Thanks! Opened https://github.com/yaronf/I-D/issues/350

        Yaron

On 5/27/22, 09:21, "Martin Thomson" <m...@lowentropy.net> wrote:

    I made some comments in discussion of 6125bis that I think this document should address.

    Basically, the document would benefit from a discussion on multi-server deployments in a few arrangements:

    * deployments where multiple servers speak for the same names, but with different protocols.  ALPACA showed us that cross-protocol confusion, particularly for protocols that do not define the use of ALPN, can be exploited by directing protocols toward endpoints that use different protocols.

    * deployments where multiple servers and services with overlapping names have different TLS configurations.  DROWN showed us that the security of these servers depends on the *weakest* server configuration.  If the weak instance can be attacked, that affects all services that share the same name.  This depends a little on the nature of the attack.  An attack like this can render ALPN protections useless.

    See also https://github.com/richsalz/draft-ietf-uta-rfc6125bis/issues/43

    On Fri, May 27, 2022, at 07:26, Yaron Sheffer wrote:
    > This version addresses numerous comments, mostly (but not always) 
    > editorial, by Francesca and Paul W.
    >
    > As a reminder, the document is in IETF LC until May 30.
    >
    > Thanks,
    >   Yaron
    >
    >
    > On 5/27/22, 00:22, "uta-boun...@ietf.org on behalf of 
    > internet-dra...@ietf.org" <uta-boun...@ietf.org on behalf of 
    > internet-dra...@ietf.org> wrote:
    >
    >
    >     A New Internet-Draft is available from the on-line Internet-Drafts 
    > directories.
    >     This draft is a work item of the Using TLS in Applications WG of 
    > the IETF.
    >
    >             Title           : Recommendations for Secure Use of 
    > Transport Layer Security (TLS) and Datagram Transport Layer Security 
    > (DTLS)
    >             Authors         : Yaron Sheffer
    >                               Peter Saint-Andre
    >                               Thomas Fossati
    >             Filename        : draft-ietf-uta-rfc7525bis-07.txt
    >             Pages           : 39
    >             Date            : 2022-05-26
    >
    >     Abstract:
    >        Transport Layer Security (TLS) and Datagram Transport Layer Security
    >        (DTLS) are widely used to protect data exchanged over application
    >        protocols such as HTTP, SMTP, IMAP, POP, SIP, and XMPP.  Over the
    >        years, the industry has witnessed several serious attacks on TLS and
    >        DTLS, including attacks on the most commonly used cipher suites and
    >        their modes of operation.  This document provides the latest
    >        recommendations for ensuring the security of deployed services that
    >        use TLS and DTLS.  These recommendations are applicable to the
    >        majority of use cases.
    >
    >        An earlier version of this document was published as RFC 7525 when
    >        the industry was in the midst of its transition to TLS 1.2.  Years
    >        later this transition is largely complete and TLS 1.3 is widely
    >        available.  This document updates the guidance given the new
    >        environment and obsoletes RFC 7525.  In addition, the document
    >        updates RFC 5288 and RFC 6066 in view of recent attacks.
    >
    >
    >     The IETF datatracker status page for this draft is:
    >     https://datatracker.ietf.org/doc/draft-ietf-uta-rfc7525bis/
    >
    >     There is also an HTML version available at:
    >     https://www.ietf.org/archive/id/draft-ietf-uta-rfc7525bis-07.html
    >
    >     A diff from the previous version is available at:
    >     https://www.ietf.org/rfcdiff?url2=draft-ietf-uta-rfc7525bis-07
    >
    >
    >     Internet-Drafts are also available by rsync at 
    > rsync.ietf.org::internet-drafts
    >
    >
    >     _______________________________________________
    >     Uta mailing list
    >     Uta@ietf.org
    >     https://www.ietf.org/mailman/listinfo/uta
    >


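The two deployment arrangements Martin raises above lend themselves to an inventory check. The Python below is an added example, not code from this thread, the draft or any project named in it; the `Service` record, the version labels and the three constructed services are assumptions. For each DNS name it reports the weakest server that can present a certificate for that name (the DROWN point), and it lists pairs of services that share a name but speak different application protocols without both requiring ALPN (the ALPACA point).

```python
from dataclasses import dataclass
from itertools import combinations

# Protocol versions ordered weakest to strongest (labels are constructed for this example).
VERSION_RANK = {"SSLv2": 0, "SSLv3": 1, "TLS1.0": 2, "TLS1.1": 3, "TLS1.2": 4, "TLS1.3": 5}

@dataclass(frozen=True)
class Service:
    host: str            # where the service runs, e.g. "mail-1:25" (constructed)
    protocol: str        # application protocol it speaks: "http", "smtp", "imap", ...
    names: tuple         # DNS names its certificate covers
    min_version: str     # weakest protocol version the server still accepts
    alpn: tuple = ()     # ALPN ids the server requires; empty means ALPN is not enforced
    rsa_kex: bool = False  # static RSA key exchange still enabled

def _strength(svc):
    # Lower sorts weaker: protocol version first, static RSA key exchange as tiebreak.
    return (VERSION_RANK[svc.min_version], 0 if svc.rsa_kex else 1)

def weakest_per_name(services):
    """Map each name to the weakest service presenting a certificate for it."""
    weakest = {}
    for svc in services:
        for name in svc.names:
            if name not in weakest or _strength(svc) < _strength(weakest[name]):
                weakest[name] = svc
    return weakest

def cross_protocol_risks(services):
    """Pairs of services sharing a name but speaking different application protocols
    where at least one side does not require ALPN, so a redirected handshake is not rejected."""
    risks = []
    for a, b in combinations(services, 2):
        shared = sorted(set(a.names) & set(b.names))
        if shared and a.protocol != b.protocol and not (a.alpn and b.alpn):
            risks.append((a.host, b.host, tuple(shared)))
    return risks

# Constructed inventory: a web front end, an SMTP relay and an IMAP server under example.com.
INVENTORY = [
    Service("web-1:443", "http", ("example.com", "www.example.com"), "TLS1.2", ("h2", "http/1.1")),
    Service("mail-1:25", "smtp", ("example.com", "mail.example.com"), "TLS1.0", rsa_kex=True),
    Service("imap-1:993", "imap", ("mail.example.com",), "TLS1.2"),
]

if __name__ == "__main__":
    for name, svc in sorted(weakest_per_name(INVENTORY).items()):
        print(f"{name}: weakest server is {svc.host} ({svc.min_version}, rsa_kex={svc.rsa_kex})")
    print("cross-protocol exposure:", cross_protocol_risks(INVENTORY))
```

In the constructed inventory the SMTP relay drags both example.com and mail.example.com down to TLS 1.0 with static RSA, and its missing ALPN exposes every other protocol sharing those names.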