of some implementations doing 1.2 only and some doing 1.3 only, and then you lose the ability to communicate.

I think that you might benefit from putting QUIC out of scope, except to note that some of the advice is applicable to QUIC insofar as it uses the TLS (1.3) handshake.
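The interoperability gap described in the message above can be checked mechanically. The following is an added example, not code from the thread, the draft, or any TLS implementation: it models the supported_versions negotiation rule of RFC 8446 (the server selects the highest version that both sides support, otherwise the handshake fails) and tests two candidate wordings of the requirement against a constructed set of implementation profiles. The profile names and the two policy functions are assumptions made for the illustration.

```python
"""Check whether a TLS version requirement guarantees interoperability.

Added example for the discussion above; not part of the original thread.
Negotiation follows RFC 8446 section 4.2.1 (supported_versions): the
client offers the versions it supports and the server picks the highest
one it also supports, or the handshake fails.  The policies and the
implementation profiles below are constructed for illustration.
"""
from itertools import product

TLS12 = 0x0303
TLS13 = 0x0304
NAME = {TLS12: "TLS 1.2", TLS13: "TLS 1.3"}


def negotiate(client_versions, server_versions):
    """Return the negotiated version, or None if the handshake would fail.

    Mirrors the supported_versions rule: the server selects the highest
    version present in both lists.
    """
    common = set(client_versions) & set(server_versions)
    return max(common) if common else None


def compliant_or_later(versions):
    """Policy A (assumed reading of "MUST support TLS 1.2 or a later
    version"): any implementation offering some version >= 1.2 complies,
    so a 1.3-only stack is compliant."""
    return any(v >= TLS12 for v in versions)


def compliant_must_12(versions):
    """Policy B ("MUST support TLS 1.2"): compliance requires 1.2 itself,
    so every compliant pair shares at least that version."""
    return TLS12 in versions


# Constructed implementation profiles: the version sets each one supports.
PROFILES = {
    "1.2-only": frozenset({TLS12}),
    "1.3-only": frozenset({TLS13}),
    "1.2+1.3": frozenset({TLS12, TLS13}),
}


def interop_failures(policy):
    """Return (client, server) profile pairs that both satisfy `policy`
    yet cannot complete a handshake with each other."""
    compliant = {name: vs for name, vs in PROFILES.items() if policy(vs)}
    return sorted(
        (c, s)
        for (c, cv), (s, sv) in product(compliant.items(), repeat=2)
        if negotiate(cv, sv) is None
    )


if __name__ == "__main__":
    for label, policy in [("1.2 or later", compliant_or_later),
                          ("MUST 1.2", compliant_must_12)]:
        failures = interop_failures(policy)
        print(f"{label!r}: {len(failures)} compliant pair(s) cannot "
              f"interoperate: {failures}")
```

Under policy A the 1.2-only and 1.3-only profiles are both compliant but never reach a common version, which is the failure mode the message points out; under policy B every compliant pair negotiates at least TLS 1.2. The model says nothing about whether an implementation should still offer 1.2, only about what the wording guarantees.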