IETF Logo Mail Archive

[Uta] Robert Wilton's Discuss on draft-ietf-uta-rfc7525bis-09: (with DISCUSS and COMMENT)

Robert Wilton via Datatracker <noreply@ietf.org> Thu, 14 July 2022 09:37 UTC

Return-Path: <noreply@ietf.org>
X-Original-To: uta@ietf.org
Delivered-To: uta@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id 743C6C14F74C; Thu, 14 Jul 2022 02:37:24 -0700 (PDT)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
From: Robert Wilton via Datatracker <noreply@ietf.org>
To: The IESG <iesg@ietf.org>
Cc: draft-ietf-uta-rfc7525bis@ietf.org, uta-chairs@ietf.org, uta@ietf.org, leifj@sunet.se, leifj@sunet.se
X-Test-IDTracker: no
X-IETF-IDTracker: 8.6.0
Auto-Submitted: auto-generated
Precedence: bulk
Reply-To: Robert Wilton <rwilton@cisco.com>
Message-ID: <165779144446.10023.16857085823147739769@ietfa.amsl.com>
Date: Thu, 14 Jul 2022 02:37:24 -0700
Archived-At: <https://mailarchive.ietf.org/arch/msg/uta/i-BX7Lo--veKCV-mrThcoE08tOI>
Subject: [Uta] Robert Wilton's Discuss on draft-ietf-uta-rfc7525bis-09: (with DISCUSS and COMMENT)
X-BeenThere: uta@ietf.org
X-Mailman-Version: 2.1.39
List-Id: UTA working group mailing list <uta.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/uta>, <mailto:uta-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/uta/>
List-Post: <mailto:uta@ietf.org>
List-Help: <mailto:uta-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/uta>, <mailto:uta-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 14 Jul 2022 09:37:24 -0000

Robert Wilton has entered the following ballot position for
draft-ietf-uta-rfc7525bis-09: Discuss

When responding, please keep the subject line intact and reply to all
email addresses included in the To and CC lines. (Feel free to cut this
introductory paragraph, however.)


Please refer to https://www.ietf.org/about/groups/iesg/statements/handling-ballot-positions/ 
for more information about how to handle DISCUSS and COMMENT positions.


The document, along with other ballot positions, can be found here:
https://datatracker.ietf.org/doc/draft-ietf-uta-rfc7525bis/



----------------------------------------------------------------------
DISCUSS:
----------------------------------------------------------------------

Hi,

Thanks for this document, I think that it is a helpful update.  Disclaimer, I'm
not a security expert, but I would like to discuss some of the RFC 2119
constraints that have been specified please:

(1)
I find some of the 2119 language to be somewhat contradictory:

  *  Implementations MUST NOT negotiate TLS version 1.1 [RFC4346].

  *  Implementations MUST support TLS 1.2 [RFC5246] and MUST prefer to
     negotiate TLS version 1.2 over earlier versions of TLS.

The second sentence implies that a TLS 1.2 is allowed to negotiate earlier
versions of TLS, but a previous statement indicates that this is not allowed. 
A similar contradiction appears for DTLS:

   *  Implementations MUST NOT negotiate DTLS version 1.0 [RFC4347].

   *  Implementations MUST support DTLS 1.2 [RFC6347] and MUST prefer to
      negotiate DTLS version 1.2 over earlier versions of DTLS.

(2)
           *  New protocol designs that embed TLS mechanisms SHOULD use only TLS
              1.3 and SHOULD NOT use TLS 1.2; for instance, QUIC [RFC9001]) took
              this approach.  As a result, implementations of such newly-
              developed protocols SHOULD support TLS 1.3 only with no
              negotiation of earlier versions.

Why is this only a SHOULD and not a MUST?  If a new protocol (rather than an
updated version of an existing protocol) was being designed why would it be
reasonable to design it to support TLS 1.2?  If you want to keep these as
SHOULD rather than MUSTs then please can the document specify under what
circumstances it would be reasonable for a new protocol design to use TLS 1.2.

(3)
                                                           When TLS-only
      communication is available for a certain protocol, it MUST be used
      by implementations and MUST be configured by administrators.  When
      a protocol only supports dynamic upgrade, implementations MUST
      provide a strict local policy (a policy that forbids use of
      plaintext in the absence of a negotiated TLS channel) and
      administrators MUST use this policy.

The MUSTs feel too strong here, since there are surely deployments and streams
of data where encryption, whilst beneficial, isn't an absolute requirement?

In addition "MUST be used by implementations and MUST be configured by
administrators" also seem to conflict, i.e., if the implementation must use it
then why would an administrator have to enable it?

(4)
   When using RSA, servers MUST authenticate using certificates with at
   least a 2048-bit modulus for the public key.  In addition, the use of
   the SHA-256 hash algorithm is RECOMMENDED and SHA-1 or MD5 MUST NOT
   be used ([RFC9155], and see [CAB-Baseline] for more details).

So, for clarity, this would presumably mean that SHA-256 is also preferred over
say SHA-512?  Is that the intention?  Or would it be better if the SHOULD
allowed stronger ciphers?


----------------------------------------------------------------------
COMMENT:
----------------------------------------------------------------------



   This document does not discuss the use of TLS in constrained-node
   networks [RFC7228].  For recommendations regarding the profiling of
   TLS and DTLS for small devices with severe constraints on power,
   memory, and processing resources, the reader is referred to [RFC7925]
   and [I-D.ietf-uta-tls13-iot-profile].

Would it be better to write "does not specify" rather than "does not discuss",
which feels a bit colloquial?

Thanks,
Rob

v2.23.0 | Report a Bug | By Email