[Uta] Comments as draft-rsalz-uta-require-tls13

Alan DeKok <aland@deployingradius.com> Mon, 25 March 2024 10:36 UTC

From: Alan DeKok <aland@deployingradius.com>
Message-Id: <3E6241EB-24CB-4B42-9B7F-7AB32DCC290C@deployingradius.com>
Date: Mon, 25 Mar 2024 06:36:03 -0400
To: uta@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/uta/zFuhbAU188ptI_re_lFtwb24Vj4>
Subject: [Uta] Comments as draft-rsalz-uta-require-tls13

  Speaking as non-chair (and my first post to the list).

  There were a number of comments in Brisbane about managing default TLS versions.  While the comments made different proposals, I don't think that they were substantially different.  I'll try to clarify my understanding here.

  I'll divide the comments into two areas:

1) standards

  New standards MUST require TLS 1.3 or higher.

  New standards MAY be compatible with TLS 1.2.

2) implementations

  Implementations of new standards MUST default to using TLS 1.3 or higher.

  These implementations SHOULD have a way to configure the minimum allowable TLS version to use.  If this setting is configurable, any default example MUST use TLS 1.3.  If the TLS versions are not set in any configuration, then the implementation MUST use TLS 1.3 or higher.
  There are a number of ways to support this functionality.  One common way is to allow the administrator to set "minimum allowed TLS version" and "maximum allowed TLS version".  For examples, see:

https://www.openssl.org/docs/man1.1.1/man3/SSL_set_min_proto_version.html

https://github.com/FreeRADIUS/freeradius-server/blob/release_3_2_3/raddb/mods-available/eap#L497

  Apache only supports setting the minimum TLS version:

https://httpd.apache.org/docs/2.4/mod/mod_tls.html

  wpa_supplicant has explicit flags to enable / disable each TLS version:

https://w1.fi/cgit/hostap/tree/wpa_supplicant/wpa_supplicant.conf?h=hostap_2_10#n1358


  Of the different methods, I think the wpa_supplicant method is the least preferred.

  Alan DeKok.
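The "minimum allowed TLS version" / "maximum allowed TLS version" pattern the message describes, shown as an added example that is not part of the original post and not code from OpenSSL, FreeRADIUS, Apache or wpa_supplicant. It uses Python's standard-library ssl module, whose `minimum_version` / `maximum_version` properties wrap the OpenSSL `SSL_CTX_set_min_proto_version` / `SSL_CTX_set_max_proto_version` calls linked above. The configuration key names `tls_min_version` and `tls_max_version` and the sample configurations are assumed for illustration; the policy implemented is the one stated in the message: an unset minimum means TLS 1.3 or higher.

```python
"""Added example (not from the email or the linked projects): map an
administrator-facing min/max TLS version setting onto an ssl.SSLContext,
defaulting to TLS 1.3 when nothing is configured.  The config key names
tls_min_version / tls_max_version are assumed for illustration."""
import ssl

# Strings an administrator may write in the config file.  Anything older
# than TLS 1.2 is deliberately absent, so it cannot be enabled even by an
# explicit setting; this is a stricter floor than the ssl module itself.
_VERSIONS = {
    "1.2": ssl.TLSVersion.TLSv1_2,
    "1.3": ssl.TLSVersion.TLSv1_3,
}

# The default when the minimum is not configured at all: TLS 1.3 or higher.
DEFAULT_MIN = ssl.TLSVersion.TLSv1_3


def resolve_versions(config):
    """Return (min_version, max_version) for a config dict.

    Unset keys fall back to the secure default (minimum TLS 1.3, no upper
    bound).  An unknown version string or an inverted range raises
    ValueError so the service fails closed rather than silently negotiating
    an older protocol.
    """
    min_str = config.get("tls_min_version")
    max_str = config.get("tls_max_version")

    min_v = DEFAULT_MIN if min_str is None else _VERSIONS.get(min_str)
    max_v = (ssl.TLSVersion.MAXIMUM_SUPPORTED if max_str is None
             else _VERSIONS.get(max_str))

    if min_v is None:
        raise ValueError(f"unsupported tls_min_version {min_str!r}")
    if max_v is None:
        raise ValueError(f"unsupported tls_max_version {max_str!r}")
    # MAXIMUM_SUPPORTED is a sentinel, not a real version number, so only
    # compare when an explicit ceiling was given.
    if max_v != ssl.TLSVersion.MAXIMUM_SUPPORTED and max_v < min_v:
        raise ValueError("tls_max_version is lower than tls_min_version")
    return min_v, max_v


def config_error(config):
    """Return the validation error text for a config, or None if it is OK."""
    try:
        resolve_versions(config)
    except ValueError as exc:
        return str(exc)
    return None


def make_context(config, purpose=ssl.Purpose.SERVER_AUTH):
    """Build an SSLContext whose version window follows resolve_versions().

    ssl.SSLContext.minimum_version / maximum_version call OpenSSL's
    SSL_CTX_set_min_proto_version / SSL_CTX_set_max_proto_version.
    """
    min_v, max_v = resolve_versions(config)
    ctx = ssl.create_default_context(purpose)
    ctx.minimum_version = min_v
    ctx.maximum_version = max_v
    return ctx


if __name__ == "__main__":
    # Constructed sample configurations, from "nothing set" to a legacy
    # operator who explicitly lowers the floor to TLS 1.2.
    samples = [
        {},                                              # defaults: 1.3+
        {"tls_min_version": "1.2"},                      # explicit legacy floor
        {"tls_min_version": "1.2", "tls_max_version": "1.2"},
        {"tls_min_version": "1.3", "tls_max_version": "1.2"},  # inverted
        {"tls_min_version": "1.0"},                      # not offered at all
    ]
    for cfg in samples:
        err = config_error(cfg)
        if err:
            print(f"{cfg!r}: rejected ({err})")
        else:
            lo, hi = resolve_versions(cfg)
            print(f"{cfg!r}: min={lo.name} max={hi.name}")
```

The point a practitioner should take from this is that the secure default lives in the policy function, not in whatever the TLS library happens to default to: an empty configuration yields TLS 1.3, lowering the floor requires an explicit setting, and anything below TLS 1.2 is not a recognised value at all.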