Using Transport Layer Security (TLS) with Network News Transfer Protocol (NNTP)
draft-elie-nntp-tls-recommendations-05
Note: This ballot was opened for revision 04 and is now closed.
Alvaro Retana No Objection
(Alexey Melnikov; former steering group member) Yes
(Ben Campbell; former steering group member) Yes
I'm balloting YES, but I have a few comments:
Substantive:
-2, 4th bullet: The normative requirement to support SNI is stated 3 times, with inconsistent requirements. The first sentence says all implementations must support SNI. The next says all clients and servers that can have multiple names must support it. Section 3.3 says that all new clients and any server with multiple names must support it.
-3.4: The section says all implementations are encouraged to follow the recommendations in section 3.2 of 7525. But section 3 said all implementations are REQUIRED to follow the recommendations in 7525 (which I assume to include section 3.2).
- 3.6: Do people expect end users to be able to do anything useful with information like TLS version, certificate details, and ciphersuite choices?
- 6.2: RFCs 4433, 4643, 5536, and 5537 should probably be normative references, since they are referred to using 2119 keywords.
Editorial:
- Q1: I believe the preference is to use the BCP number.
-2, 2nd bullet: The last sentence is convoluted--can it be broken into simpler sentences?
-2, third bullet: Missing article ("the") before RC4. Also, I suspect the REQUIRED should not be capitalized. It seems like a statement of fact.
-2, 4th bullet: "only a SHOULD": "SHOULD" should be in quotes.
-3.1: Please expand "CRIME"
-4, 2nd paragraph, first sentence: Missing word around "need ensure"
(Kathleen Moriarty; former steering group member) Yes
(Spencer Dawkins; former steering group member) Yes
(Stephen Farrell; former steering group member) Yes
- write up: did "[[confirm]]" happen? Just curious.
- 3.5, 2nd last para: A reference to RFC7435 might be useful here. Not needed, just useful.
(Alia Atlas; former steering group member) No Objection
(Alissa Cooper; former steering group member) No Objection
(Deborah Brungard; former steering group member) No Objection
(Jari Arkko; former steering group member) No Objection
(Joel Jaeggli; former steering group member) No Objection
The changes between 03 and 04, I think, adequately explain the changes that are happening to 4642. Thanks for that.
(Mirja Kühlewind; former steering group member) No Objection
- Should section 3.6. maybe also talk about displaying to the user if content was encrypted but not authenticated?
- Nit: in section 4. (Security Considerations):
OLD: "Beyond the security considerations already described in [RFC4642], [RFC6125] and [RFC7525], the author wishes to add the following caveat when not using implicit TLS. NNTP servers need ensure that […]"
NEW: "Beyond the security considerations already described in [RFC4642], [RFC6125] and [RFC7525], NNTP servers need to ensure that […]"
(Suresh Krishnan; former steering group member) No Objection
(Terry Manderson; former steering group member) No Objection