IETF Logo Mail Archive

Re: [Uta] Adoption call for draft-sheffer-uta-rfc7525bis-00

Peter Gutmann <pgut001@cs.auckland.ac.nz> Mon, 04 May 2020 01:27 UTC

Return-Path: <pgut001@cs.auckland.ac.nz>
X-Original-To: uta@ietfa.amsl.com
Delivered-To: uta@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 830E53A0AF3 for <uta@ietfa.amsl.com>; Sun, 3 May 2020 18:27:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.997
X-Spam-Level:
X-Spam-Status: No, score=-1.997 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=auckland.ac.nz
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4xiShK5jdZEz for <uta@ietfa.amsl.com>; Sun, 3 May 2020 18:27:40 -0700 (PDT)
Received: from mx4-int.auckland.ac.nz (mx4-int.auckland.ac.nz [130.216.125.246]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2E9813A0AF1 for <uta@ietf.org>; Sun, 3 May 2020 18:27:39 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=auckland.ac.nz; i=@auckland.ac.nz; q=dns/txt; s=mail; t=1588555661; x=1620091661; h=from:to:cc:subject:date:message-id:references: in-reply-to:content-transfer-encoding:mime-version; bh=wLl9HyLi5YU8ToViE6pHv84z2FtSNG7pfRKH7E7i5Aw=; b=BP82WLgHxZzW0F2oCoG4RWQaaCDRqMqSeDhEfMNjQE9mwpa5a514z/WW 2DJwXlHuo2rjr1HohjviJ7wqVhF0YnnO3CRGZDhSW8ReZS5F8LS+cYkvf ID5ACOzQTM9GpF6xY2t7PrdFmVenySZ8AcLcsvY6QgvKiyv7JEOmZ7AUo Jdkm5M0mKF8NU5W0EpWv03OtWrThPxhPvTpVeg9Zhd1Z/CHIfFoxm1Fef aFtoYnrBaU3BnlyL9XvuZkrNXWZyhPGbtjMzI2KObqZmkPmY5tDdBRyCU U7Eohoasiq/qkdQJQ7pHcZ90p5VGrG6AVllqMaL7P2gbxS66psiAhVYu/ g==;
X-IronPort-AV: E=Sophos;i="5.73,350,1583146800"; d="scan'208";a="132110734"
X-Ironport-HAT: MAIL-SERVERS - $RELAYED
X-Ironport-Source: 10.6.2.4 - Outgoing - Outgoing
Received: from uxcn13-ogg-c.uoa.auckland.ac.nz ([10.6.2.4]) by mx4-int.auckland.ac.nz with ESMTP/TLS/AES256-SHA; 04 May 2020 13:27:37 +1200
Received: from uxcn13-ogg-d.UoA.auckland.ac.nz (10.6.2.5) by uxcn13-ogg-c.UoA.auckland.ac.nz (10.6.2.4) with Microsoft SMTP Server (TLS) id 15.0.1497.2; Mon, 4 May 2020 13:27:36 +1200
Received: from uxcn13-ogg-d.UoA.auckland.ac.nz ([10.6.2.5]) by uxcn13-ogg-d.UoA.auckland.ac.nz ([10.6.2.5]) with mapi id 15.00.1497.006; Mon, 4 May 2020 13:27:36 +1200
From: Peter Gutmann <pgut001@cs.auckland.ac.nz>
To: Keith Moore <moore@network-heretics.com>, Eric Rescorla <ekr@rtfm.com>
CC: "uta@ietf.org" <uta@ietf.org>
Thread-Topic: [Uta] Adoption call for draft-sheffer-uta-rfc7525bis-00
Thread-Index: AdYbqruDrxIIwGBeQv2alJRE5Gx0tgDVSlkAACmLaIAAWTWCPQAD50mAAARWu4AAIcsQwQ==
Date: Mon, 04 May 2020 01:27:35 +0000
Message-ID: <1588555658305.4310@cs.auckland.ac.nz>
References: <004801d61bae$08a61590$19f240b0$@smyslov.net> <dfe39508-b37a-f008-91d3-cb36bcb84ae1@network-heretics.com> <CABcZeBP0_Jq1v9j5pDL4Ne_+5CyXuimJq90MLGzNME9zoHh2bw@mail.gmail.com> <1588483587138.67307@cs.auckland.ac.nz> <CABcZeBMne-vyoToMdgbxQZTY2kwT5fdbDDs4i-mhUnmXgtDqLw@mail.gmail.com>, <ad7e40f0-b426-2dcd-9e23-cb54252ca7db@network-heretics.com>
In-Reply-To: <ad7e40f0-b426-2dcd-9e23-cb54252ca7db@network-heretics.com>
Accept-Language: en-NZ, en-GB, en-US
Content-Language: en-NZ
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [130.216.158.4]
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/uta/aI1xiWLP6LjdtMKETzafNnPZisY>
Subject: Re: [Uta] Adoption call for draft-sheffer-uta-rfc7525bis-00
X-BeenThere: uta@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: UTA working group mailing list <uta.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/uta>, <mailto:uta-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/uta/>
List-Post: <mailto:uta@ietf.org>
List-Help: <mailto:uta-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/uta>, <mailto:uta-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 04 May 2020 01:27:42 -0000

Keith Moore <moore@network-heretics.com> writes:

>It can be expensive to upgrade devices in some industrial applications.

For the specific TLS implementation I was referring to in that post, upgrades
have to be scheduled years in advance for each site, and for the next upgrade
round, in 2030, will probably mean replacing the hardware to allow the cost of
a site visit to be amortised.  You do it once and you do it right.

For other implementations it's a bit less problematic, but upgrades still
require a site visit, shutting down major production processes, and spending
possibly several hours updating and re-commissioning each piece of equipment.

>For the smart ones (they're not all smart, of course) this translates into a
>greater emphasis on minimizing complexity, product stability, and getting
>things right the first time.

That's the case in many of the systems I've reviewed, they're designed to have
a downtime of never so you need to do it right.  This is also why they ignore
certs, or at least memcpy() a fixed blob into the right place in the
handshake, they're a means of bundling up a key, not a built-in DoS on the
device.

Peter.

v2.23.0 | Report a Bug | By Email