Re: [tram] [art] Artart telechat review of draft-ietf-tram-stunbis-16

On 04/17/2018 12:43 PM, Julien ÉLIE wrote:
> Hi Marc,
>>>> So I kept the text there, followed by the following paragraph,
>>>> in addition to moving the original last paragraph in the Security
>>>> Consideration section:
>>>>
>>>> " These recommendations are just a part of the recommendations in
>>>>    [RFC7525] that implementations and deployments of a STUN usage using
>>>>    TLS or DTLS SHOULD follow."
>>>
>>> I would instead suggest that we do something like Section 2 of RFC 7590
>>> for XMPP:
>>>
>>>     The best current practices documented in the "Recommendations for
>>>     Secure Use of TLS and DTLS" [RFC7525] are included here by reference.
>>>     Instead of repeating those recommendations here, this document mostly
>>>     provides supplementary information regarding secure implementation
>>>     and deployment of XMPP technologies.
>>>
>>> Here's the rationale: RFC 7525 is likely to be updated/replaced more
>>> quickly than STUNbis. If STUNbis recommends a particular cipher suite
>>> that 7525bis stops recommending, in the absence of STUNter will STUN
>>> implementations keep following STUNbis or will they upgrade to whatever
>>> 7525bis recommends? I suggest it will be the former, which is not what
>>> we want.
>>
>> All right, makes sense.  I'll add something like this on my next
>> round of reviews, most likely this Friday.
> 
> If you're going to add some wording about including TLS best current practices, maybe you could re-use what we came up with during final RFC edition of RFC 8143 <https://tools.ietf.org/html/rfc8143>:
> 
> 3.  Recommendations
> 
>    The best current practices documented in [BCP195] apply here.
>    Therefore, NNTP implementations and deployments compliant with this
>    document are REQUIRED to comply with [BCP195] as well.
> 
>    Instead of repeating those recommendations here, this document mostly
>    provides supplementary information regarding secure implementation
>    and deployment of NNTP technologies.
> 
> 
> Notably, the RFC Editor prefers referencing RFC 7525 as BCP 195 even though there currently is only one RFC in this BCP series.  As other RFCs may be added in BCP 195, and we want to follow all best practices that apply, the reference should be the BCP series.
> 

Thanks, I used the BCP as reference, and changed the SHOULD to MUST.

-- 
Marc Petit-Huguenin
Email: marc@xxxxxxxxxxxxxxxxxx
Blog: https://marc.petit-huguenin.org
Profile: https://www.linkedin.com/in/petithug
