Re: [Uta] Richard Barnes' Discuss on draft-ietf-uta-tls-bcp-09: (with DISCUSS and COMMENT)

Richard Barnes <rlb@ipv.sx> Thu, 19 February 2015 06:28 UTC

Return-Path: <rlb@ipv.sx>
X-Original-To: uta@ietfa.amsl.com
Delivered-To: uta@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B7C161A1A06 for <uta@ietfa.amsl.com>; Wed, 18 Feb 2015 22:28:08 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.977
X-Spam-Level:
X-Spam-Status: No, score=-1.977 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7] autolearn=unavailable
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id faA4cdSOhd56 for <uta@ietfa.amsl.com>; Wed, 18 Feb 2015 22:28:02 -0800 (PST)
Received: from mail-lb0-f178.google.com (mail-lb0-f178.google.com [209.85.217.178]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 608A31A1A0C for <uta@ietf.org>; Wed, 18 Feb 2015 22:28:02 -0800 (PST)
Received: by lbdu10 with SMTP id u10so5605187lbd.7 for <uta@ietf.org>; Wed, 18 Feb 2015 22:28:00 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=8La7qr+gOfkNaaC8gVgo3n/8bULIbwSRN8vMLjZDQb8=; b=JYivM0UUpBHlJAwV6OMXrZZJxrpeSpe9Jdm7zYqlW6ANiAmDJS7U6kURs7pCG9aDmr 9xl9tas6EmBhK6V/eKUPgln2RKRoJRWQClYLTqdz8LdQpE8lJyMCPpzoIK/DF/RYG0Cw boWf3BXC9+cpDvyCoBia38B6DfoXElu4dVQh0reusJ/AEj1Drx5Shu89fvh60ID1KRib GFRq0A3g+vT3uT1ibCUarJH4LK0nkINBDzN8tBDyI2fwpigNkk4XpmBlitseYzUV291Q eqt7x064STf+QZBBFZKIETZRSXXISxcD3mhz9hszV7AF4Oewq7lj5rktsp50xp2rPMiY TYfg==
X-Gm-Message-State: ALoCoQmcjEarObYiw1HhD0C+KKTRV+/7kEPiAbxNN60WuHXFckw9wydiISRAUfF5wy3U9H4q+Mp1
MIME-Version: 1.0
X-Received: by 10.152.4.233 with SMTP id n9mr2453111lan.61.1424327280603; Wed, 18 Feb 2015 22:28:00 -0800 (PST)
Received: by 10.25.135.4 with HTTP; Wed, 18 Feb 2015 22:28:00 -0800 (PST)
In-Reply-To: <CAFewVt63L4NV+88Z6hWcM7rhMK8jK7V8vwW4x_uwbAkKsevKcw@mail.gmail.com>
References: <20150219033433.10815.25308.idtracker@ietfa.amsl.com> <54E56454.7080307@andyet.net> <54E5663E.6070306@qti.qualcomm.com> <CAL02cgSGYozbspQhccYqA2BU4gphitfFZVynETYjT=PzaW3H5w@mail.gmail.com> <CAFewVt63L4NV+88Z6hWcM7rhMK8jK7V8vwW4x_uwbAkKsevKcw@mail.gmail.com>
Date: Thu, 19 Feb 2015 01:28:00 -0500
Message-ID: <CAL02cgS7D2P0pJPF-h6V6QGEmnbkWPHkEGCpZ+WZjaJCqZ0DKg@mail.gmail.com>
From: Richard Barnes <rlb@ipv.sx>
To: Brian Smith <brian@briansmith.org>
Content-Type: multipart/alternative; boundary="089e013d11989acab1050f6b099e"
Archived-At: <http://mailarchive.ietf.org/arch/msg/uta/iBufg4dh-hYNfp4remt9-Qel0oo>
Cc: "uta@ietf.org" <uta@ietf.org>, Pete Resnick <presnick@qti.qualcomm.com>, The IESG <iesg@ietf.org>, Peter Saint-Andre - &yet <peter@andyet.net>
Subject: Re: [Uta] Richard Barnes' Discuss on draft-ietf-uta-tls-bcp-09: (with DISCUSS and COMMENT)
X-BeenThere: uta@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: UTA working group mailing list <uta.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/uta>, <mailto:uta-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/uta/>
List-Post: <mailto:uta@ietf.org>
List-Help: <mailto:uta-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/uta>, <mailto:uta-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 19 Feb 2015 06:28:08 -0000

On Thu, Feb 19, 2015 at 1:26 AM, Brian Smith <brian@briansmith.org> wrote:

> Richard Barnes <rlb@ipv.sx> wrote:
> > Pete Resnick <presnick@qti.qualcomm.com> wrote:
> >> Until we are able to get better community consensus on this topic and
> how
> >> to explain it in documents, I think (and I believe the WG agrees) that
> the
> >> right thing to say is, "This document isn't talking about OS" and leave
> it
> >> at that, which is what the document now says.
> >
> > It's wrong to just throw up our hands and give carte blanche just
> because we
> > might need to red-line a few things.  At most, we should say something
> like,
> > "OS is a work in progress; until further notice, use this as a baseline
> and
> > deviate to the minimal extent possible."
>
> The working group agreed that unauthenticated TLS is out of scope for
> the document. Saying anything other than unauthenticated TLS is out of
> scope would misrepresent the working group's consensus.As others
> pointed out, if and how much of this document is appropriate for
> unauthenticated TLS is very unclear and deciding that would add a lot
> of delay to the publication of the document.
>
> The working group already decided to defer much more serious and more
> widely-relevant issues (like the complete lack of any recommendations
> regarding ECDSA cipher suites, despite these being the most
> interoperable AES-GCM cipher suites available and the best ones for
> server-side performance, or the fact that the document recommends DHE
> cipher suites despite clear evidence that DHE cipher suites are a
> minefield) in the interests of getting the document published on a
> reasonable schedule.
>
> IMO, unauthenticated TLS is so different from secure use of TLS that
> it deserves its own document once we've learned what the *best*
> *current* practices for unauthenticated TLS are, which we currently do
> not know.
>

I'm curious how you think unauthenticated TLS is so dramatically
different.  I mean, WebRTC connections are all unauthenticated, and they
look exactly the same on the wire as authenticated connections -- the
endpoints just don't check the certs.

--Richard



>
> Cheers,
> Brian
>