IETF Logo Mail Archive

Re: [Uta] I-D Action: draft-ietf-uta-rfc7525bis-07.txt

Yaron Sheffer <yaronf.ietf@gmail.com> Fri, 27 May 2022 11:33 UTC

Return-Path: <yaronf.ietf@gmail.com>
X-Original-To: uta@ietfa.amsl.com
Delivered-To: uta@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 22107C159A3B for <uta@ietfa.amsl.com>; Fri, 27 May 2022 04:33:11 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MZnftAB8zFDf for <uta@ietfa.amsl.com>; Fri, 27 May 2022 04:33:08 -0700 (PDT)
Received: from mail-io1-xd2b.google.com (mail-io1-xd2b.google.com [IPv6:2607:f8b0:4864:20::d2b]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EB230C159494 for <uta@ietf.org>; Fri, 27 May 2022 04:33:08 -0700 (PDT)
Received: by mail-io1-xd2b.google.com with SMTP id a10so4336750ioe.9 for <uta@ietf.org>; Fri, 27 May 2022 04:33:08 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=user-agent:date:subject:from:to:message-id:thread-topic:references :in-reply-to:mime-version:content-transfer-encoding; bh=XM0BOzMj9KZNEmvwyGBsIc6AYNEGQzxO8cIguMsZubY=; b=IHE2DmXdhcAhlPbveW9GiLip6ILmS7u/6QVZDypizFe77QrqCZyowalXLROxPEdH6N J85Osc1h76HKMxQCN7JxfUONVF4tA/dx8bX3qRKp8G2bpYuFMI4s/ufrl8B5OpTrHE+R m4mcWQUh709hDRr5OKk3NXJhZA/anRNIWBKybF/WSG76pg5CzBSX7DEDHlgKBceclvgF JB9mhQ2UDJFqu4xDL0fJARDUeGSIDhU9daZhHEFFwQlHTHv59caQOpW1PwUeTUnpiY6B uE2TCxOZHOlg3cnXvgIh/4CNekf7Oo4NxNhOs9njxwbullEwTo4D4gucl8OTVrddICJO 2Aqw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:user-agent:date:subject:from:to:message-id :thread-topic:references:in-reply-to:mime-version :content-transfer-encoding; bh=XM0BOzMj9KZNEmvwyGBsIc6AYNEGQzxO8cIguMsZubY=; b=KkiYPBZhxrjZc+8j3sml9vhd2aAz5nEhX8LPm57YZYMdvH9fLcU1ttasZXHbz1Jm+h /E8p5vZuzCiNZEDs7h+WHEUfJLAYCwoD4Ah3dl4axn6gkIjprYh5Agi3bLA2Q5Tx94ev qsKNIe6AD4PEdBXH0PB2NdmafxnCI5+5EHbhFDsPUgwXrgeaPajxbhlm7O/bpOEzCEdf GCsyNkjagAJDVStwpbkoTdgzMCFWIERrhuiT7r2o46inUqj2TpSykBdnNI3Pt7jFmD5Z qdDw28o9nkK1jIa69ELGjwiKXqa+Yzvg1GTyNOQA6xDYseQPeYiBu4v0CuFMXnSoHrrT ssUw==
X-Gm-Message-State: AOAM5317OPSn5OmeNJIoydgG/Dn28PqpQ3NTP+NYpPM8Xiq4FQCffz7n MG481vVHeYgoRu4uzmTlBqthEys4nH0=
X-Google-Smtp-Source: ABdhPJwqzp8fOFdFegC3q02oYTamSoV0OcipYHb4TMU9oKNCRjIb6ctFASCJj2yGHI64dZuBo6K94A==
X-Received: by 2002:a05:6638:25ca:b0:32e:2177:584b with SMTP id u10-20020a05663825ca00b0032e2177584bmr22056923jat.70.1653651187013; Fri, 27 May 2022 04:33:07 -0700 (PDT)
Received: from [192.168.68.100] (IGLD-84-229-147-76.inter.net.il. [84.229.147.76]) by smtp.gmail.com with ESMTPSA id cv11-20020a056638498b00b0032ea3ba170dsm500904jab.86.2022.05.27.04.33.04 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Fri, 27 May 2022 04:33:05 -0700 (PDT)
User-Agent: Microsoft-MacOutlook/16.61.22050700
Date: Fri, 27 May 2022 14:33:01 +0300
From: Yaron Sheffer <yaronf.ietf@gmail.com>
To: Martin Thomson <mt@lowentropy.net>, uta@ietf.org
Message-ID: <4295216E-E7A5-4A73-B292-E5E46A88EFCB@gmail.com>
Thread-Topic: [Uta] I-D Action: draft-ietf-uta-rfc7525bis-07.txt
References: <165360014937.7348.791812490092301727@ietfa.amsl.com> <CC2019E7-BD6A-4F65-A59F-42B9E79468B0@gmail.com> <02b1cdfa-02f2-43cd-8066-fb36f9e30164@beta.fastmail.com>
In-Reply-To: <02b1cdfa-02f2-43cd-8066-fb36f9e30164@beta.fastmail.com>
Mime-version: 1.0
Content-type: text/plain; charset="UTF-8"
Content-transfer-encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/uta/uHVEPd2BCgfdfe2TI5zMme2LJCc>
Subject: Re: [Uta] I-D Action: draft-ietf-uta-rfc7525bis-07.txt
X-BeenThere: uta@ietf.org
X-Mailman-Version: 2.1.34
Precedence: list
List-Id: UTA working group mailing list <uta.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/uta>, <mailto:uta-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/uta/>
List-Post: <mailto:uta@ietf.org>
List-Help: <mailto:uta-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/uta>, <mailto:uta-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 27 May 2022 11:33:11 -0000

