Re: [Uta] Fwd: New Version Notification for draft-ietf-uta-tls-bcp-03.txt

Mon, 22 Sep 2014 19:17:52 -0700 

On 9/21/14, 2:15 PM, Yaron Sheffer wrote:

Dear UTA members,

We have just issued a new version of the BCP. Thanks to all who
contributed useful criticism or actual text.

Change log:

o Disallow truncated HMAC.
o Applicability to DTLS.
o Some more text restructuring.
Service names other than HTTPS (e.g., SMTPS, XMPPS) are not found in the wild and I see no reason to invent them here. 

Also, I suggest:

OLD
   document does not address the rare deployment scenarios where one of
   these three properties is not desired.

NEW
   document is not intended to directly address deployment scenarios
   where one of these three properties is not desired.


o Host name validation is sometimes irrelevant.


I suggest:

OLD
   With some protocols, the host name is obtained indirectly and in an
   insecure manner, e.g.  by an insecure DNS query for an MX record.  In
   these cases, the host name SHOULD NOT be used as a trusted identity
   even when it matches the presented certificate.

NEW
   If the host name is discovered indirectly and in an insecure manner
   (e.g., by an insecure DNS query for an MX or SRV record), it SHOULD
   NOT be used as a reference identifier [RFC6125] even when it matches
   the presented certificate.  This proviso does not apply if the host
   name is discovered securely (for further discussion, see for example
   [I-D.ietf-dane-srv] and I-D.ietf-dane-smtp]).


o HSTS: MUST implement, SHOULD deploy.


The new text says:

   o  Client and server implementations MUST support the HTTP Strict
      Transport Security (HSTS) header [RFC6797], in order to allow Web
      servers to advertise that they are willing to accept TLS-only
      clients.

I think it should say:

   o  HTTP client and server implementations MUST support the HTTP
      Strict Transport Security (HSTS) header [RFC6797], in order to
      allow Web servers to advertise that they are willing to accept
      TLS-only clients.
Since, by definition, HSTS does not apply to IMAP, POP, XMPP, and other non-HTTP application protocols. 


o Session identities are not protected, only tickets are.
o Clarified the target audience.


Thanks, Yaron!

Peter


_______________________________________________
Uta mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/uta

Reply via email to