Ballot for draft-ietf-tls-deprecate-obsolete-kex
Discuss
Yes
No Objection
Summary: Has 2 DISCUSSes. Has enough positions to pass once DISCUSS positions are resolved.
Thank you for making this document and the detailed research that likely underpins this proposed update to many RFCs. I am very supportive of this work, however, as this proceeds I have some things that I’d like to see clarified. I would have just passed comments to the editors, but I am not entirely sure how a reader of this document is to now interpret the set of published RFCs I think readers (who may have even less experience than me) ought to clearly understand what has changed. ## DISCUSS 1: I am unsure what is actually required to be updated in the list of RFCs in para 1. I see sentences like: “This includes all cipher suites listed in the table in Appendix A.” My question is what does “includes” mean here? Could this be as simple as a statement something like: “This updates the set of RFCs listed in this document in XXX to deprecate the use of non-ephemeral FFDH cipher suites in (D)TLS 1.2 connections.” Or is there more needed? ## DISCUSS 2: If there is a change to clarify the update would it be possible to make a similar change for all other statements in paras 2,3, and sections 3 and 4. (See Med’s DISCUSS of how this can reflected in some of the specific IANA registries). ## DISCUSS 3: I see this updates a BCP, RFC9325, but I am unsure in what way this is formally updated. I see the text: “ [RFC9325] contains the latest IETF recommendations for users of the (D)TLS protocol (and specifically, (D)TLS 1.2) and this document supersedes it in several points.” - I was expecting text in a section of the document that specifically stated what sections/text was to be changed in that document, but I could not work that out for certain, and hence this list of points is not clear. Can these changes to RFC9325 be made explicit in this specific I-D? I have raised these as DISCUSS items, because I could not clearly understand the intention of the requested changes to the published RFCs. I expect this to be very easy to resolve some way, but would like to understand how. I plan to clear my discuss with support for this document. Best, Gorry.
I see the lists of RFCs to be updated have been placed in appendices. I would have expected these to appear in subsections within the body of the published RFC - reasoning that this is not supplementary material, but is the core contribution. However, if that style is acceptable for this WG, then that would of course be fine for me also. My comment is that I would strongly encourage that each appendix add a sentence or a change to the title that explains that is the normative list of RFCs to be changed.
Hi Nimrod, Thank you for the effort put into this document. Thanks to Menachem for the OPSDIR review. Maybe I wasn’t looking at the right places, but it is unfortunate the absence of follow-ups with directorate reviews (part of IETF LC). I’m supportive of the maintenance effort made here. However, I think a discussion on known (or lack of) uses of the schemes (if any) and associated operational implications is worth to be documented. # Update a BCP CURRENT: [RFC9325] contains the latest IETF recommendations for users of the (D)TLS protocol (and specifically, (D)TLS 1.2) and this document supersedes it in several points. Appendix F details the exact differences. All other recommendations of the BCP document remain valid. … +============================+=============+============+ | | RFC 9325 | RFC XXX | +============================+=============+============+ | Non-ephemeral FFDH | SHOULD NOT | MUST NOT | +----------------------------+-------------+------------+ | Non-ephemeral ECDH | SHOULD NOT | No change | +----------------------------+-------------+------------+ | Fixed DH certificate types | Unspecified | SHOULD NOT | +----------------------------+-------------+------------+ | Ephemeral FFDH | SHOULD NOT | MUST NOT | +----------------------------+-------------+------------+ | Static RSA | SHOULD NOT | MUST NOT | +----------------------------+-------------+------------+ ## Is this document the right place to update a BCP? ## Rather than approaching this with the items discussed in this specific document, wouldn’t be sustainable to make a short update to RFC9325 that basically says: "Any scheme that is marked as Deprecated in the authoritative registry MUST NOT be offered/used"? ## Why are we listing ECDH in a table that is supposed to list changes? ## Why are we repeating recommendations that are already in RFC9325? CURRENT: Clients SHOULD NOT offer and servers SHOULD NOT select non-ephemeral ECDH cipher suites in (D)TLS 1.2 connections. ## Overlapping/interference with 9325 CURRENT: Therefore, clients and servers MAY offer FFDHE cipher suites in (D)TLS 1.3 connections. To what extent is this redundant with the considerations already in RFC9325? More importantly, the risk I see with isolating this recommendation is that we decouple it from other recommendations that impose some constraints on their use: (Section 7.4 of RFC9325) * TLS implementations SHOULD NOT use static finite-field DH keys and SHOULD NOT reuse ephemeral finite-field DH keys across multiple connections.
