Re: [Uta] Richard Barnes' Discuss on draft-ietf-uta-tls-bcp-09: (with DISCUSS and COMMENT)

Richard Barnes <rlb@ipv.sx> Fri, 20 February 2015 20:58 UTC

Return-Path: <rlb@ipv.sx>
X-Original-To: uta@ietfa.amsl.com
Delivered-To: uta@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 25C781A879F for <uta@ietfa.amsl.com>; Fri, 20 Feb 2015 12:58:04 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.977
X-Spam-Level:
X-Spam-Status: No, score=-1.977 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZvEf-OoX0LbD for <uta@ietfa.amsl.com>; Fri, 20 Feb 2015 12:58:01 -0800 (PST)
Received: from mail-lb0-f180.google.com (mail-lb0-f180.google.com [209.85.217.180]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D69A31A8799 for <uta@ietf.org>; Fri, 20 Feb 2015 12:58:00 -0800 (PST)
Received: by lbjf15 with SMTP id f15so8583358lbj.13 for <uta@ietf.org>; Fri, 20 Feb 2015 12:57:59 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=n2z+ssGuUAgkK2s5rtJzF/g07mPa5uO+iOztSemaOcs=; b=LAB4n20ugXDpB7Oq6kl48KyTC5NwipbYVgc+foDMPq1dyyOqdJoy3FawTxyMvP3hPj NNWNGAfm4Xv1P23yDxweF6+AZkSKbCqn1V7by2nK+zoMeUFYxmClN8Su2CvGauundFx1 DFwfCuDi8dPMeWKZ571UjoskxsbnEro/YeIeLHF/oU1k+qnKLyK4+htqwznTCa0W4t3h n7e/SG0yCE0ZCdw0kNCIeS3oXOW/8srfF4PSSj4+CF51hOzkqZw0q9JoRzoRZSqaAqxt QxNf8exEnUlHr6DuQ3HIa2fJbKphkiipo4RcOYneRfrvic/H51nY0t814JV/1LQdqwHr ZWtA==
X-Gm-Message-State: ALoCoQltzpWmVPhvTbKdGAnzf5rLBJpZoKSOhhO6XkJnpnMi5NYWwFjZ3JU9SCEKgNfCB8MRh+q9
MIME-Version: 1.0
X-Received: by 10.112.26.165 with SMTP id m5mr10081099lbg.61.1424465879366; Fri, 20 Feb 2015 12:57:59 -0800 (PST)
Received: by 10.25.135.4 with HTTP; Fri, 20 Feb 2015 12:57:59 -0800 (PST)
In-Reply-To: <54E79C0A.1070801@andyet.net>
References: <20150219033433.10815.25308.idtracker@ietfa.amsl.com> <54E56454.7080307@andyet.net> <CAL02cgS+h2jkOChJkoCy7gHvFQEe22SRRAg5om00ZpiHCOi_2g@mail.gmail.com> <54E5B84C.9040400@cs.tcd.ie> <CAL02cgSem5aW+mhPED3C_5NTfA4YRhr5FSUD3+NnTE_t-8y6Gg@mail.gmail.com> <20150220042718.GR1260@mournblade.imrryr.org> <CA+K9O5QvmBDPhE1GNbnb+OqfWd3C+2Hyp=X2OCJWjpXFK9npNw@mail.gmail.com> <54E747EC.2020905@andyet.net> <CAL02cgR5C_ZQRVGKLCvWh9svqkv6q3DvkvieF7SksywinXeyEQ@mail.gmail.com> <54E7873A.9060301@cs.tcd.ie> <CAL02cgQ6FuRHt7o2f94jDDEQOFqzh_PCn_VHuFJY1q-sEaDTbg@mail.gmail.com> <54E7976B.7090604@qti.qualcomm.com> <54E79C0A.1070801@andyet.net>
Date: Fri, 20 Feb 2015 15:57:59 -0500
Message-ID: <CAL02cgQiTZWCNi=s=Sa7mu3K+CmPWkDRepQbsf-BjpaF1qF3VA@mail.gmail.com>
From: Richard Barnes <rlb@ipv.sx>
To: Peter Saint-Andre - &yet <peter@andyet.net>
Content-Type: multipart/alternative; boundary="001a113366d4bc1dc8050f8b4ecb"
Archived-At: <http://mailarchive.ietf.org/arch/msg/uta/ao3pe96YdgEXp0FwYGkKr5nm90U>
Cc: "uta@ietf.org" <uta@ietf.org>, Pete Resnick <presnick@qti.qualcomm.com>, The IESG <iesg@ietf.org>, Ralph Holz <ralph.ietf@gmail.com>, Stephen Farrell <stephen.farrell@cs.tcd.ie>
Subject: Re: [Uta] Richard Barnes' Discuss on draft-ietf-uta-tls-bcp-09: (with DISCUSS and COMMENT)
X-BeenThere: uta@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: UTA working group mailing list <uta.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/uta>, <mailto:uta-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/uta/>
List-Post: <mailto:uta@ietf.org>
List-Help: <mailto:uta-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/uta>, <mailto:uta-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 20 Feb 2015 20:58:04 -0000

