[Uta] TLS BCP Review
Aaron Zauner <azet@azet.org> Mon, 21 July 2014 21:54 UTC
Return-Path: <azet@azet.org>
X-Original-To: uta@ietfa.amsl.com
Delivered-To: uta@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6A5C51A006D for <uta@ietfa.amsl.com>; Mon, 21 Jul 2014 14:54:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.4
X-Spam-Level:
X-Spam-Status: No, score=-1.4 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, J_CHICKENPOX_15=0.6, J_CHICKENPOX_16=0.6, RCVD_IN_DNSWL_LOW=-0.7] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5O3NtNDdm2XF for <uta@ietfa.amsl.com>; Mon, 21 Jul 2014 14:54:16 -0700 (PDT)
Received: from mail-wi0-f181.google.com (mail-wi0-f181.google.com [209.85.212.181]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 35B201A006B for <uta@ietf.org>; Mon, 21 Jul 2014 14:54:16 -0700 (PDT)
Received: by mail-wi0-f181.google.com with SMTP id bs8so4843960wib.8 for <uta@ietf.org>; Mon, 21 Jul 2014 14:54:14 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:message-id:date:from:user-agent:mime-version:to :subject:content-type; bh=xWjnfxDqZwBye7HenFeEvLNItYtzu8hRQG4Nw+YU9lw=; b=h8GWDohz71e8sWz2QFvMCrOwibt330fVkXXHFkxmf2KdiMBrV3ZW3c4/pW2cnOjMy6 KltG8JnEbwPWyrr7kwrz+2SoSzNdHuuV3P3ta14IaCIAJLyNeZuZXsb+nrRYAApf3M1N aFcbQb4/DFM0SZ44266YLx/BvFgnBV2wExF6XeFuge/zXQhwjs8YUqMjtDAY8Ot7g6eW zjx0QFExzqoI3LnYGCJ64rYHTor8YdY4isz1DEzlicN46VzocavQSGPMHSlqZATh2yB/ DbwtSgWXb1VF7Av5BvPgUvxdIbyr4eq8qgrfwSt0S14CHcVMyVce/ru7EgwJCej1x+DE nv9w==
X-Gm-Message-State: ALoCoQm62RI9X/cboyhVW1y2bWk95TL7o0PN+1SmoscTMlGjLvVAK8p0zgtIxwbsj4C/D59EmZv6
X-Received: by 10.195.12.97 with SMTP id ep1mr26286029wjd.26.1405979654691; Mon, 21 Jul 2014 14:54:14 -0700 (PDT)
Received: from [10.0.0.132] (chello080108032135.14.11.univie.teleweb.at. [80.108.32.135]) by mx.google.com with ESMTPSA id fs3sm46311738wic.20.2014.07.21.14.54.12 for <uta@ietf.org> (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Mon, 21 Jul 2014 14:54:13 -0700 (PDT)
Message-ID: <53CD8C01.4050808@azet.org>
Date: Mon, 21 Jul 2014 23:54:09 +0200
From: Aaron Zauner <azet@azet.org>
User-Agent: Postbox 3.0.11 (Macintosh/20140602)
MIME-Version: 1.0
To: "uta@ietf.org" <uta@ietf.org>
X-Enigmail-Version: 1.2.3
Content-Type: multipart/signed; micalg="pgp-sha512"; protocol="application/pgp-signature"; boundary="------------enig9A4C44AAE8C09721211ACDE3"
Archived-At: http://mailarchive.ietf.org/arch/msg/uta/hNubdyyKQK1edlN4yG9-Ep84NAU
Subject: [Uta] TLS BCP Review
X-BeenThere: uta@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: UTA working group mailing list <uta.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/uta>, <mailto:uta-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/uta/>
List-Post: <mailto:uta@ietf.org>
List-Help: <mailto:uta-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/uta>, <mailto:uta-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 21 Jul 2014 21:54:17 -0000
Hi *, I'm in the process of reviewing the BCP currently and do have a couple of open questions and remarks before submitting a patch. Please excuse me if some of them have already been asked before on the mailing list, although I tried to go through most of the mails, I might have missed some. * the document on github seems to be out of sync with the document that is currently available on the IETF website. * I've found some typos, rhetorical flaws w.r.t phrasing throughout the document as well as missing information in reasoning parts. I would be willing to submit a patch and a related message explaining changes (if need be) to this list. is that acceptable? * the document effectively states in 1. that TLS 1.3 will obsolete this document. UTA should still give recommendations for legacy protocols that will be widely deployed on the internet. although faster than it used to be - TLS adoption is still very slow. * 3.1. states that SSLv2 has "serious security vulnerabilities" while this is true, it does not emphasize how broken SSLv2 actually is. how about changing the wording to "considered to be insecure"? * as for the deployment of "3%", mentioned in 3.2. - previous posters have pointed to the scans by j.vehent and sslpulse/qualys. there's also a monthly scan being conducted by h.kario of redhat [0]. * in 3.6 disabling compression is a SHOULD. with the issues currently raised by attacks this has to be a MUST in my opinion. and: * the document does not mention issues with compression in underlying applications when using TLS (e.g. BREACH for HTTP). * 4.2: once accepted (and everything looks this way) the draft by DKG will obsolete parts of this section [2]. * currently the document provides for no reasoning as to why no ECDSA ciphersuites have been included. while I agree that they should be excluded, one should include a sentence or two on the matter. I'm not an expert with DSA/DSS so I can just refer to [1] and the sources mentioned therein. * the document currently does not mention any views for standardization bodies and implementors on key pinning (TACK, HTKP). * the document currently does not mention any views for standardization bodies and implementors on certificate transparency. That's all for now, I'm pretty sure I'll come up with more. Thanks for your time, Aaron Sources: [0] - http://securitypitfalls.wordpress.com [1] - http://blog.cr.yp.to/20140323-ecdsa.html [2] - http://tools.ietf.org/html/draft-gillmor-tls-negotiated-dl-dhe
- [Uta] TLS BCP Review Aaron Zauner
- Re: [Uta] TLS BCP Review Orit Levin (LCA)
- Re: [Uta] TLS BCP Review Peter Saint-Andre
- Re: [Uta] TLS BCP Review Leif Johansson
- Re: [Uta] TLS BCP Review Aaron Zauner
- Re: [Uta] TLS BCP Review Leif Johansson
- Re: [Uta] TLS BCP Review Yaron Sheffer
- Re: [Uta] TLS BCP Review Bodo Moeller
- Re: [Uta] TLS BCP Review Leif Johansson
- Re: [Uta] TLS BCP Review Peter Gutmann
- Re: [Uta] TLS BCP Review Aaron Zauner
- Re: [Uta] TLS BCP Review Aaron Zauner
- Re: [Uta] TLS BCP Review Yaron Sheffer
- Re: [Uta] TLS BCP Review Aaron Zauner