Re: [Uta] Reviews requested - draft-ietf-uta-ciphersuites-in-sec-syslog
Chris Lonvick <lonvick.ietf@gmail.com> Wed, 20 September 2023 15:56 UTC
From: Chris Lonvick <lonvick.ietf@gmail.com>
Date: Wed, 20 Sep 2023 11:55:58 -0400
Message-ID: <CADPQ2UGdNfZhFmBzBatGz-fBjx=QVpxPebLU2izFe_opS6jxvw@mail.gmail.com>
To: uta@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/uta/WaA75R04UvmA4_ws-4MuSO8GrC0>

Hi Viktor,

That works for me. I'll wait for the Chairs to ask for a new version before publishing.

Best regards,
Chris

On Tue, Sep 19, 2023 at 12:39 PM Viktor Dukhovni <ietf-dane@dukhovni.org> wrote:
> On Tue, Sep 19, 2023 at 07:25:51AM -0400, Chris Lonvick wrote:
>
> > I think that the changes to Sections 4 and 5 should be limited to
> > replacing "MUST NOT" with "SHOULD NOT". That will provide clear
> > guidance for implementers.
> >
> > I was then thinking of changing the Security Considerations section to the
> > following:
> > ---vvv---
> > 10. Security Considerations
> >
> > [BCP195] deprecates an insecure DTLS transport protocol from
> > [RFC6012] and deprecates insecure cipher suites from [RFC5425] and
> > [RFC6012]. This document specifies mandatory to implement cipher
> > suites to those RFCs and the latest version of the DTLS protocol to
> > [RFC6012].
>
> The above reads a bit clumsy, perhaps something along the lines of:
>
> OLD: This document specifies mandatory to implement cipher
> suites to those RFCs and the latest version of the DTLS
> protocol to [RFC6012].
>
> NEW: This document updates the mandatory to implement cipher
> suites to conform with those RFCs and the latest version
> of the DTLS protocol [RFC6012].
>
> > The insecure cipher suites SHOULD NOT be offered. If a device
> > currently only has an insecure cipher suite, an administrator of the
> > network should evaluate the conditions and determine if the insecure
> > cipher suite should be allowed so that syslog messages may continue
> > to be delivered until the device is updated to have a secure cipher
> > suite.
> > ---^^^---
> >
> > Please comment and suggest any further edits for WG review.
>
> Modulo word-smithing, this is generally acceptable. Prohibition of the
> weaker code points, rather than promotion of their replacements isn't
> [RFC7435] my most preferred approach to improving security, but it'll
> have to do when consensus that raising the ceiling will suffice is not
> within reach. Thanks for taking my comments into consideration.
>
> --
> Viktor.