I've read this draft. Overall, I support publication of this draft or a revised
version as a BCP.

Minor issues (not issues I consider blocking):

* I'd like a single list/table of TLS extensions that implementers/operators
need to consider seriously included. It's fine if it just includes references
to the RFC (or section of this BCP) where the detailed rules live. This makes
it easier to navigate through the RFCs.

Section 3.4:
>    o  Implementations MUST NOT negotiate RC4 cipher suites

I'd prefer to have this statement added: "unless the only alternative would be
an unencrypted connection"

Nits to improve the specification (not issues I consider blocking):

Section 1: Introduction

>   Transport Layer Security (TLS) and Datagram Transport Security Layer

This should include appropriate references

TLS  => RFC 5246 + RFC 5746
DTLS => RFC 6347

>   protocols such as HTTP, SMTP, IMAP, POP, SIP, and XMPP.  Over the   

These should include appropriate references where possible.

HTTP => RFC 7230
SMTP => RFC 3207
IMAP => RFC 3501
POP3 => RFC 2595
XMPP => RFC 6120

>   standardized and deployed in the field, should resolve the current
>   vulnerabilities while providing significantly better functionality,
>   and will very likely obsolete this document.

I suggest deleting the last clause. No need to predict the future. I am also
unsure if the TLS WG wants the responsibility of replacing all the material in
this draft when TLS 1.3 is published.

                - Chris

_______________________________________________
Uta mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/uta