Re: [Last-Call] Secdir telechat review of draft-ietf-uta-rfc7525bis-09

On 7/12/22 5:29 PM, Benjamin Kaduk via Datatracker wrote:
Reviewer: Benjamin Kaduk
Review result: Ready

I looked over the updates from -07 to -09, and they all look good.
I recognize that not all of my previous comments resulted in any text
changes, and appreciate that they were given consideration and the
conscious choice made to not act.  I'd also like to thank the editors
for their efforts to proactively tag me in the github discussion that my
earlier review triggered, and I apologize for not keeping up with that
traffic as it came in.

I do have one comment on the new text:

Section 3.9

Thanks for adding the section on multi-server deployment, that's a great
addition!  In the (first) "multiple services" case, we might also want
to mention that the protection of credentials (certificate private keys)
is a shared attack surface across services, so when we say "provide
equivalent levels of security" we might clarify that we consider both
the TLS configuration and the protections against server compromise as
being relevant.

Good catch:

https://github.com/yaronf/I-D/issues/435

I like your suggestion of "equivalent levels of security (including both the TLS configuration and the protections against server compromise)"

I'll also repeat one comment from my earlier review to make it more visible
to the ADs.  I acknowledge that the authors already responded to it and
that the same reply continues to apply; I do not expect that repeating my
statement will be any more convincing than it was the first time.

Section 3.1.1

    *  Implementations MUST support TLS 1.2 [RFC5246] and MUST prefer to
       negotiate TLS version 1.2 over earlier versions of TLS.
       [...]
    *  Implementations SHOULD support TLS 1.3 [RFC8446] and, if
       implemented, MUST prefer to negotiate TLS 1.3 over earlier
       versions of TLS.

It's very disappointing to me to see that we label a TLS 1.3-only
implementation as non-compliant with the BCP for TLS usage; such an
implementation is more secure than a joint 1.2+1.3 implementation.
That said, I assume that the WG discussed this topic extensively and
it seems somewhat unlikely that I have any new contributions to that
discussion.

Even the authors are sometimes disappointed by what ends up in a BCP - I know I felt that way about both RFC 6125 (wildcard certs!) and RFC 7525.

Personally I would be comfortable with changing TLS 1.3 from SHOULD support to MUST support, but we'd need to see what the WG thinks.

Peter

--
last-call mailing list
last-call@xxxxxxxx
https://www.ietf.org/mailman/listinfo/last-call


