List:       ietf-tls
Subject:    Re: [TLS] Draft minutes for TLS at IETF 108
From:       tom petch <ietfc () btconnect ! com>
Date:       2020-08-13 11:33:38
Message-ID: AM7PR07MB62483161975C90725F73705AA0430 () AM7PR07MB6248 ! eurprd07 ! prod ! outlook ! com

From: Benjamin Kaduk <bkaduk@akamai.com>
Sent: 11 August 2020 18:06

On Wed, Aug 05, 2020 at 10:30:39AM +0000, tom petch wrote:
> From: TLS <tls-bounces@ietf.org> on behalf of Christopher Wood <caw@heapingbits.net>
> Sent: 04 August 2020 19:16
> 
> The official minutes are now up:
> 
> https://datatracker.ietf.org/doc/minutes-108-tls/
>  
> <tp>
> What is Benjamin talking about at the end?
> 
> It looks as if you are proposing action on all or some RFCs that have TLS 1.0 or 1.1 as MTI, related to oldversions-deprecate, but that is a guess from reading between the lines and that topic is a live one for me so I would appreciate clarity.

oldversions-deprecate is already taking action on all RFCs that have TLS 1.0 or
1.1 as MTI (there are some 80-odd documents in the Updates: header).  The
particular items I was mentioning in the meeting relate to various subsets of
those documents that may need some additional handling on top of the basic
"don't use TLS 1.0/1.1; use 1.2 and 1.3 instead" that is currently the content
of the updates.  Details are at
https://mailarchive.ietf.org/arch/msg/tls/K9_uA6m0dD_oQCw-5kAbha-Kq5M/ So:

- RFC 5469 defines DES and IDEA ciphers that are not in TLS 1.2; the
  document as a whole should be historic

- The downgrade-detection SCSV of RFC 7507 is probably in a similar boat

- We should be more clear about "if the document being updated says you
  MUST use TLS 1.0/1.1, that part is removed"
<tp>
Benjamin

This is the bit I could not guess; the rest of the minutes I could guess, but your explanation is much easier to understand.  I have been tracking 'diediedie', including the AD review, since it first appeared, and more a comment on that for Kathleen and Stephen is that RFC5953 does not get a mention, although since it is Obsoleted and the Normative Reference is to RFC4347, that is a category that does not seem to fit in any of the paragraphs of the I-D: Obsolete and TLS1.0 yes, Obsolete and DTLS1.0 no.

RFC6353 I did expect to find; Internet Standard, STD0078, Normative Reference to RFC4347; the Security Considerations of that RFC say 'MUST NOT negotiate SSL 2.0', which might not be considered sufficiently strong for 2020, but how do you update a Standard?

Tom Petch

- No change proposed w.r.t. MTI ciphers (even though the old MTI ciphers
  are no longer considered very good)

Were there additional specific items you were unsure about?

-Ben

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
