Hi Peter,
I understand the need for multiple BCPs, I just want to minimize
conflicts between them, and we will need a lot of communication to do that.
There are a bunch of process questions that we'll need to discuss over
time (Informational vs. PS etc.), but let's postpone this stuff.
Lastly, my view of the TLS BCP document is as an interim measure, until
TLS 1.3 comes around and until the industry adopts it. Yes, this could
be 2-3 years or possibly more. App-level BCPs should IMHO anticipate
this migration from TLS 1.2 augmented by the BCP (essentially a profile)
into TLS 1.3.
Thanks,
Yaron
On 2013-10-24 21:03, Peter Saint-Andre wrote:
> On 10/23/13 6:02 AM, Stephen Farrell wrote:
> > On 10/23/2013 12:52 PM, Alexey Melnikov wrote:
> > > Hi Stephen,
> > > On 22/10/2013 17:46, Stephen Farrell wrote:
> > > > Yep, that's a useful post - we shouldn't rush too much, but we
> > > > do want to get things done so that developers and deployers
> > > > have something to use.
> > > > I wonder what's the best way to proceed with this kind of
> > > > stuff. I guess we want a BCP of some sort, but the question is
> > > > how to handle the various different cases of foo-with-tls.
> > > > - Yaron did a generic TLS BCP draft. [1]
> > > > - PSA did an XMPP TLS BCP draft [2]
> > > > - This sounds like we might want an SMTP TLS BCP draft or perhaps
> > > >   to add text to [3], but that's aiming for experimental and is
> > > >   just about using DANE.
> > > I think some generic fallback rules can be protocol independent.
> > > But needs of different protocols might be different. For example
> > > backward compatibility with deployed TLS ciphers might be
> > > different for XMPP and SMTP.
> > Sounds reasonable. I guess even if they have the same libraries the
> > update cycles might differ. (Anyone know?)
> I expect that the update cycles are indeed different.
> I don't particularly *want* to have different BCPs for different
> protocols, and personally I'd like to see as much commonality as
> possible (with everyone pointing to Yaron's generic document).
> However, there are some application-level differences (e.g., with
> regard to session resumption) and each community (email, IM, web,
> etc.) has had a different experience with the use of TLS, including
> varying release schedules or willingness to release more often, use of
> STARTTLS vs. separate ports, bigger or smaller networks, more or less
> diverse developer community (e.g., with no one dominant implementation
> or small set of implementations), client-to-server only communications
> vs. also server-to-server federation, varying user expectations, etc.
> > > I think SMTP TLS BCP would be a good idea. I think it should be
> > > independent of DANE, because of the status of the DANE document.
> > > I would be happy to work on it (and would be happy to collaborate
> > > with PSA to discuss similarities and differences).
> > Great. Let's talk in YVR about how to get that done so it's a real
> > BCP that gets followed in the wild. If someone else is up for
> > helping I guess contact Alexey.
> Before this thread emerged, I suggested the idea of having a chat
> about this topic during the AppsArea session on Monday morning (and
> BTW there are no SEC area sessions opposite). That might be a good
> place to start.
> Peter
> --
> Peter Saint-Andre
> https://stpeter.im/
_______________________________________________
perpass mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/perpass