IETF Logo Mail Archive

Re: [Uta] Reviews requested - draft-ietf-uta-ciphersuites-in-sec-syslog

Chris Lonvick <lonvick.ietf@gmail.com> Wed, 20 September 2023 15:56 UTC

Return-Path: <lonvick.ietf@gmail.com>
X-Original-To: uta@ietfa.amsl.com
Delivered-To: uta@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F00AAC151061 for <uta@ietfa.amsl.com>; Wed, 20 Sep 2023 08:56:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.105
X-Spam-Level:
X-Spam-Status: No, score=-7.105 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id HKcXoOFPXZd0 for <uta@ietfa.amsl.com>; Wed, 20 Sep 2023 08:56:12 -0700 (PDT)
Received: from mail-ej1-x62b.google.com (mail-ej1-x62b.google.com [IPv6:2a00:1450:4864:20::62b]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5AC56C14CE51 for <uta@ietf.org>; Wed, 20 Sep 2023 08:56:12 -0700 (PDT)
Received: by mail-ej1-x62b.google.com with SMTP id a640c23a62f3a-9ad8a822508so902222166b.0 for <uta@ietf.org>; Wed, 20 Sep 2023 08:56:12 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1695225371; x=1695830171; darn=ietf.org; h=to:subject:message-id:date:from:in-reply-to:references:mime-version :from:to:cc:subject:date:message-id:reply-to; bh=fPLVBUnVIsxiRHSsS3dH/0tSJkm5Tm7jo6nNCNWD/lg=; b=VDWEN6gNBZgf9+G9yoDY9jH9hPFGSUm0koUcqQ81GwB3bV2CSJ1fWlQrGH6GylEf3U UJhxfFqqz7AJOTaCvIsFBRjRa1PeeRXjD9rlP/vqAuySn6HkihXfxZ2z0gM0MZaMi6Nf CRQHaMR1Szvuq4UMolRXdSmwJEut0gp4vvvSng4eHs/QfMLKsr8cjwn90jrUgZ83J9oC VruKYuWpbsKe7jYgFtSh9lHZCUVOY8YRY8V6hAjvOwmka55d6vjmeC4cY86MMa6RpSIW kjQK/+v5QP/iewDdCCwx0pJkhk04k6Wib2JW9+3KOBe+sqZhmzLGUY5l/R40suy01ztm BgBQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1695225371; x=1695830171; h=to:subject:message-id:date:from:in-reply-to:references:mime-version :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=fPLVBUnVIsxiRHSsS3dH/0tSJkm5Tm7jo6nNCNWD/lg=; b=ZCamsTEQDL4zlLwJWDTJRQ3u1U+1vMq9PlfW4FkslG9uk2KVTSYL+P0jjCOBoFYoWY yemmaJBqO6BBZJzAxWG6Ndg90SDO12oIQtp/oL4Yh7brx6zSiDK80QbD78ZTFlcUfPkW NBkUHjgH8wu7ODCe1cNmVtTB1YrTLDOcV4kCAeN52jpv/FQwx/vLxkg/R9Kl50kcIl+q 4PaOkQtCKvZVH9eLrAISV0bn2O8lUTxoFfngbHtgFx4osmmO5aOjAD5t664ZlSKS6Ht/ 4jkSfkuQi49wibXDeaHZgXtsiRwiANIC8+5SfmUTCPmlHyHqAzJpPcywkYNg/vaxpn4B cNvg==
X-Gm-Message-State: AOJu0YxqX6iacizA+lm2NdYpau1Y5XnbQ0pue82XFbYEVzrmoDctZyFP 9QIeLypOQWEJxwikJFrMNEIh+xY/mAs071pJ6V67/VHn
X-Google-Smtp-Source: AGHT+IGr9t6hWbj1vVp8xoPLx54B0p0aAo01Gt+z78zx2ZPHR/40JRRmGKXUkHlUwjjE4WqzwrtCN30FalvF403/jmk=
X-Received: by 2002:a17:906:3158:b0:9a1:c44d:7056 with SMTP id e24-20020a170906315800b009a1c44d7056mr2751416eje.26.1695225370571; Wed, 20 Sep 2023 08:56:10 -0700 (PDT)
MIME-Version: 1.0
References: <CADPQ2UH81rQSbLhfZMCm9o_KZysWXpBhESS7Bv53XRL=ifUSaA@mail.gmail.com> <ZPC0qrEEdwsFeQBt@straasha.imrryr.org> <CADPQ2UEjj-xCkeVwF0P1uwgGxzc++8knmTQpc3fDBzdhxxBE-Q@mail.gmail.com> <ZQenRxD6q0MfQ007@straasha.imrryr.org> <CADPQ2UH05fLLokq1a=W25sNNU2WmG1JRH_7ymNDruVrEeKo_mw@mail.gmail.com> <ZQnOyC5EXX8We50T@straasha.imrryr.org>
In-Reply-To: <ZQnOyC5EXX8We50T@straasha.imrryr.org>
From: Chris Lonvick <lonvick.ietf@gmail.com>
Date: Wed, 20 Sep 2023 11:55:58 -0400
Message-ID: <CADPQ2UGdNfZhFmBzBatGz-fBjx=QVpxPebLU2izFe_opS6jxvw@mail.gmail.com>
To: uta@ietf.org
Content-Type: multipart/alternative; boundary="00000000000006f9bb0605cc6afc"
Archived-At: <https://mailarchive.ietf.org/arch/msg/uta/WaA75R04UvmA4_ws-4MuSO8GrC0>
Subject: Re: [Uta] Reviews requested - draft-ietf-uta-ciphersuites-in-sec-syslog
X-BeenThere: uta@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: UTA working group mailing list <uta.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/uta>, <mailto:uta-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/uta/>
List-Post: <mailto:uta@ietf.org>
List-Help: <mailto:uta-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/uta>, <mailto:uta-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 20 Sep 2023 15:56:13 -0000