# Lack of Operational Considerations Valery (artart review) raised a valid point that I’m grabbing from his review: “1. Perhaps some text should be added about potential interoperability problems (or, as we hope, the lack of such) caused by deprecation of the mentioned key exchnage methods. If this could be backed up by some figures from real word, it would be great.” # RFC9325, Again * “[RFC9325] contains the latest IETF recommendations” won’t age well. However, “[BCP195] contains the latest IETF recommendations” is likely to be valid independent of future revisions of RFC9325.) * I don’t quite understand why normative changes are listed in an appendix: “Appendix F. Updating RFC 9325” # IANA Actions ## Please indicate where to find the registry OLD: This document requests IANA to mark the cipher suites from the "TLS Cipher Suites" registry listed in Appendix A, Appendix B, Appendix C, NEW: This document requests IANA to mark the cipher suites from the "TLS Cipher Suites" registry, under “Transport Layer Security (TLS) Parameters” registry group, listed in Appendix A, Appendix B, Appendix C, ## nit s/ refer to the this document/refer to this document # Appendix A. DH Cipher Suites Deprecated by This Document Can we use the format used in the IANA registry? Or at least, if we want to keep this consistent with the registry, can we please be explicit that we are asking for “recommended” to be set to “D” for these entries? # Appendix B. ECDH Cipher Suites Whose Use Is Discouraged by This Document These are already marked as “N” in the registry. What concrete changes will be captured in the registry? Please clarify. Cheers, Med
I have no objection to the publication of this document as an RFC. Many thanks to Valery Smyslov for the ARTART review.
Thanks to Dan Harkins for their secdir review.
Thanks for this write-up. I only have two minor observations: 1) Some messages are seen when idnits are checked. 2) potentially add s/Diffie-Helman/Diffie-Hellman (DH)/ so it is clear at first instance that DH = Diffie-Hellman. I realize that a single further the abbreviation ECDH is used and maybe the WG finds that correlation good enough? Thanks, G/
Thanks for the work put into this document for updating the recommendations for (D)TLS 1.2. I support the DISCUSS positions from Gorry and Med. While the IANA registries would provide the recommendations for implementers, I am not sure if it does provide the proper view for (D)TLS 1.2. My concern is whether this document is easy to consume for the target audience. However, I am not a SEC expert and not conversant with the way these recommendations are being maintained.
Thanks to Menachem Dodge for the OPSDIR review. I also support the DISCUSS positions put forth by Gorry Fairhurst and Mohamed Boucadair.
I don't see that this document explicitly states the updates made to RFCs 4346, 5246, 4162, 6347, 5932, 5288, 6209, 6367, 8422, 5289, 5469, 4785, 4279, 5487, 6655, and 7905 "to remediate the above problems." Presumably the cipher suites in question are removed from some list or requirements on acceptable cipher suites are amended; please state the changes explicitly. ===NITS FOLLOW=== - Section 5, s/registry/registry/
Thanks to Valery Smyslov for the ARTART review.
Thank you to Mallory Knodel for the GENART. I support the DISCUSS positions of Gorry Fairhurst and Mohamed Boucadair.
Thanks for the work done in this document, even if, like Gorry, I am little puzzled by the form of this RFC (notably because there is no per-RFC specific update sections). As draft-ietf-tls-rfc8447bis will soon be published, wouldn't it be easier to just update the IANA registries ? I.e., perhaps not updating RFCs ?