Hannes,
I am commenting on this and the related thread.

The strong interest in the UTA work (e.g., the number of experts in different 
areas who contributed to the bcp and the pressure to publish this bcp ASAP 
coming from multiple constituencies) indicates that the merits of publishing 
this document outweigh your concern about confusing the community.

The goal of UTA is to document the best practices for using TLS (and using DTLS 
where it follows the TLS design) based on the lessons learned from  a range of 
popular applications that have been using TLS for quite some time. The idea 
behind the bcp is to analyze the situation and to provide guidance for those 
application communities that choose to use this information as an input to 
their application-specific recommendations. It is up to these communities to 
decide whether to extend, amend, or ignore the bcp altogether. I believe that 
the existing text in the Introduction is very clear about that.

At the same time, TLS/DTLS features or modes of operation that haven't been 
deployed in various real-life scenarios (yet) are left for future study for the 
most part. DTLS with SIP and IoT are some such examples. The next version 
of the bcp would certainly benefit if the experts in additional applications 
using TLS/DTLS share their experience and contribute to UTA going forward.

Cheers,
Orit.

> -----Original Message-----
> From: Hannes Tschofenig [mailto:[email protected]]
> Sent: Tuesday, December 09, 2014 2:37 AM
> To: Orit Levin (LCA); Leif Johansson; [email protected]
> Subject: Re: [Uta] Recommendations for Secure Use of TLS and DTLS
> 
> Hi Orit,
> 
> On 11/16/2014 05:44 AM, Orit Levin (LCA) wrote:
> > In addition, Section 5 contains the detailed discussion on the
> > applicability of this BCP to various application protocols. XMPP is
> > an example of an application to rely on the BCP as the baseline and
> > specify further clarifications and/or deviations in
> > https://tools.ietf.org/html/draft-ietf-uta-xmpp-03 . Email
> > application (with its various entities and protocols) is the next on
> > the UTA agenda. It would be great to see IoT following the same path,
> > i.e. using the BCP baseline recommendations, either within or outside
> > of UTA.
> 
> The problem is only that the communication and usage model of different
> application protocols are very different.
> 
> Where do you best see this difference? For example, the UTA BCP
> completely lacks the discussion about client authentication in TLS. This
> is of course not very surprising if you come from an XMPP, Web, Email
> world where client authentication happens at the application layer.
> 
> When it comes to the recommendations for the use of DTLS let us look at
> the DTLS use in SIP. The problem there is that (a) the community that
> has experience with DTLS in SIP (and media security in particular) is
> not on this list and (b) there is not that much experience with DTLS in
> SIP in the first place (at least compared to the experience of using TLS
> in XMPP, Email and on the Web). Finally, again related to the
> communication model one has to point out that the use of DTLS for SRTP
> in SIP is not following the classical client-server model but rather a
> peer-to-peer model (as described in RFC 5763). For the use of DTLS in
> WebRTC we can hardly speak about best current practice when we are
> currently at the point of "oh it rings".
> 
> Ciao
> Hannes

_______________________________________________
Uta mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/uta