On 7/21/14, 1:55 PM, Alexey Melnikov wrote:
I've read this draft and I support its publication as a BCP.
I have one minor issue:
In 3.3, first paragraph:
Combining unprotected and TLS-protected communication opens the way
to SSL Stripping and similar attacks. In cases where an application
protocol allows implementations or deployments a choice between
strict TLS configuration and dynamic upgrade from unencrypted to TLS-
protected traffic (such as STARTTLS), clients and servers SHOULD
prefer strict TLS configuration.
Is this text recommending use of TLS on a separate port (e.g. IMAPS),
that STARTTLS should always be used (and remembered, in order to prevent
downgrade attacks) or both? I would like this text to be clarified to be
unambiguous.
As I understand it, the text is recommending that implementations prefer
the use of TLS on a separate port where available, and prefer not to use
STARTTLS (or similar). Naturally this applies only to application
protocols that support both TLS-on-a-separate-port and
upgrade-from-unsecured-to-secured.
Peter
_______________________________________________
Uta mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/uta
