Re: [Uta] Comments as draft-rsalz-uta-require-tls13
David Benjamin <davidben@chromium.org> Wed, 27 March 2024 17:46 UTC
Return-Path: <davidben@google.com>
X-Original-To: uta@ietfa.amsl.com
Delivered-To: uta@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9128FC14CEFA for <uta@ietfa.amsl.com>; Wed, 27 Mar 2024 10:46:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -9.257
X-Spam-Level:
X-Spam-Status: No, score=-9.257 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.249, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001, USER_IN_DEF_SPF_WL=-7.5] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=chromium.org
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id bjKBUsyHNq8F for <uta@ietfa.amsl.com>; Wed, 27 Mar 2024 10:46:16 -0700 (PDT)
Received: from mail-yb1-xb2b.google.com (mail-yb1-xb2b.google.com [IPv6:2607:f8b0:4864:20::b2b]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E1BF0C14F684 for <uta@ietf.org>; Wed, 27 Mar 2024 10:46:16 -0700 (PDT)
Received: by mail-yb1-xb2b.google.com with SMTP id 3f1490d57ef6-ddaad2aeab1so39814276.3 for <uta@ietf.org>; Wed, 27 Mar 2024 10:46:16 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; t=1711561576; x=1712166376; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=i2c15URjrtHGM0exyKp5HdQC7xULfn6RzGT6qbm4MAU=; b=CHWN6TMdzpFS5gx3799cVPbM4fXf68majwq3EpIEFmcdJIr4guy2oij+w3NQE4NttH SkRQqEXgBGWQnwNOZJNAb8KPdBplvwcOS2U0dYvv0GOya6sJW/pALWGFh/R485GSGp/6 hioGExy1ho/yyLQzfdyA4QV9mUEVI5Klxug9U=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1711561576; x=1712166376; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=i2c15URjrtHGM0exyKp5HdQC7xULfn6RzGT6qbm4MAU=; b=iGCZjVUeAdULbm9KTvV17RQLEcfIF+AEDquSU3+DlC4OSQSLxhroKNIrBdhR8AB0sH h9GHNzhWBBL4f+sNyUOfw//4JQXLP7XU9cjx/Hz0FquauW/soeRtKB18TDJ5SeCLKjYX WZKbQGOJb8D9zcG87kFN73DuYqBKYTibPx2CgFjiEwDlEqOYNuxcSHnkSR6knqypTxW4 HFspzpj5vFYeylURNw1z+1FC70+2WsjT63MVUJm58Nd/oK0VRuMWApS0/rUAXj5z6AJQ ftXUQupeWikS2DyrcSR0WEuUvURAJERiJY0FVP8/sT+jlo3Blb+xe4K/midMS7yKgyJN 0HTA==
X-Forwarded-Encrypted: i=1; AJvYcCWbSUC7cDQaygTnLSw/N20lmS230Jyez+J9nYrGZ5oSe/bMG38qa+itAtG5vb5DrH8llWNM8ReK1Ellzmg=
X-Gm-Message-State: AOJu0YyVCI+YIHJNGRE7YrNu7PjV0fLkVwfgbTEo74F486HAsfCfqA2+ IRYhBYoEL7x73bez9MqDqr1WNu80n/hZZmZ230PnW/OvH+gH9xt0KVzyqIvyrGfUcUUMMHW40KR 6xnlMYNY7HLCWWPpjlO9LIQY9yvZGURQ9IWeWMrGXhJfmHr1TLuM=
X-Google-Smtp-Source: AGHT+IEIGCGhPKMcbmAMQxfHY1F9+pJERt2PMczWeAwyftmuB5ctEQ55Jdwb5QxZsBlTMmJNKReMC37NqfY90Cfg7yE=
X-Received: by 2002:a5b:b0f:0:b0:dc2:41de:b744 with SMTP id z15-20020a5b0b0f000000b00dc241deb744mr543410ybp.32.1711561575674; Wed, 27 Mar 2024 10:46:15 -0700 (PDT)
MIME-Version: 1.0
References: <3E6241EB-24CB-4B42-9B7F-7AB32DCC290C@deployingradius.com> <6BD396CD-E223-4A90-8E84-D99C6EAB5F08@akamai.com>
In-Reply-To: <6BD396CD-E223-4A90-8E84-D99C6EAB5F08@akamai.com>
From: David Benjamin <davidben@chromium.org>
Date: Wed, 27 Mar 2024 13:45:56 -0400
Message-ID: <CAF8qwaASz7RGkjVJ9iPh6zvmWrW=ryoBM=zfCRXgk7MoFrey8w@mail.gmail.com>
To: "Salz, Rich" <rsalz=40akamai.com@dmarc.ietf.org>
Cc: Alan DeKok <aland@deployingradius.com>, "uta@ietf.org" <uta@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000bb94980614a7fbca"
Archived-At: <https://mailarchive.ietf.org/arch/msg/uta/p7qohfJMWx9nn_IXR-3z-2EXZvc>
Subject: Re: [Uta] Comments as draft-rsalz-uta-require-tls13
X-BeenThere: uta@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: UTA working group mailing list <uta.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/uta>, <mailto:uta-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/uta/>
List-Post: <mailto:uta@ietf.org>
List-Help: <mailto:uta-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/uta>, <mailto:uta-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 27 Mar 2024 17:46:20 -0000
