IETF Logo Mail Archive

Re: [Uta] Proposed list of deliverables

"Orit Levin (LCA)" <oritl@microsoft.com> Mon, 20 January 2014 21:35 UTC

Return-Path: <oritl@microsoft.com>
X-Original-To: uta@ietfa.amsl.com
Delivered-To: uta@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 806B61A00A3 for <uta@ietfa.amsl.com>; Mon, 20 Jan 2014 13:35:12 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.602
X-Spam-Level:
X-Spam-Status: No, score=-2.602 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Hi2oNrPAX9i9 for <uta@ietfa.amsl.com>; Mon, 20 Jan 2014 13:35:10 -0800 (PST)
Received: from na01-by2-obe.outbound.protection.outlook.com (mail-by2lp0236.outbound.protection.outlook.com [207.46.163.236]) by ietfa.amsl.com (Postfix) with ESMTP id D2E721A0137 for <uta@ietf.org>; Mon, 20 Jan 2014 13:35:09 -0800 (PST)
Received: from BL2PR03MB290.namprd03.prod.outlook.com (10.141.68.19) by BL2PR03MB292.namprd03.prod.outlook.com (10.141.68.28) with Microsoft SMTP Server (TLS) id 15.0.851.11; Mon, 20 Jan 2014 21:35:09 +0000
Received: from BL2PR03MB290.namprd03.prod.outlook.com ([10.141.68.19]) by BL2PR03MB290.namprd03.prod.outlook.com ([10.141.68.19]) with mapi id 15.00.0859.013; Mon, 20 Jan 2014 21:35:09 +0000
From: "Orit Levin (LCA)" <oritl@microsoft.com>
To: Paul Hoffman <paul.hoffman@vpnc.org>, "uta@ietf.org" <uta@ietf.org>
Thread-Topic: [Uta] Proposed list of deliverables
Thread-Index: Ac8UDfYmUjL7spWFRWi+szgpg2cFIgB0VUEAAA9KmVA=
Date: Mon, 20 Jan 2014 21:35:08 +0000
Message-ID: <df9dd1bd760443c69c0e63b6976e8767@BL2PR03MB290.namprd03.prod.outlook.com>
References: <0bc674da169f4772b0fb2173ed679115@BY2PR03MB300.namprd03.prod.outlook.com> <CDB929C3-6DF1-4EFD-9E70-647F070196DD@vpnc.org>
In-Reply-To: <CDB929C3-6DF1-4EFD-9E70-647F070196DD@vpnc.org>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [2001:4898:80e0:ee43::2]
x-forefront-prvs: 00979FCB3A
x-forefront-antispam-report: SFV:NSPM; SFS:(10009001)(6009001)(164054003)(189002)(199002)(51704005)(13464003)(24454002)(377454003)(92566001)(50986001)(74706001)(47976001)(53806001)(93136001)(74316001)(54356001)(4396001)(47736001)(74366001)(85852003)(49866001)(76482001)(33646001)(69226001)(46102001)(51856001)(19580405001)(85306002)(83322001)(47446002)(90146001)(80976001)(74502001)(81342001)(31966008)(76576001)(74662001)(76786001)(15975445006)(76796001)(19580395003)(65816001)(74876001)(83072002)(63696002)(81542001)(56816005)(80022001)(87266001)(56776001)(59766001)(93516002)(81686001)(2656002)(54316002)(81816001)(77982001)(86362001)(87936001)(79102001)(3826001)(24736002); DIR:OUT; SFP:1101; SCL:1; SRVR:BL2PR03MB292; H:BL2PR03MB290.namprd03.prod.outlook.com; CLIP:2001:4898:80e0:ee43::2; FPR:; RD:InfoNoRecords; MX:1; A:1; LANG:en;
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginatorOrg: microsoft.com
Subject: Re: [Uta] Proposed list of deliverables
X-BeenThere: uta@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: UTA working group mailing list <uta.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/uta>, <mailto:uta-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/uta/>
List-Post: <mailto:uta@ietf.org>
List-Help: <mailto:uta-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/uta>, <mailto:uta-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 20 Jan 2014 21:35:12 -0000

Thanks, Paul!
See inline. \Orit.

> -----Original Message-----
> From: Uta [mailto:uta-bounces@ietf.org] On Behalf Of Paul Hoffman
> Sent: Monday, January 20, 2014 4:58 AM
> To: uta@ietf.org
> Subject: Re: [Uta] Proposed list of deliverables
> 
> On Jan 18, 2014, at 1:24 AM, Orit Levin (LCA) <oritl@microsoft.com> wrote:
> 
> > Below is the list of deliverables for your consideration:
> >
> > 1. A threat analysis document containing a collection of known security
> breaches to application protocols due to poor use of TLS (Likely an
> Informational RFC)
> 
> Is this meant to also cover application protocols with *no* use of TLS? That is, is
> the threat analysis supposed to cover "why you should encrypt", or just "why
> you should encrypt well when you encrypt"?
> 

I envision this document to be as specific to TLS usage as possible (or the lack of it when TLS should have been a natural choice).

I could imagine the document to be organization by specific and/or publicly documented security breaches, each followed by a "threat analysis" targeted to application protocol designers and application users, who are not necessarily crypto professionals or security experts. The analysis should point to more "deep dive" security and other UTA documents when appropriate. Of course, at this stage this is a suggestion for feedback.

> > 2. Applications' independent document recommending best existing and future
> practices for using TLS (Likely a BCP or a Proposed Standard RFC)
> 
> Good.
> 
> > 3. A set of documents, each describing best existing and future practices for
> using TLS with a specific application protocol, i.e., SMTP, POP, IMAP, XMPP,
> HTTP 1.1, etc. (Case-by-case likely a BCP or a Proposed Standard RFC)
> 
> This needs to be defined more. The phase "using TLS" can mean one or more of:
> - TLS with server authentication, with encryption
> - TLS with server authentication, without encryption
> - TLS without server authentication, with encryption
> - TLS with server authentication, with client authentication, with encryption
> - TLS with server authentication, with client authentication, without encryption
> - TLS without server authentication, with client authentication, with encryption
> Different short names are applied different scenarios, making it all the more
> confusing. If we don't get this one right, we can easily delay useful results from
> the WG by two years.

If this organization proves useful, it probably belongs to #2 Applications' independent document. For the application-specific documents, similar discussion could be helpful for focusing on use cases (topologies) relevant to this application with its application clients, servers, proxies, etc. (each implementing a TLS client or a TLS server).

> 
> > 4. A document discussing (and potentially defining) how to apply the
> opportunistic encryption approach (preliminary outlined in draft-farrelll-mpls-
> opportunistic-encrypt-00.txt) to TLS. (Category TBD)
> 
> The preliminary outline in that document is transitory, and in some ways not
> easily applicable to TLS.

Sections 2.1 - 2.3 in this draft are generic and can be applicable to an arbitrary protocol. As it was pointed out in Vancouver and on the perpass list earlier, other definitions/interpretations of opportunistic encryption (OE) exist in RFCs and peoples' minds. I believe that IETF needs to agree on a conceptual meaning of OE or whatever alternative name(s) are chosen for different things. 

>Why are we not making our own definition so that we
> can apply it to TLS precisely?
> 

That is exactly what this deliverables is for; that is regardless whether we call it OE or not :-). Still, the terminology needs to be understood and consistent across the industry (at the very least, across all IETF).

> --Paul Hoffman
> _______________________________________________
> Uta mailing list
> Uta@ietf.org
> https://www.ietf.org/mailman/listinfo/uta

v2.23.0 | Report a Bug | By Email