[Uta] Fwd: Last Call: <draft-elie-nntp-tls-recommendations-01.txt> (Use of Transport Layer Security (TLS) in the Network News Transfer Protocol (NNTP)) to Proposed Standard
Julien ÉLIE <julien@trigofacile.com> Mon, 28 November 2016 21:39 UTC
Return-Path: <julien@trigofacile.com>
X-Original-To: uta@ietfa.amsl.com
Delivered-To: uta@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2DF01129EA7 for <uta@ietfa.amsl.com>; Mon, 28 Nov 2016 13:39:25 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.401
X-Spam-Level:
X-Spam-Status: No, score=-1.401 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-0.001, RCVD_IN_SORBS_SPAM=0.5] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id r91bQvdmPQ1m for <uta@ietfa.amsl.com>; Mon, 28 Nov 2016 13:39:23 -0800 (PST)
Received: from smtp.smtpout.orange.fr (smtp01.smtpout.orange.fr [80.12.242.123]) (using TLSv1 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D2E7D12945D for <uta@ietf.org>; Mon, 28 Nov 2016 13:39:22 -0800 (PST)
Received: from macbook-pro-de-julien-elie.home ([92.170.5.52]) by mwinf5d02 with ME id DZfL1u00M17Lgi403ZfL7z; Mon, 28 Nov 2016 22:39:20 +0100
X-ME-Helo: macbook-pro-de-julien-elie.home
X-ME-Auth: anVsaWVuLmVsaWU0ODdAd2FuYWRvby5mcg==
X-ME-Date: Mon, 28 Nov 2016 22:39:20 +0100
X-ME-IP: 92.170.5.52
References: <148035153084.5510.13278742493736503746.idtracker@ietfa.amsl.com>
To: uta@ietf.org
From: Julien ÉLIE <julien@trigofacile.com>
Organization: TrigoFACILE -- http://www.trigofacile.com/
X-Forwarded-Message-Id: <148035153084.5510.13278742493736503746.idtracker@ietfa.amsl.com>
Message-ID: <7dc9554d-e8b6-4b8a-e161-425767065ce5@trigofacile.com>
Date: Mon, 28 Nov 2016 22:39:20 +0100
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:45.0) Gecko/20100101 Thunderbird/45.5.0
MIME-Version: 1.0
In-Reply-To: <148035153084.5510.13278742493736503746.idtracker@ietfa.amsl.com>
Content-Type: text/plain; charset="windows-1252"; format="flowed"
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/uta/YL151B2MQZXW23iSpQrUHcbpY70>
Subject: [Uta] Fwd: Last Call: <draft-elie-nntp-tls-recommendations-01.txt> (Use of Transport Layer Security (TLS) in the Network News Transfer Protocol (NNTP)) to Proposed Standard
X-BeenThere: uta@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: UTA working group mailing list <uta.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/uta>, <mailto:uta-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/uta/>
List-Post: <mailto:uta@ietf.org>
List-Help: <mailto:uta-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/uta>, <mailto:uta-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 28 Nov 2016 21:39:25 -0000
Hi all, Last year, we spoke about a possible refresh of RFC 4642 (TLS with NNTP) to be consistent with the latest published RFCs about TLS, notably UTA BCP 195. I based my work on RFC 7590 (TLS with XMPP). In case you have any comments about the following document, that is now in Last Call stage, please tell. https://tools.ietf.org/html/draft-elie-nntp-tls-recommendations-01 Thanks beforehand for your review! I have especially two questions for UTA (Appendix E): 1/ Should the following paragraph in Section 2.2.2 of [RFC4642] remain as-is or should it be modernized with another wording? (And which one? or is it already done by the reference to [RFC7525]?) > Quoting [RFC4642]: Servers MUST be able to understand backwards-compatible TLS Client Hello messages (provided that client_version is TLS 1.0 or later), and clients MAY use backwards-compatible Client Hello messages. Neither clients nor servers are required to actually support Client Hello messages for anything other than TLS 1.0. However, the TLS extension for Server Name Indication ("server_name") [TLS-EXT] SHOULD be implemented by all clients; it also SHOULD be implemented by any server implementing STARTTLS that is known by multiple names. (Otherwise, it is not possible for a server with several hostnames to present the correct certificate to the client.) 2/ Should the paragraphs in Section 5 of [RFC4642] dealing with how the client checks the server hostname and the binding between the identity of servers and the public keys presented be modernized? (Obsolete them in favour of [RFC6125] for instance? or maybe [RFC7525] is enough as it also points to [RFC6125]) > Quoting [RFC4642]: During the TLS negotiation, the client MUST check its understanding of the server hostname against the server's identity as presented in the server Certificate message, in order to prevent man-in-the-middle attacks. Matching is performed according to these rules: - The client MUST use the server hostname it used to open the connection (or the hostname specified in TLS "server_name" extension [TLS-EXT]) as the value to compare against the server name as expressed in the server certificate. The client MUST NOT use any form of the server hostname derived from an insecure remote source (e.g., insecure DNS lookup). CNAME canonicalization is not done. - If a subjectAltName extension of type dNSName is present in the certificate, it SHOULD be used as the source of the server's identity. - Matching is case-insensitive. - A "*" wildcard character MAY be used as the left-most name component in the certificate. For example, *.example.com would match a.example.com, foo.example.com, etc., but would not match example.com. - If the certificate contains multiple names (e.g., more than one dNSName field), then a match with any one of the fields is considered acceptable. If the match fails, the client SHOULD either ask for explicit user confirmation or terminate the connection with a QUIT command and indicate the server's identity is suspect. Additionally, clients MUST verify the binding between the identity of the servers to which they connect and the public keys presented by those servers. Clients SHOULD implement the algorithm in Section 6 of [PKI-CERT] for general certificate validation, but MAY supplement that algorithm with other validation methods that achieve equivalent levels of verification (such as comparing the server certificate against a local store of already-verified certificates and identity bindings). -- Julien ÉLIE « Ça n'a été qu'un coup de glaive dans l'eau. » (Astérix) -------- Message transféré -------- Sujet : Last Call: <draft-elie-nntp-tls-recommendations-01.txt> (Use of Transport Layer Security (TLS) in the Network News Transfer Protocol (NNTP)) to Proposed Standard Date : Mon, 28 Nov 2016 08:45:30 -0800 De : The IESG Pour : IETF-Announce The IESG has received a request from an individual submitter to consider the following document: - 'Use of Transport Layer Security (TLS) in the Network News Transfer Protocol (NNTP)' <draft-elie-nntp-tls-recommendations-01.txt> as Proposed Standard The IESG plans to make a decision in the next few weeks, and solicits final comments on this action. Please send substantive comments to the ietf@ietf.org mailing lists by 2016-12-26. Exceptionally, comments may be sent to iesg@ietf.org instead. In either case, please retain the beginning of the Subject line to allow automated sorting. Abstract This document provides recommendations for improving the security of the Network News Transfer Protocol (NNTP) when using Transport Layer Security (TLS). It modernizes the NNTP usage of TLS to be consistent with TLS best current practices. If approved, this document updates RFC 4642. The file can be obtained via https://datatracker.ietf.org/doc/draft-elie-nntp-tls-recommendations/ IESG discussion can be tracked via https://datatracker.ietf.org/doc/draft-elie-nntp-tls-recommendations/ballot/ No IPR declarations have been submitted directly on this I-D.
- [Uta] Fwd: Last Call: <draft-elie-nntp-tls-recomm… Julien ÉLIE
- Re: [Uta] Fwd: Last Call: <draft-elie-nntp-tls-re… Julien ÉLIE