Re: [Uta] Adoption call for draft-sheffer-uta-rfc7525bis-00

Eric Rescorla <ekr@rtfm.com> Sun, 03 May 2020 19:15 UTC

References: <004801d61bae$08a61590$19f240b0$@smyslov.net> <dfe39508-b37a-f008-91d3-cb36bcb84ae1@network-heretics.com> <CABcZeBP0_Jq1v9j5pDL4Ne_+5CyXuimJq90MLGzNME9zoHh2bw@mail.gmail.com> <1588483587138.67307@cs.auckland.ac.nz>
In-Reply-To: <1588483587138.67307@cs.auckland.ac.nz>
From: Eric Rescorla <ekr@rtfm.com>
Date: Sun, 03 May 2020 12:14:45 -0700
Message-ID: <CABcZeBMne-vyoToMdgbxQZTY2kwT5fdbDDs4i-mhUnmXgtDqLw@mail.gmail.com>
To: Peter Gutmann <pgut001@cs.auckland.ac.nz>
Cc: Keith Moore <moore@network-heretics.com>, "uta@ietf.org" <uta@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/uta/sXyDsKooOsAFrU68rAq7b0vR26A>
Subject: Re: [Uta] Adoption call for draft-sheffer-uta-rfc7525bis-00

On Sat, May 2, 2020 at 10:26 PM Peter Gutmann <pgut001@cs.auckland.ac.nz>
wrote:

> Eric Rescorla <ekr@rtfm.com> writes:
>
> >if you are running a piece of hardware that cannot upgrade its TLS stack
> >at all, you quite likely have a number of serious unpatched
> >vulnerabilities, and should reconsider whether it is safe to have that
> >hardware attached to the Internet.
>
> Embedded non-upgradeable SCADA devices have some of the most secure TLS
> implementations I've ever seen:
>
>   Some of the most difficult-to-attack TLS implementations that I've seen
>   are in embedded devices that don't have the memory to run a full TLS
>   implementation or to parse certificates.
>

I don't have much experience with SCADA TLS stacks, so I can't speak to
this, but I wasn't thinking primarily of the TLS stack itself but just of
the overall software on the device. In general, most software has some
defects and some of them will be security-relevant. If you are unable to
upgrade the software on your devices, then if such vulnerabilities are
discovered you are obviously in a bad position.

-Ekr