Dear list, Two remarks from me for now - maybe the second one is minor:
1) Section 6.5 - OCSP stapling as per RFC6066 has a second short-coming: it does not protect intermediate certs. RFC6961 fixes this. Unfortunately, I am not sure how many implementations already implement it (it's from 2013). Still, if we're going to have stapled OCSP in there, I'd call support for both RFC6066 and 6961 at least a SHOULD. Opinions? 2) Section 3.3 - We write SHOULD for HSTS. We could think about a MUST - it seems to be better supported by clients now, is relatively easily enabled, and its existence ought not harm any clients that do not understand it. I don't have strong feelings about it, though. Ralph On 08/24/2014 09:53 PM, Yaron Sheffer wrote: > Dear UTA folks, > > This is a relatively large revision. The change log: > > - Rearranged some sections for clarity and re-styled the text so that > normative text is followed by rationale where possible. > - Removed the recommendation to use Brainpool curves. > - Triple Handshake mitigation. > - MUST NOT negotiate algorithms lower than 112 bits of security. > - MUST implement SNI, but use per local policy. > - Changed SHOULD NOT negotiate or fall back to SSLv3 to MUST NOT. > - Added hostname validation. > - Non-normative discussion of DH exponent reuse. > > Thanks, > Yaron > > -------- Forwarded Message -------- > Subject: New Version Notification for draft-ietf-uta-tls-bcp-02.txt > Date: Sun, 24 Aug 2014 12:49:11 -0700 > From: [email protected] > To: Yaron Sheffer <[email protected]>, Ralph Holz > <[email protected]>, Peter Saint-Andre <[email protected]>, Ralph Holz > <[email protected]>, Peter Saint-Andre <[email protected]>, Yaron Sheffer > <[email protected]> > > > A new version of I-D, draft-ietf-uta-tls-bcp-02.txt > has been successfully submitted by Yaron Sheffer and posted to the > IETF repository. > > Name: draft-ietf-uta-tls-bcp > Revision: 02 > Title: Recommendations for Secure Use of TLS and DTLS > Document date: 2014-08-24 > Group: uta > Pages: 17 > URL: http://www.ietf.org/internet-drafts/draft-ietf-uta-tls-bcp-02.txt > Status: https://datatracker.ietf.org/doc/draft-ietf-uta-tls-bcp/ > Htmlized: http://tools.ietf.org/html/draft-ietf-uta-tls-bcp-02 > Diff: http://www.ietf.org/rfcdiff?url2=draft-ietf-uta-tls-bcp-02 > > Abstract: > Transport Layer Security (TLS) and Datagram Transport Security Layer > (DTLS) are widely used to protect data exchanged over application > protocols such as HTTP, SMTP, IMAP, POP, SIP, and XMPP. Over the > last few years, several serious attacks on TLS have emerged, > including attacks on its most commonly used cipher suites and modes > of operation. This document provides recommendations for improving > the security of both software implementations and deployed services > that use TLS and DTLS. > > > > > > Please note that it may take a couple of minutes from the time of > submission > until the htmlized version and diff are available at tools.ietf.org. > > The IETF Secretariat > > > > _______________________________________________ > Uta mailing list > [email protected] > https://www.ietf.org/mailman/listinfo/uta -- Ralph Holz I8 - Network Architectures and Services Technische Universität München http://www.net.in.tum.de/de/mitarbeiter/holz/ Phone +49.89.289.18043 PGP: A805 D19C E23E 6BBB E0C4 86DC 520E 0C83 69B0 03EF _______________________________________________ Uta mailing list [email protected] https://www.ietf.org/mailman/listinfo/uta
