Re: [Uta] Adoption call for draft-sheffer-uta-rfc7525bis-00
Keith Moore <moore@network-heretics.com> Fri, 01 May 2020 20:10 UTC
Return-Path: <moore@network-heretics.com>
X-Original-To: uta@ietfa.amsl.com
Delivered-To: uta@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D3C083A1BDB for <uta@ietfa.amsl.com>; Fri, 1 May 2020 13:10:50 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.898
X-Spam-Level:
X-Spam-Status: No, score=-1.898 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=messagingengine.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id UVV5wzmoMb0k for <uta@ietfa.amsl.com>; Fri, 1 May 2020 13:10:46 -0700 (PDT)
Received: from out5-smtp.messagingengine.com (out5-smtp.messagingengine.com [66.111.4.29]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 85AA63A1BDC for <uta@ietf.org>; Fri, 1 May 2020 13:10:46 -0700 (PDT)
Received: from compute4.internal (compute4.nyi.internal [10.202.2.44]) by mailout.nyi.internal (Postfix) with ESMTP id 971605C0430; Fri, 1 May 2020 16:10:45 -0400 (EDT)
Received: from mailfrontend1 ([10.202.2.162]) by compute4.internal (MEProxy); Fri, 01 May 2020 16:10:45 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:content-transfer-encoding:content-type :date:from:in-reply-to:message-id:mime-version:references :subject:to:x-me-proxy:x-me-proxy:x-me-sender:x-me-sender :x-sasl-enc; s=fm2; bh=ZqumZ0Hc4x7GF/8jSwql4xp0jbacnqS/IFWYbFkZ/ 0Y=; b=PoduOL2bg9XSkdXwf3iYP96YphCXXuwXEhFnkFTdqQRff5tQnKP3/1qtn AJoQ/yv4380uDVJHi5oNNqiQdgKrxWKerEcec/HEPLuPpQXJhLb71kWeNkUdmVp2 qG96e4yvCW2eutItRqr7357uF3snLnEqLEbl1h86H4o3zLSyQBN2GMrB1mlpqDek 2Ggerj/nTP7wmlQVR8rGRW3FIfaReAqxVlrn6ozxWmHDyECLcMXa6B5RL4w/2kXJ P4Tds7LTwqsrqkIPbR7et4fCU5oMXmUO5sPzgIr5Kmw+MNEPmU2tXpvbKDdTt695 udCZjqmK7XDd6Mv9oOu15P6Bu+gUQ==
X-ME-Sender: <xms:RYKsXnZ4KeTXMf7fwiGo7HVba0a-P_QZ3UsdKD1qenxxIv9P5viZ-g>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgeduhedrieejgddugeegucetufdoteggodetrfdotf fvucfrrhhofhhilhgvmecuhfgrshhtofgrihhlpdfqfgfvpdfurfetoffkrfgpnffqhgen uceurghilhhouhhtmecufedttdenucesvcftvggtihhpihgvnhhtshculddquddttddmne cujfgurhepuffvfhfhkffffgggjggtgfesthekredttdefjeenucfhrhhomhepmfgvihht hhcuofhoohhrvgcuoehmohhorhgvsehnvghtfihorhhkqdhhvghrvghtihgtshdrtghomh eqnecuggftrfgrthhtvghrnhephefhuedtheefgfefgffhkeehgfeugfeiudeugeejkeef leelueeiffetfeeuudeunecukfhppedutdekrddvvddurddukedtrdduheenucevlhhush htvghrufhiiigvpedtnecurfgrrhgrmhepmhgrihhlfhhrohhmpehmohhorhgvsehnvght fihorhhkqdhhvghrvghtihgtshdrtghomh
X-ME-Proxy: <xmx:RYKsXrVE7BAZUB4BqKUe_jwJTTtRoxqTlVfX5RWooqvJ7gtOW60ItQ> <xmx:RYKsXksiKcy_DNA5zfX9zHig5YlHxWKon0m01AhtcP0LTkoU6R79tw> <xmx:RYKsXoXBvDPjpnvPSR4r1pHg-C8mW3ndnKNY6OOurO1hL3GIF6AWGg> <xmx:RYKsXuqrn8pkpT2G5DugkBMUpknBOER_SseQel-q-k9DcIHcAoOl9g>
Received: from [192.168.1.97] (108-221-180-15.lightspeed.knvltn.sbcglobal.net [108.221.180.15]) by mail.messagingengine.com (Postfix) with ESMTPA id B848B3280064; Fri, 1 May 2020 16:10:44 -0400 (EDT)
To: Ned Freed <ned.freed@mrochek.com>
Cc: uta@ietf.org
References: <004801d61bae$08a61590$19f240b0$@smyslov.net> <dfe39508-b37a-f008-91d3-cb36bcb84ae1@network-heretics.com> <01RKCREHVO3I0055BV@mauve.mrochek.com>
From: Keith Moore <moore@network-heretics.com>
