On Sat, Dec 7, 2024 at 12:14 AM John Mattsson <john.mattsson= 40ericsson....@dmarc.ietf.org> wrote:
> Muhammad Usama Sardar wrote: > > >Do we have an I-D which defines how long do we consider as long-term > connections? or I-D which gives recommendations or best practices for how > long do we consider TLS 1.3 to provide excellent security? > > > > - One clear timepoint is when the server certicate expires. TLS 1.3 > removed the ability to do server reauthentication. > - RFC 4253 recommends rekeying with PFS after each gigabyte of transmitted > data or after each hour of connection time. > - French ANSSI recommends periodic rekeying with PFS, e.g. every hour and > every 100 GB of data, in order to limit the impact of a key compromise. > > https://cyber.gouv.fr/sites/default/files/2015/09/NT_IPsec_EN.pdf > TLS 1.3 KeyUpdate provides forward security: if you recover key N+1, you do not get key N. What it does not provides is post-compromise security, namely, if you recover key N, then you also can recover key N+1, etc. PCS requires a new asymmetric exchange. -Ekr > > > >If the intention of draft was #2 above, cross-reading with this sentence, > are we implying that PQC is not an urgent security issue? > > > > That is a very good point. I suggest changing this to > > OLD: “This document specifies that outside of urgent security fixes, no > new features will be approved for TLS 1.2” > > NEW: “This document specifies that, no new features will be approved for > TLS 1.2” > > (TLS WG can always make a future RFC overriding this anyway…) > > > > >It looks like a more detailed version of tls12-frozen draft. Is there a > good reason not to merge the two documents? > > > > I had the same thought. I think they would be better as a single document. > But I don’t care very much. > > > > >What does the capitalization of WILL NOT mean? > > > > Yes, and it is not in RFC 6919 either… ;) > > > > Cheers, > John > > > > *From: *Muhammad Usama Sardar <muhammad_usama.sar...@tu-dresden.de> > *Date: *Friday, 6 December 2024 at 18:33 > *To: *Valery Smyslov <smyslov.i...@gmail.com>, 'Sean Turner' < > s...@sn3rd.com>, 'TLS List' <tls@ietf.org> > *Subject: *[TLS] Re: Working Group Last Call for TLS 1.2 is in Feature > Freeze > > A few quick questions. Sorry if I am missing something obvious or some > background. > > On 04.12.24 08:04, Valery Smyslov wrote: > > note, that UTA WG has issued a WGLC for draft-ietf-uta-require-tls13-02 (New > Protocols Must Require TLS 1.3) [1]. > > > > [1] https://datatracker.ietf.org/doc/draft-ietf-uta-require-tls13/ > > Thanks for pointer to this. It looks like a more detailed version of > tls12-frozen draft. Is there a good reason not to merge the two documents? > Is it due to different WGs? or different intended status? or something > else? > > > > > > On 04.12.24 10:36, John Mattsson wrote: > > as-is, TLS 1.3 does not provide excellent security for long-term > connections. > > Do we have an I-D which defines *how long* do we consider as long-term > connections? or I-D which gives recommendations or best practices for *how > long *do we consider TLS 1.3 to provide excellent security? > > --- > > Considering the following two statements in I-D, I have two questions: > > > For TLS it is important to note that the focus of these efforts is > > > TLS 1.3 or later. Put bluntly, post-quantum cryptography for TLS 1.2 > > > WILL NOT be supported. > > To me the two sentences are contradicting. Which one of the following is > intended? > > 1. (My understanding from 1st sentence) Some PQC support for TLS 1.2 > will still continue but it will not be the focus. > 2. (My understanding from 2nd sentence) We will exclusively work on > PQC for TLS 1.3 or later. > > What does the capitalization of WILL NOT mean? I did not find any such > capitalization in RFC 2119 and RFC 8174. Please add the relevant RFC in > section 2 or define it. > > > This > > > document specifies that outside of urgent security fixes, no new > > > features will be approved for TLS 1.2. > > If the intention of draft was #2 above, cross-reading with this sentence, > are we implying that PQC is not an urgent security issue? > _______________________________________________ > TLS mailing list -- tls@ietf.org > To unsubscribe send an email to tls-le...@ietf.org >
_______________________________________________ TLS mailing list -- tls@ietf.org To unsubscribe send an email to tls-le...@ietf.org