IETF Logo Mail Archive

Re: [Uta] Adoption call for draft-sheffer-uta-rfc7525bis-00

Ralph Holz <ralph.holz@gmail.com> Tue, 28 April 2020 08:58 UTC

Return-Path: <ralph.holz@gmail.com>
X-Original-To: uta@ietfa.amsl.com
Delivered-To: uta@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F3F9C3A1120; Tue, 28 Apr 2020 01:58:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.997
X-Spam-Level:
X-Spam-Status: No, score=-1.997 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, HTTPS_HTTP_MISMATCH=0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zATzd1WOaVbB; Tue, 28 Apr 2020 01:58:21 -0700 (PDT)
Received: from mail-ej1-x62a.google.com (mail-ej1-x62a.google.com [IPv6:2a00:1450:4864:20::62a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 321413A111F; Tue, 28 Apr 2020 01:58:21 -0700 (PDT)
Received: by mail-ej1-x62a.google.com with SMTP id gr25so16596978ejb.10; Tue, 28 Apr 2020 01:58:21 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=fuMCO5Esq8rEbrCLsSxO99xuzOwzgAjly3QNLJ5fqcg=; b=SVth/UtrJRHig6UfRcWINvbVqtkCqk4Gps99XNDBD/lCAGn8ySo5TI0zNLO1MbQaLI 94llt4aVUhO01XLf0yc3R08EAD7pfnKDG1lGve7Q2lWpS7Aalq3Z0q4f2WLmGLb4sI3c QRDoLNfEUBMhcSz/3i77481yMZb3gL4CaBW10/X1xF7+VLFLYvC9bcuBzhGKspLP1+Q6 H+Ovic4WMsLSGFaV+vNVQqvnhPKDQ9TByqER6HIuXidTTprr0kqBcVs0Uf/KX6peVPeR 6YG3J21MNjnmsucrMomCNysrinHd85Iqw21HmHKEHieCyWavZtkocxI/CioXVZOWuVlY xXVQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=fuMCO5Esq8rEbrCLsSxO99xuzOwzgAjly3QNLJ5fqcg=; b=BpOzcW/pKf9Ph5leaVZ9EfPIvlc+7gWXf2XYKBEI5hy5dk8jH0uu7MgK8bG44IspHr 12y4dFC9xeY+Y1jsbbop/G+jAveHB3wvhAH2iqD09A5CWr9QdUIO1b889hY82gAN1YFC P0HAFj+svF/flhFjsB/+1PBVF04UfZhHfE3EZ6hle35VsPPsDEyecEgFOiA3pSDgak9g zwWw1goH7zxPI64sq8016ORrctrg9e8mJFLvsgEKKXvk9bb3bUiWHARQOCbejqKsRo+c +bw8LQO/XdcHqnj2/GCY39QGEtemtlqVwPRcBRVYX7ee+ApfvtMmm4CS+6GV+I58cEYH TBAg==
X-Gm-Message-State: AGi0PuZZ5nS/k0slLMDEYYWr0BfyrzofRd2ccKCo4J6wXeP6uZQ4zOuZ FgkpcbQidmEL3uovckrjmZEXwky8IFnwtDKwuTA=
X-Google-Smtp-Source: APiQypIxROKuHou8frN87n/JC8eKkFF0HLzAORSk2wvD0nQI9b8TT3xVXWrpvvYuaBFTZEG53DQf71aFWOE5m6pvIsw=
X-Received: by 2002:a17:906:bb07:: with SMTP id jz7mr22766505ejb.317.1588064299552; Tue, 28 Apr 2020 01:58:19 -0700 (PDT)
MIME-Version: 1.0
References: <004801d61bae$08a61590$19f240b0$@smyslov.net> <1UW7qWO4vA.17rUXhBMkf8@pc8xp> <CAEKAoHTJ4S5Wfkb4KB+ZWQN7JO_Q-DXDcEz5pqd7MPMhyj_CDQ@mail.gmail.com> <1UW7rcJSVn.1ewl1Eq5e3S@pc8xp>
In-Reply-To: <1UW7rcJSVn.1ewl1Eq5e3S@pc8xp>
From: Ralph Holz <ralph.holz@gmail.com>
Date: Tue, 28 Apr 2020 18:58:08 +1000
Message-ID: <CAEKAoHS8anGkojfjww80Bh4UKDw-6bYA20zbgEg2-rJSMJvqcA@mail.gmail.com>
To: tom petch <daedulus@btconnect.com>
Cc: Valery Smyslov <valery@smyslov.net>, "uta@ietf.org" <uta@ietf.org>, "uta-chairs@ietf.org" <uta-chairs@ietf.org>, Peter Saint-Andre <stpeter@mozilla.com>
Content-Type: multipart/alternative; boundary="0000000000007492e805a45608aa"
Archived-At: <https://mailarchive.ietf.org/arch/msg/uta/bNewsGC5NFIViTxRibPGvb9kYGg>
Subject: Re: [Uta] Adoption call for draft-sheffer-uta-rfc7525bis-00
X-BeenThere: uta@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: UTA working group mailing list <uta.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/uta>, <mailto:uta-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/uta/>
List-Post: <mailto:uta@ietf.org>
List-Help: <mailto:uta-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/uta>, <mailto:uta-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 28 Apr 2020 08:58:23 -0000

Hi,

>
> I expect that you are familiar with
> draft-camwinget-tls-ns-impact
> which looks at operational security with TLS 1.2 and identifies what is
> difficult or impossible to do with TLS 1.3. One might infer from this I-D
> that TLS 1.3 offers less security than TLS 1.2:-)

One requirement that was raised in the later stages of the work on TLS 1.3
> related to audit, and was raised, I think, by representatives of the
> finance industry; the WG rejected the requirement.  Since then, I have seen
> suggestions on the TLS and other


I am familiar with the discussion and the 3-4 issues stated in that I-D,
yes. An alternative to TLS 1.3 has indeed been proposed by the finance
industry that partially solves it:
https://www.etsi.org/deliver/etsi_ts/103500_103599/10352303/01.01.01_60/ts_10352303v010101p.pdf
<https://trello.com/c/HctoUsA5/11-etls-final-standard-https-wwwetsiorg-deliver-etsits-103500103599-10352303-01010160-ts10352303v010101ppdf>


> lists, and in the press, about the development of alternative protocols to
> meet the requirements that TLS 1.3 does not.  Hence my reference to
> fragmentation.  (I think the I-D covers that under offline analysis).
> Although the I-D focusses on Operational Security, I think that much of
> what it says is applicable more generally.
>

Any fragmentation remains speculative, so far. I would in fact not be
surprised if eTLS remains completely unused outside mobile phone banking
apps and inter-bank communication. I definitely do not expect it in user
traffic as the browser makers have been clear they won't support anything
that does static RSA and/or static DH.

If anything at all, though, that would be an argument in favour of a BCP -
note that this BCP is not TLS 1.3-specific. It still covers TLS 1.2. (And
even there, there is a need for crypto updates!)


> The I-D that we are being asked to adopt lacks any detail about what the
> bis might change i.e. we are being asked to approve a blank slate which
> might end up saying how great TLS 1.3 is and how we should move to it as
> soon as possible; to which the I-D I mention offers an alternative
> viewpoint.
>

I would not preempt discussions in such a way. Last time, they were
extremely productive, with folks making sure that all sorts of interop
issues were addressed.

Ralph

v2.23.0 | Report a Bug | By Email