Hi Viktor,

That works for me. I'll wait for the Chairs to ask for a new version before
publishing.

Best regards,
Chris

On Tue, Sep 19, 2023 at 12:39 PM Viktor Dukhovni <ietf-dane@dukhovni.org>
wrote:

> On Tue, Sep 19, 2023 at 07:25:51AM -0400, Chris Lonvick wrote:
>
> > I think that the changes to Sections 4 and 5 should be limited to
> > replacing "MUST NOT" with "SHOULD NOT". That will provide clear
> > guidance for implementers.
> >
> > I was then thinking of changing the Security Considerations section to
> the
> > following:
> > ---vvv---
> > 10.  Security Considerations
> >
> >    [BCP195] deprecates an insecure DTLS transport protocol from
> >    [RFC6012] and deprecates insecure cipher suits from [RFC5425] and
> >    [RFC6012].  This document specifies mandatory to implement cipher
> >    suites to those RFCs and the latest version of the DTLS protocol to
> >    [RFC6012].
>
> The above reads a bit clumsy, perhaps something along the lines of:
>
>     OLD: This document specifies mandatory to implement cipher
>          suites to those RFCs and the latest version of the DTLS
>          protocol to [RFC6012].
>
>     NEW: This document updates the mandatory to implement cipher
>          suites to conform with those RFCs and the latest version
>          of the DTLS protocol [RFC6012].
>
> >    The insecure cipher suites SHOULD NOT be offered.  If a device
> >    currently only has an insecure cipher suite, an administrator of the
> >    network should evaluate the conditions and determine if the insecure
> >    cipher suite should be allowed so that syslog messages may continue
> >    to be delivered until the device is updated to have a secure cipher
> >    suite.
> > ---^^^---
> >
> > Please comment and suggest any further edits for WG review.
>
> Module word-smithing, this is generally acceptable.  Prohibition of the
> weaker code points, rather than promotion of their replacements isn't
> [RFC7435] my most preferred approach to improving security, but it'll
> have to do when consensus that raising the ceiling will suffice is not
> within reach.  Thanks for taking my comments into consideration.
>
> --
>     Viktor.
>
> _______________________________________________
> Uta mailing list
> Uta@ietf.org
> https://www.ietf.org/mailman/listinfo/uta
>

v2.23.0 | Report a Bug | By Email