On 02/17/2015 08:49 PM, Alissa Cooper wrote:
> Alissa Cooper has entered the following ballot position for
> draft-ietf-uta-tls-bcp-09: Discuss
> 
> When responding, please keep the subject line intact and reply to all
> email addresses included in the To and CC lines. (Feel free to cut this
> introductory paragraph, however.)
> 
> 
> Please refer to http://www.ietf.org/iesg/statement/discuss-criteria.html
> for more information about IESG DISCUSS and COMMENT positions.
> 
> 
> The document, along with other ballot positions, can be found here:
> http://datatracker.ietf.org/doc/draft-ietf-uta-tls-bcp/
> 
> 
> 
> ----------------------------------------------------------------------
> DISCUSS:
> ----------------------------------------------------------------------
> 
> Thanks for all your work on this.
> 
> I have a quick question about how we expect this document to be used
> within the IETF. I note that the bulk of the requirements/recommendations
> are directed at implementers, not protocol designers/specs. And Section
> 4.2.1 also says:
> 
> "This document does not change the mandatory-to-implement TLS cipher
>    suite(s) prescribed by TLS or application protocols using TLS. ...
>    Implementers should consider the interoperability gain against the
>    loss in security when deploying that cipher suite.  Other application
>    protocols specify other cipher suites as mandatory to implement
>    (MTI)."
> 
> So my question is whether we should consider this document effectively
> silent about the choice of cipher suites to be used when we standardize a
> new application protocol in the IETF, or an update to an existing
> protocol. That is the impression that I get from the text right now, and
> it doesn't quite match the way we've been using/citing the document in
> some recent discussions of other drafts. On the other hand, if we're
> expecting new or updated application protocol specs to conform to or take
> into account the recommendations in this document, I think that should be
> made more clear.

I think there is a very clear difference between MTI and deployment
best practice and the text above is trying to express that difference.

I don't think UTA wants a piece of the action over at CFRG - that group
doesn't need another set of "helpful" hands IMHO :-)

        Cheers Leif


_______________________________________________
Uta mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/uta
