On Tue, Sep 19, 2023 at 07:25:51AM -0400, Chris Lonvick wrote:
> I think that the changes to Sections 4 and 5 should be limited to
> replacing "MUST NOT" with "SHOULD NOT". That will provide clear
> guidance for implementers.
>
> I was then thinking of changing the Security Considerations section to the
> following:
> ---vvv---
> 10. Security Considerations
>
> [BCP195] deprecates an insecure DTLS transport protocol from
> [RFC6012] and deprecates insecure cipher suits from [RFC5425] and
> [RFC6012]. This document specifies mandatory to implement cipher
> suites to those RFCs and the latest version of the DTLS protocol to
> [RFC6012].
The above reads a bit clumsy, perhaps something along the lines of:
OLD: This document specifies mandatory to implement cipher
suites to those RFCs and the latest version of the DTLS
protocol to [RFC6012].
NEW: This document updates the mandatory to implement cipher
suites to conform with those RFCs and the latest version
of the DTLS protocol [RFC6012].
> The insecure cipher suites SHOULD NOT be offered. If a device
> currently only has an insecure cipher suite, an administrator of the
> network should evaluate the conditions and determine if the insecure
> cipher suite should be allowed so that syslog messages may continue
> to be delivered until the device is updated to have a secure cipher
> suite.
> ---^^^---
>
> Please comment and suggest any further edits for WG review.
Module word-smithing, this is generally acceptable. Prohibition of the
weaker code points, rather than promotion of their replacements isn't
[RFC7435] my most preferred approach to improving security, but it'll
have to do when consensus that raising the ceiling will suffice is not
within reach. Thanks for taking my comments into consideration.
--
Viktor.
_______________________________________________
Uta mailing list
Uta@ietf.org
https://www.ietf.org/mailman/listinfo/uta