SGTM, except your use of "#" confused my mental Markdown parser :)

On Fri, Feb 20, 2015 at 3:41 PM, Peter Saint-Andre - &yet <peter@andyet.net>
wrote:

> On 2/20/15 1:22 PM, Pete Resnick wrote:
>
>> On 2/20/15 1:43 PM, Richard Barnes wrote:
>>
>>>
>>> On Fri, Feb 20, 2015 at 2:12 PM, Stephen Farrell
>>> <stephen.farrell@cs.tcd.ie <mailto:stephen.farrell@cs.tcd.ie>> wrote:
>>>
>>>
>>>          The sense of the UTA Working Group was to complete
>>>>         work on this document about best practices for TLS in
>>>>     general, and to
>>>>         initiate work on a separate document about opportunistic TLS.
>>>>
>>>
>>>     No, I don't believe we've decided that UTA will be the place where
>>>     we develop a BCP on OS. [...]
>>>
>>>     I'd really really hope we disentangle that discussion from this
>>>     draft though, so please replace the last sentence with:
>>>
>>>                   "The sense of the UTA Working Group was to complete
>>>     work on this document about best practices for TLS in general, and to
>>>     for work on a separate BCP document about opportunistic security
>>>     to be done later."
>>>
>>>
>>>
>>> FWIW:
>>> - That text is not mine; it has been in since -07.
>>> - I would personally be A-OK with UTA working on opportunistic TLS,
>>> especially in the sense of providing advice on how to interop with old
>>> stuff in ways most likely to result in TLS usage.
>>> - It's probably not a great idea to say that in this document
>>>
>>> How about:
>>> "The sense of the UTA Working Group was to complete work on this
>>> document about best practices for TLS in general, and to leave
>>> recommendations about opportunistic TLS for future work."
>>>
>>
>> Or we could drop mention of the WG entirely:
>>
>> "This document specifies best practices for TLS in general. A separate
>> document with recommendations for the use of TLS with opportunistic
>> security is to be completed in the future."
>>
>
> Sure.
>
> So (with some hopefully slight edits)...
>
> ###
>
> 5.2.  Opportunistic Security
>
>    There are several important scenarios in which the use of TLS is
>    optional, i.e., the client decides dynamically ("opportunistically")
>    whether to use TLS with a particular server or to connect in the
>    clear.  This practice, often called "opportunistic security", is
>    described at length in [RFC7435] and is often motivated by a desire
>    for backward compatibility with legacy deployments.
>
>    In these scenarios, some of the recommendations in this document
>    might be too strict, since adhering to them could cause fallback to
>    cleartext, a worse outcome than using TLS with an outdated protocol
>    version or cipher suite.
>
>    This document specifies best practices for TLS in general.  A
>    separate document containing recommendations for the use of TLS with
>    opportunistic security is to be completed in the future.
>
> ###
>
>
>