On Tue, Sep 19, 2023 at 07:25:51AM -0400, Chris Lonvick wrote: > I think that the changes to Sections 4 and 5 should be limited to > replacing "MUST NOT" with "SHOULD NOT". That will provide clear > guidance for implementers. > > I was then thinking of changing the Security Considerations section to the > following: > ---vvv--- > 10. Security Considerations > > [BCP195] deprecates an insecure DTLS transport protocol from > [RFC6012] and deprecates insecure cipher suits from [RFC5425] and > [RFC6012]. This document specifies mandatory to implement cipher > suites to those RFCs and the latest version of the DTLS protocol to > [RFC6012].
The above reads a bit clumsy, perhaps something along the lines of: OLD: This document specifies mandatory to implement cipher suites to those RFCs and the latest version of the DTLS protocol to [RFC6012]. NEW: This document updates the mandatory to implement cipher suites to conform with those RFCs and the latest version of the DTLS protocol [RFC6012]. > The insecure cipher suites SHOULD NOT be offered. If a device > currently only has an insecure cipher suite, an administrator of the > network should evaluate the conditions and determine if the insecure > cipher suite should be allowed so that syslog messages may continue > to be delivered until the device is updated to have a secure cipher > suite. > ---^^^--- > > Please comment and suggest any further edits for WG review. Module word-smithing, this is generally acceptable. Prohibition of the weaker code points, rather than promotion of their replacements isn't [RFC7435] my most preferred approach to improving security, but it'll have to do when consensus that raising the ceiling will suffice is not within reach. Thanks for taking my comments into consideration. -- Viktor. _______________________________________________ Uta mailing list Uta@ietf.org https://www.ietf.org/mailman/listinfo/uta