I think there are also multiple readings of "or higher" here. You could read it to mean "your protocol MUST require that implementations be configured to support all versions from TLS 1.3 and up". Or you could read it to mean "your protocol MUST pick a minimum TLS version of TLS 1.3, or some higher minimum version". I interpreted the discussion in the room to mean the latter. I notice the current text also talks about "default", but that seems confusing and/or meaningless. There is no such thing as a "default version" in TLS version negotiation. A protocol that uses TLS may have a default vs non-default application profile, but whether that means anything at all is application-dependent, and such profiles would specify a range of versions, not a single version. "MUST require TLS 1.3 or higher" and "MAY be compatible with TLS 1.2" are also contradictions. I took a stab below at revising based on what I think the current text was trying to capture, but it's pretty ambiguous as-is: > Any new protocol that uses TLS SHOULD specify that TLS 1.2 and below MUST NOT be negotiated. That is, the minimum TLS version should be TLS 1.3 (or a higher TLS version, when one becomes standardized). For example, QUIC [QUICTLS] requires TLS 1.3 and specifies that endpoints MUST terminate the connection if an older version is used. > > If deployment considerations are a concern, the protocol MAY permit TLS 1.2, but only as an additional, non-default application profile. The default application profile MUST forbid TLS 1.2 as above. As a counter example, the Usage Profile for DNS over TLS [DNSTLS] specifies TLS 1.2 as the default, while also allowing TLS 1.3. For newer specifications that choose to support TLS 1.2, those preferences are to be reversed. On Mon, Mar 25, 2024 at 8:29 PM Salz, Rich <rsalz= 40akamai.com@dmarc.ietf.org> wrote: > > Speaking as non-chair (and my first post to the list). > > Welcome. > > Yes, distinguishing between the standard (or protocol spec) and the > implementation is a (hopefully slight?) source of confusion within the > draft. > > > New standards MUST require TLS 1.3 or higher. > > The problem with the "or higher" construct, one Jonathan Hoyland strongly > favors, is that it doesn't get you what you want, or at least what he > wants. > > > These implementations SHOULD have a way to configure the minimum > allowable TLS version to use. If this setting is configurable, any default > example MUST use TLS 1.3. If the TLS versions are not set in any > configuration, then the implementation MUST use TLS 1.3 or higher. > > Except for "or higher" (see below) this seems nice. > > OpenSSL used to allow "holes" in the protocols, which you said is what > wpa_supplicant allows. I think it was in 1.1 that OpenSSL moved to a > min/max approach. That is better because the common meaning of omitting the > max version is "the highest one available." > > The problem with the "holes" approach is that it tends to be "explicitly > enable the versions you want" because at first glance that's more > flexible. But when a new version comes along, your configuration is now > outdated until you go edit to add the new version. If you use the > "explicitly disable the versions you want" it turns out that almost all the > time what you are disabling is a sequence of old versions. In which case, > setting the min version is simpler. It is hard to see a scenario, except > for bugs, where "1.1,1.3" are allowed and "1.2" is a reasonable > configuration to have. > > I think in all but special cases specifying just the minimum is fine. The > only reason I can think of for specifying the max version is that you have > regulatory/compliance issues to comply with. > > The problem with "or higher" is that it needs context and timelines to be > useful. Let us suppose that I sell a program, Foobar, that uses the system > TLS provider but it is a DLL/.so because I want my customers to be able to > install updates that their OS vendor provides. Now suppose the IETF > specifies TLS 1.4 at T0. OS Vendor A supports it at T2, vendor B at T3, and > FreeTLS provides it at T1. And of course the events could happen in a > different order (except the RFC always comes first :) > > Who becomes non-compliant with the "or higher" construct and at what > Tn+delta? And if you say "the highest version available" you're making it > even more intractable/worse. > > The current wording seems the least disruptive to me. Yes, in some number > of years we'll have to do an update that says TLS 1.4, but that's a lot > less work. > > Hope this helps. > > > _______________________________________________ > Uta mailing list > Uta@ietf.org > https://www.ietf.org/mailman/listinfo/uta >
- [Uta] Comments as draft-rsalz-uta-require-tls13 Alan DeKok
- Re: [Uta] Comments as draft-rsalz-uta-require-tls… Alan DeKok
- Re: [Uta] Comments as draft-rsalz-uta-require-tls… Salz, Rich
- Re: [Uta] Comments as draft-rsalz-uta-require-tls… Salz, Rich
- Re: [Uta] Comments as draft-rsalz-uta-require-tls… David Benjamin