Message-ID: <d14e5d8f-2a69-a72b-57c9-42a77f36ef8f@network-heretics.com>
Date: Fri, 01 May 2020 16:10:43 -0400
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.7.0
MIME-Version: 1.0
In-Reply-To: <01RKCREHVO3I0055BV@mauve.mrochek.com>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Transfer-Encoding: 8bit
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/uta/mpJlFCgqnJyWaPKcySf21gq4P5g>
Subject: Re: [Uta] Adoption call for draft-sheffer-uta-rfc7525bis-00
X-BeenThere: uta@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: UTA working group mailing list <uta.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/uta>, <mailto:uta-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/uta/>
List-Post: <mailto:uta@ietf.org>
List-Help: <mailto:uta-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/uta>, <mailto:uta-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 01 May 2020 20:10:51 -0000
On 5/1/20 12:27 PM, Ned Freed wrote: >> IMO RFC7525 and this new draft both suffer from dubious assumptions and >> make poor recommendations because of those assumptions. In particular, >> there are many cases for which using an old version of TLS is suboptimal >> and it shouldn't be considered as secure, but it may still be better >> than deprecating old versions of TLS that might be the only ones >> supported by the peer. > > Whether or not to ban SSL v2 and v3 is a tough call, but not for the > reasons > given in RFC 7525. Yes, these are weak mechanisms, but in the absence > of other > considerations weak is better than no security at all. > > However, because of the way the negotations work supporting all of > these stuff > simultaneously has proven to be difficult to get right. The fact that > these old > versions can cause interop failures with later versions is arguably > sufficient > cause for a MUST NOT. If we can enumerate those specific cases, and explain why they're MUST NOTs, that seems like it would be a Good Thing. >> People do not always have the luxury of upgrading their clients and >> servers to versions that support the recent TLS. Some legacy hardware >> has firmware that cannot be upgraded because no upgrades are >> available. Service providers do not always have the leverage to insist >> that their customers upgrade, or the luxury of abandoning customers. >> etc. > > Shorter version: Once again the IETF is letting the best be the enemy > of the > good. I have often observed tendencies in thinking about security that seem to result in poor choices. One is to assume that every application acts like the web, for example: A human interacting with a UI on the client side, who is in the loop, and who can react to security negotiation failures and make informed decisions. Another is to treat "secure" as a binary value, without even considering that different users quite reasonably have different threat models. (Anytime someone whom I don't have calibrated claims something is "secure", a red flag goes up. At that point I generally ask them to tell me what threats they have identified and what they've done to address them. Then I'll have a better idea of what they mean. A few people can answer such questions, but most go into infinite page fault, or worse, just