Re: [Uta] Adoption call for draft-sheffer-uta-rfc7525bis-00

Peter Saint-Andre <stpeter@mozilla.com> Fri, 01 May 2020 21:02 UTC

To: Keith Moore <moore@network-heretics.com>, uta@ietf.org
References: <004801d61bae$08a61590$19f240b0$@smyslov.net> <dfe39508-b37a-f008-91d3-cb36bcb84ae1@network-heretics.com>
From: Peter Saint-Andre <stpeter@mozilla.com>
Message-ID: <54812a57-4ae8-2f79-fdc0-854f481aa5e9@mozilla.com>
Date: Fri, 01 May 2020 15:02:38 -0600
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:68.0) Gecko/20100101 Thunderbird/68.7.0
MIME-Version: 1.0
In-Reply-To: <dfe39508-b37a-f008-91d3-cb36bcb84ae1@network-heretics.com>
Content-Type: text/plain; charset="utf-8"
Content-Language: en-US
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/uta/yHs5ygh9hKCcSpAZjbILAZ76e2I>
Subject: Re: [Uta] Adoption call for draft-sheffer-uta-rfc7525bis-00

On 4/30/20 8:59 PM, Keith Moore wrote:
> IMO RFC7525 

That ship sailed in 2015.

> and this new draft both suffer from dubious assumptions and
> make poor recommendations because of those assumptions.  In particular,
> there are many cases for which using an old version of TLS is suboptimal
> and it shouldn't be considered as secure, but it may still be better
> than deprecating old versions of TLS that might be the only ones
> supported by the peer.

I don't think we ever said anything to the contrary. BCP does stand for
*best* current practice, after all. There are many reasons why a piece
of software or hardware can't do what's currently best, but that doesn't
make it evil or in "violation".

> People do not always have the luxury of upgrading their clients and
> servers to versions that support the recent TLS. Some legacy hardware
> has firmware that cannot be upgraded because no upgrades are
> available. Service providers do not always have the leverage to insist
> that their customers upgrade, or the luxury of abandoning customers, etc.

For sure.

> I therefore find it difficult to make good advice of the form "don't use
> TLS version x.y" that is appropriate across all applications and all
> usage scenarios. 

Does a BCP necessarily apply to all applications and all usage
scenarios? That strikes me as an impossible goal. Am I missing something?

> Again, there's an important difference between "don't
> use TLS x.y" and "don't consider TLS x.y secure".

That's a subtlety which might be lost on the intended audience for this
document.

> I also think it's odd that there are recommendations like this that say
> "don't support TLS x.y" but say nothing about not supporting cleartext
> for protocols that still have a cleartext mode. 

The title of RFC 7525 is "Recommendations for Secure Use of TLS and
DTLS" - not "Recommendations for Secure Use of Internet Protocols". This
document assumes that you're using TLS/DTLS and provides guidelines for
how to do so most (or more) securely while striking an appropriate
balance between aspiration and reality.

>  Even SSL 1.0 is
> probably better than cleartext (at least from a security perspective, if
> not from a support burden perspective) as long as it's not trusted to be
> secure.

Yes, "as long as". There's the rub.

> So in summary, either I don't support adoption of this draft, or I
> support adoption of this draft only to the extent that it can be
> significantly changed.

Are you suggesting that it's better to stick with RFC 7525 and not
update it? Or even that the IETF should not have published a BCP on this
topic in the first place? You're welcome to submit an I-D proposing that
the IETF change RFC 7525 to Historic.

Peter