IETF Logo Mail Archive

Re: [Uta] Secdir telechat review of draft-ietf-uta-rfc7525bis-09

Peter Saint-Andre <stpeter@stpeter.im> Wed, 13 July 2022 18:28 UTC

Return-Path: <stpeter@stpeter.im>
X-Original-To: uta@ietfa.amsl.com
Delivered-To: uta@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CDBD3C157908; Wed, 13 Jul 2022 11:28:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.108
X-Spam-Level:
X-Spam-Status: No, score=-2.108 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, NICE_REPLY_A=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=stpeter.im header.b=gxEWn8lJ; dkim=pass (2048-bit key) header.d=messagingengine.com header.b=J7iycq/A
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id olBRamJmSGg5; Wed, 13 Jul 2022 11:28:00 -0700 (PDT)
Received: from wout5-smtp.messagingengine.com (wout5-smtp.messagingengine.com [64.147.123.21]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 73D4DC157903; Wed, 13 Jul 2022 11:28:00 -0700 (PDT)
Received: from compute5.internal (compute5.nyi.internal [10.202.2.45]) by mailout.west.internal (Postfix) with ESMTP id 6A5533200912; Wed, 13 Jul 2022 14:27:59 -0400 (EDT)
Received: from mailfrontend2 ([10.202.2.163]) by compute5.internal (MEProxy); Wed, 13 Jul 2022 14:28:00 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=stpeter.im; h=cc :cc:content-transfer-encoding:content-type:date:date:from:from :in-reply-to:in-reply-to:message-id:mime-version:references :reply-to:sender:subject:subject:to:to; s=fm1; t=1657736878; x= 1657823278; bh=6Gfas9FqZ4ifMIf3DSC4AEHTMpEIusAGII8lhhACf3A=; b=g xEWn8lJHAWj8Jc/rVRZ4jsEg+rIFf2qfCwZ7++kv28eGbtfcXLgPlLMbjRyodjfx jot9QBWHd/3pw9EV3m1u2bpo5ND3FcLx12GG+uM5sIhSgKNwoF2yXTZTE5Xk7XXp pMr7RzxStL1eFWj2VSvSmCLp6y7LFcl7Epz6FOoBV3YVKF0zLXzoOyBwdJMhfy40 i/zmE2MiUIoMR4HsVNJEEXl9WZNe+h7U9ZZuPeE8ayV/B/F5eSyQnNO0gdeqdxmI nwFAxRJOLVSoTVnmt57jKDtZTmPH9Sz6/GZSz+SqCmG09YZdDNsML6Yh0Y553Nck W1zT9yiiZNG2jJHWQTKTg==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:cc:content-transfer-encoding :content-type:date:date:feedback-id:feedback-id:from:from :in-reply-to:in-reply-to:message-id:mime-version:references :reply-to:sender:subject:subject:to:to:x-me-proxy:x-me-proxy :x-me-sender:x-me-sender:x-sasl-enc; s=fm3; t=1657736878; x= 1657823278; bh=6Gfas9FqZ4ifMIf3DSC4AEHTMpEIusAGII8lhhACf3A=; b=J 7iycq/ANxOO0Op+55JCj0rJ57HfKFKnte0N7FgyEFsenx3qVaVjzR5m5sPVJARPI mcyDY0NipR9IXfACA/ccRsqdlM3NaVhwG5LpemQwwFcmg+WIM/aB2D6DHzoR7geW GZN88wftLt1jr6oLYzh4ohVfJNGHX20qY8qgJXV6zkaAk7651lHcTSyfrmvq08xU Ir15BBwPigRfgj+lsODAFpIv2O+83IaptYEN3FeD070kF6+qEEgBzksRMjoTazfC 6nzQIMe0HI4j7LSkNZmAXxkNUA4aiT6e21DEUACAcgcmF2KDVGi2ybFvJWIpI4jp u3wGDepWPaDwxGw9aTOBA==
X-ME-Sender: <xms:rg7PYpOOxSgK-M5mxMgWPVx8OWNaSVj-_JNCMoIL3KkMlIKDaQyZOQ> <xme:rg7PYr_irwt-kaCbJIaP2xa5rh41h16CEtwq4XjBje6aA79A2DBKmIP4HqpjOrUWP 29qboXljIYSDJv5sQ>
X-ME-Received: <xmr:rg7PYoR9D6Em2IA2JaAWyC3uLxaIV6uABZDsfGrAQbR02MzcDiKyD4lUUuAa>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedvfedrudejjedguddvgecutefuodetggdotefrod ftvfcurfhrohhfihhlvgemucfhrghsthforghilhdpqfgfvfdpuffrtefokffrpgfnqfgh necuuegrihhlohhuthemuceftddtnecusecvtfgvtghiphhivghnthhsucdlqddutddtmd enucfjughrpefkffggfgfvvehfhffujggtgfesthejredttdefjeenucfhrhhomheprfgv thgvrhcuufgrihhnthdqtehnughrvgcuoehsthhpvghtvghrsehsthhpvghtvghrrdhimh eqnecuggftrfgrthhtvghrnhepgfefgffhkeekvddvteevjefhkeelffeivdektdehtedv hfeihfetudelhfeivdevnecuffhomhgrihhnpehgihhthhhusgdrtghomhenucevlhhush htvghrufhiiigvpedtnecurfgrrhgrmhepmhgrihhlfhhrohhmpehsthhpvghtvghrsehs thhpvghtvghrrdhimh
X-ME-Proxy: <xmx:rg7PYlt18PCmVZ7Rviyp64796a8qnxaaBqF1fs5R3fxVw_nKYBsSNQ> <xmx:rg7PYhd--fWDop6lpJXjfBxf_DCcR6t3Zhy_jWKluLVOd5maEfZ--g> <xmx:rg7PYh32nZIWyJ-naE6hLdEd7L2nZF2TR3LAydDglM_RwqdfDAJFbg> <xmx:rg7PYo611JZU19hmV4JCxbwtEdFfePFPRHn4olM-TVM7hTt05XG-tA>
Feedback-ID: i24394279:Fastmail
Received: by mail.messagingengine.com (Postfix) with ESMTPA; Wed, 13 Jul 2022 14:27:57 -0400 (EDT)
Message-ID: <b24e2934-200f-4f80-5261-aa2a977da39b@stpeter.im>
Date: Wed, 13 Jul 2022 12:27:57 -0600
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:91.0) Gecko/20100101 Thunderbird/91.11.0
Content-Language: en-US
To: Benjamin Kaduk <kaduk@mit.edu>, secdir@ietf.org
Cc: draft-ietf-uta-rfc7525bis.all@ietf.org, last-call@ietf.org, uta@ietf.org
References: <165766858084.5251.12485129434316295805@ietfa.amsl.com>
From: Peter Saint-Andre <stpeter@stpeter.im>
In-Reply-To: <165766858084.5251.12485129434316295805@ietfa.amsl.com>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/uta/guuEhJBaBuLjI5S_PZzk5u7FVl0>
Subject: Re: [Uta] Secdir telechat review of draft-ietf-uta-rfc7525bis-09
X-BeenThere: uta@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: UTA working group mailing list <uta.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/uta>, <mailto:uta-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/uta/>
List-Post: <mailto:uta@ietf.org>
List-Help: <mailto:uta-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/uta>, <mailto:uta-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 13 Jul 2022 18:28:04 -0000