start trying to pile on more BS. And then I know to treat the system as insecure.) >> So in summary, either I don't support adoption of this draft, or I >> support adoption of this draft only to the extent that it can be >> significantly changed. > > AFAICT the draft hasn't been updated beyond what RFC 7525 says, so I'm > going to wait and see what those updates say before I decide if I can > support the change. Yeah, I'm not entirely clear on the right way to go about this: is it to adopt the document with the understanding that significant changes are expected, or is it better to start with a new draft? Keith
- [Uta] Adoption call for draft-sheffer-uta-rfc7525… Valery Smyslov
- Re: [Uta] Adoption call for draft-sheffer-uta-rfc… Stephen Farrell
- Re: [Uta] Adoption call for draft-sheffer-uta-rfc… John R. Levine
- Re: [Uta] Adoption call for draft-sheffer-uta-rfc… tom petch
- Re: [Uta] Adoption call for draft-sheffer-uta-rfc… Alexey Melnikov
- Re: [Uta] Adoption call for draft-sheffer-uta-rfc… Ralph Holz
- Re: [Uta] Adoption call for draft-sheffer-uta-rfc… Alexey Melnikov
- Re: [Uta] Adoption call for draft-sheffer-uta-rfc… Peter Saint-Andre
- Re: [Uta] Adoption call for draft-sheffer-uta-rfc… Alexey Melnikov
- Re: [Uta] Adoption call for draft-sheffer-uta-rfc… John Levine
- Re: [Uta] Adoption call for draft-sheffer-uta-rfc… tom petch
- Re: [Uta] Adoption call for draft-sheffer-uta-rfc… Ralph Holz
- Re: [Uta] Adoption call for draft-sheffer-uta-rfc… Sean Turner
- Re: [Uta] Adoption call for draft-sheffer-uta-rfc… Keith Moore
- Re: [Uta] Adoption call for draft-sheffer-uta-rfc… ned+uta
- Re: [Uta] Adoption call for draft-sheffer-uta-rfc… Keith Moore
- Re: [Uta] Adoption call for draft-sheffer-uta-rfc… Peter Saint-Andre
- Re: [Uta] Adoption call for draft-sheffer-uta-rfc… Eric Rescorla
- Re: [Uta] Adoption call for draft-sheffer-uta-rfc… Eric Rescorla
- Re: [Uta] Adoption call for draft-sheffer-uta-rfc… Keith Moore
- Re: [Uta] Adoption call for draft-sheffer-uta-rfc… Jeremy Harris
- Re: [Uta] Adoption call for draft-sheffer-uta-rfc… Eric Rescorla
- Re: [Uta] Adoption call for draft-sheffer-uta-rfc… Eric Rescorla
- Re: [Uta] Adoption call for draft-sheffer-uta-rfc… Keith Moore
- Re: [Uta] Adoption call for draft-sheffer-uta-rfc… Eric Rescorla
- Re: [Uta] Adoption call for draft-sheffer-uta-rfc… John Levine
- Re: [Uta] Adoption call for draft-sheffer-uta-rfc… Peter Gutmann
- Re: [Uta] Adoption call for draft-sheffer-uta-rfc… Eric Rescorla
- Re: [Uta] Adoption call for draft-sheffer-uta-rfc… Keith Moore
- Re: [Uta] Adoption call for draft-sheffer-uta-rfc… Peter Gutmann
- Re: [Uta] Adoption call for draft-sheffer-uta-rfc… tom petch
- Re: [Uta] Adoption call for draft-sheffer-uta-rfc… Eric Rescorla
- Re: [Uta] Adoption call for draft-sheffer-uta-rfc… Valery Smyslov
- Re: [Uta] Adoption call for draft-sheffer-uta-rfc… Eric Rescorla
- Re: [Uta] Adoption call for draft-sheffer-uta-rfc… John Levine
- Re: [Uta] Adoption call for draft-sheffer-uta-rfc… Jim Fenton
- Re: [Uta] Adoption call for draft-sheffer-uta-rfc… Keith Moore
- Re: [Uta] Adoption call for draft-sheffer-uta-rfc… Peter Saint-Andre
- Re: [Uta] Adoption call for draft-sheffer-uta-rfc… Valery Smyslov