Thanks! Opened https://github.com/yaronf/I-D/issues/350

	Yaron

On 5/27/22, 09:21, "Martin Thomson" <mt@lowentropy.net> wrote:

    I made some comments in discussion of 6125bis that I think this document should address.

    Basically, the document would benefit from a discussion on multi-server deployments in a few arrangements:

    * deployments where multiple servers speak for the same names, but with different protocols.  ALPACA showed us that cross-protocol confusion, particularly for protocols that do not define the use of ALPN, can be exploited by directing protocols toward endpoints that use different protocols

    * deployments where multiple servers and services with overlapping names that have different TLS configurations.  DROWN showed us that the security of these servers depends on the *weakest* server configuration.  If the weak instance can be attacked, that affects all services that share the same name.  This depends a little on the nature of the attack. An attack like this can render ALPN protections useless.

    See also https://github.com/richsalz/draft-ietf-uta-rfc6125bis/issues/43

    On Fri, May 27, 2022, at 07:26, Yaron Sheffer wrote:
    > This version addresses numerous comments, mostly (but not always) 
    > editorial, by Francesca and Paul W.
    >
    > As a reminder, the document is in IETF LC until May 30.
    >
    > Thanks,
    > 	Yaron
    >
    >
    > On 5/27/22, 00:22, "uta-bounces@ietf.org on behalf of 
    > internet-drafts@ietf.org" <uta-bounces@ietf.org on behalf of 
    > internet-drafts@ietf.org> wrote:
    >
    >
    >     A New Internet-Draft is available from the on-line Internet-Drafts 
    > directories.
    >     This draft is a work item of the Using TLS in Applications WG of 
    > the IETF.
    >
    >             Title           : Recommendations for Secure Use of 
    > Transport Layer Security (TLS) and Datagram Transport Layer Security 
    > (DTLS)
    >             Authors         : Yaron Sheffer
    >                               Peter Saint-Andre
    >                               Thomas Fossati
    >     	Filename        : draft-ietf-uta-rfc7525bis-07.txt
    >     	Pages           : 39
    >     	Date            : 2022-05-26
    >
    >     Abstract:
    >        Transport Layer Security (TLS) and Datagram Transport Layer Security
    >        (DTLS) are widely used to protect data exchanged over application
    >        protocols such as HTTP, SMTP, IMAP, POP, SIP, and XMPP.  Over the
    >        years, the industry has witnessed several serious attacks on TLS and
    >        DTLS, including attacks on the most commonly used cipher suites and
    >        their modes of operation.  This document provides the latest
    >        recommendations for ensuring the security of deployed services that
    >        use TLS and DTLS.  These recommendations are applicable to the
    >        majority of use cases.
    >
    >        An earlier version of this document was published as RFC 7525 when
    >        the industry was in the midst of its transition to TLS 1.2.  Years
    >        later this transition is largely complete and TLS 1.3 is widely
    >        available.  This document updates the guidance given the new
    >        environment and obsoletes RFC 7525.  In addition, the document
    >        updates RFC 5288 and RFC 6066 in view of recent attacks.
    >
    >
    >     The IETF datatracker status page for this draft is:
    >     https://datatracker.ietf.org/doc/draft-ietf-uta-rfc7525bis/
    >
    >     There is also an HTML version available at:
    >     https://www.ietf.org/archive/id/draft-ietf-uta-rfc7525bis-07.html
    >
    >     A diff from the previous version is available at:
    >     https://www.ietf.org/rfcdiff?url2=draft-ietf-uta-rfc7525bis-07
    >
    >
    >     Internet-Drafts are also available by rsync at 
    > rsync.ietf.org::internet-drafts
    >
    >
    >     _______________________________________________
    >     Uta mailing list
    >     Uta@ietf.org
    >     https://www.ietf.org/mailman/listinfo/uta
    >
    >
    > _______________________________________________
    > Uta mailing list
    > Uta@ietf.org
    > https://www.ietf.org/mailman/listinfo/uta

v2.23.0 | Report a Bug | By Email