[Uta] Roman Danyliw's Yes on draft-ietf-uta-rfc7525bis-09: (with COMMENT)
Roman Danyliw via Datatracker <noreply@ietf.org> Tue, 12 July 2022 20:57 UTC
Return-Path: <noreply@ietf.org>
X-Original-To: uta@ietf.org
Delivered-To: uta@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id A5E7AC15790C; Tue, 12 Jul 2022 13:57:21 -0700 (PDT)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
From: Roman Danyliw via Datatracker <noreply@ietf.org>
To: The IESG <iesg@ietf.org>
Cc: draft-ietf-uta-rfc7525bis@ietf.org, uta-chairs@ietf.org, uta@ietf.org, leifj@sunet.se, leifj@sunet.se
X-Test-IDTracker: no
X-IETF-IDTracker: 8.6.0
Auto-Submitted: auto-generated
Precedence: bulk
Reply-To: Roman Danyliw <rdd@cert.org>
Message-ID: <165765944166.5604.15927139793895492702@ietfa.amsl.com>
Date: Tue, 12 Jul 2022 13:57:21 -0700
Archived-At: <https://mailarchive.ietf.org/arch/msg/uta/b264gfogToIvnEELGXBVACI4W-U>
Subject: [Uta] Roman Danyliw's Yes on draft-ietf-uta-rfc7525bis-09: (with COMMENT)
X-BeenThere: uta@ietf.org
X-Mailman-Version: 2.1.39
List-Id: UTA working group mailing list <uta.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/uta>, <mailto:uta-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/uta/>
List-Post: <mailto:uta@ietf.org>
List-Help: <mailto:uta-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/uta>, <mailto:uta-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 12 Jul 2022 20:57:21 -0000
Roman Danyliw has entered the following ballot position for draft-ietf-uta-rfc7525bis-09: Yes When responding, please keep the subject line intact and reply to all email addresses included in the To and CC lines. (Feel free to cut this introductory paragraph, however.) Please refer to https://www.ietf.org/about/groups/iesg/statements/handling-ballot-positions/ for more information about how to handle DISCUSS and COMMENT positions. The document, along with other ballot positions, can be found here: https://datatracker.ietf.org/doc/draft-ietf-uta-rfc7525bis/ ---------------------------------------------------------------------- COMMENT: ---------------------------------------------------------------------- Thank you to Ben Kaduk for the SECDIR review. ** Section 3.2 When TLS-only communication is available for a certain protocol, it MUST be used by implementations and MUST be configured by administrators. This guidance seems a little vague but prescriptive. Is the guidance that if there is a TLS-version or TLS support for a given protocol, that implementations of that protocol “MUST” support it? My confusion is around the wording that “it must be used by implementations.” ** Section 3.2 When a protocol only supports dynamic upgrade, implementations MUST provide a strict local policy (a policy that forbids use of plaintext in the absence of a negotiated TLS channel) and administrators MUST use this policy. Aren’t site administrators responsible for setting and enforcing local policy? Why would the software vendor (implementations) be provided the policy? ** Section 3.3.1 -- Given that the recommendations of this section include things beyond certificate compression, is the title of “Certificate Compression” appropriate? -- Would there be any additional techniques to list per Section 4 of RFC9191? ** Section 4.4 When a sender is approaching CL, the implementation SHOULD initiate a new handshake (or in TLS 1.3, a Key Update) to rotate the session key. When a receiver has reached IL, the implementation SHOULD close the connection. Should these normative SHOULDs be MUSTs? What is the circumstance where it would be prudent or necessary sender to use the existing key material after the CL has been exceeded? Same issue on the IL limit.
- [Uta] Roman Danyliw's Yes on draft-ietf-uta-rfc75… Roman Danyliw via Datatracker
- Re: [Uta] Roman Danyliw's Yes on draft-ietf-uta-r… Peter Saint-Andre