On 7/12/22 5:29 PM, Benjamin Kaduk via Datatracker wrote:
> Reviewer: Benjamin Kaduk
> Review result: Ready
> 
> I looked over the updates from -07 to -09, and they all look good.
> I recognize that not all of my previous comments resulted in any text
> changes, and appreciate that they were given consideration and the
> conscious choice made to not act.  I'd also like to thank the editors
> for their efforts to proactively tag me in the github discussion that my
> earlier review triggered, and I apologize for not keeping up with that
> traffic as it came in.
> 
> I do have one comment on the new text:
> 
> Section 3.9
> 
> Thanks for adding the section on mulit-server deployment, that's a great
> addition!  In the (first) "multiple services" case, we might also want
> to mention that the protection of credentials (certificate private keys)
> is a shared attack surface across services, so when we say "provide
> equivalent levels of security" we might clarify that we consider both
> the TLS configuration and the protections against server compromise as
> being relevant. 

Good catch:

https://github.com/yaronf/I-D/issues/435

I like your suggestion of "equivalent levels of security (including both 
the TLS configuration and the protections against server compromise)"

> I'll also repeat one comment from my earlier review to make it more visible
> to the ADs.  I acknowledge that the authors already responded to it and
> that the same reply continues to apply; I do not expect that repeating my
> statement will be any more convincing than it was the first time.
> 
> Section 3.1.1
> 
>     *  Implementations MUST support TLS 1.2 [RFC5246] and MUST prefer to
>        negotiate TLS version 1.2 over earlier versions of TLS.
>        [...]
>     *  Implementations SHOULD support TLS 1.3 [RFC8446] and, if
>        implemented, MUST prefer to negotiate TLS 1.3 over earlier
>        versions of TLS.
> 
> It's very disappointing to me to see that we label a TLS 1.3-only
> implementation as non-compliant with the BCP for TLS usage; such an
> implementation is more secure than a joint 1.2+1.3 implementation.
> That said, I assume that the WG discussed this topic extensively and
> it seems somewhat unlikely that I have any new contributions to that
> discussion.

Even the authors are sometimes disappointed by what ends up in a BCP - I 
know I felt that way about both RFC 6125 (wildcard certs!) and RFC 7525.

Personally I would be comfortable with changing TLS 1.3 from SHOULD 
support to MUST support, but we'd need to see what the WG thinks.

Peter

v2.23.0 | Report a Bug | By Email