Hannes,

This BCP is not targeted to Web applications alone; rather, it is an application-independent document recommending best existing and future practices for using TLS. Please see the discussion on the UTA's charter and the scope of each deliverable from January 2014 here: http://www.ietf.org/mail-archive/web/uta/current/msg00053.html.

The following paragraph from the BCP Introduction says: "These are minimum recommendations for the use of TLS in the vast majority of implementation and deployment scenarios, with the exception of unauthenticated TLS (see Section 5). Other specifications that reference this document can have stricter requirements related to one or more aspects of the protocol, based on their particular circumstances (e.g., for use with a particular application protocol); when that is the case, implementers are advised to adhere to those stricter requirements."

In addition, Section 5 contains the detailed discussion on the applicability of this BCP to various application protocols. XMPP is an example of an application to rely on the BCP as the baseline and specify further clarifications and/or deviations in https://tools.ietf.org/html/draft-ietf-uta-xmpp-03. Email application (with its various entities and protocols) is the next on the UTA agenda. It would be great to see IoT following the same path, i.e. using the BCP baseline recommendations, either within or outside of UTA.

Thanks,
Orit.

> -----Original Message-----
> From: Uta [mailto:[email protected]] On Behalf Of Hannes Tschofenig
> Sent: Saturday, November 15, 2014 4:51 PM
> To: Leif Johansson; [email protected]
> Subject: Re: [Uta] Recommendations for Secure Use of TLS and DTLS
>
> Here is a suggestion:
>
> Title: "Recommendations for Secure Use of TLS in the Web"
>
> Abstract:
>
> Transport Layer Security (TLS) is widely used to protect data exchanged
> over application protocols such as HTTP, SMTP, IMAP, POP, SIP, and XMPP.
> Over the last few years, several serious attacks on TLS have emerged,
> including attacks on its most commonly used cipher suites and modes of
> operation. This document provides recommendations for improving the
> security of deployed services that use TLS. The recommendations are
> applicable to the majority of use cases.
> Recommendations for other environments, such as Internet of Things, XMPP
> and Email, can be found in other specifications.
>
>
> On 11/14/2014 09:37 PM, Leif Johansson wrote:
> > On 2014-11-14 20:57, Hannes Tschofenig wrote:
> >> I have a small request for "Recommendations for Secure Use of TLS
> >> and DTLS" <draft-ietf-uta-tls-bcp-07>: Could you please change the
> >> scope of the document so that it does not collide with the work we
> >> do in DICE.
> >
> >> Your recommendations, as stated in the abstract, focus on the
> >> Web/messaging/email space rather than the Internet of Things
> >> space.
> >
> >
> > Hannes,
> >
> > The document is in its second WGLC. If you want to suggest changes,
> > please provide concrete text.
> >
> > Cheers Leif
> >
> >
> > _______________________________________________
> > Uta mailing list
> > [email protected]
> > https://www.ietf.org/mailman/listinfo/uta
> >
