IANA Registry Updates for TLS and DTLS
draft-ietf-tls-iana-registry-updates-05

Note: This ballot was opened for revision 04 and is now closed.

(Ben Campbell) Yes

(Spencer Dawkins) Yes

Benjamin Kaduk Yes

Comment (2018-03-28 for -04)
No email
send info
Section 15, TLS Certificate Types, needs to list the values that are
now spec required (3-223) and those that remain for private use
(224-255), I think.

The Orphaned Registries section has a note added to the HashAlgorithm
and SignatureAlgorithm registries about crypto potentially being bad,
that mentions cipher suites instead of hash and signature algorithms.

(Terry Manderson) Yes

(Eric Rescorla) Yes

Comment (2018-03-31 for -04)
No email
send info
 requires standards action.  Not all parameters defined in standards
   track documents need to be marked as recommended.
It might be useful to capitalize Recommended here.



   been through the IETF consensus process, has limited applicability,
   or is intended only for specific use cases.
I think technically it has "Recommended = No"



   Note:  Supported Groups marked as "Yes" are those allocated via
      Standards Track RFCs.  Supported Groups marked as "No" are not;
      supported groups marked "No" range from "good" to "bad" from a
This may need a revision because some have not been allocated that way.



      thus requiring a new construction.  The exporter interface remains
      the same, however the value is computed different.
differently.

Adam Roach Yes

Comment (2018-04-03 for -04)
No email
send info
Thanks for the work everyone put in on this document. I have a handful of
comments, ranging from nits to minor issues. They appear in document order.

---------------------------------------------------------------------------

Title:

Please expand "TLS" and "DTLS" in the title. See
https://www.rfc-editor.org/materials/abbrev.expansion.txt for guidance.

---------------------------------------------------------------------------

Abstract:

Please include the list of updated RFCs in the abstract. See
https://www.ietf.org/standards/ids/checklist/ §3.1.D. The current formulation
of "This document updates many (D)TLS RFCs (see updates header)" is problematic
due to the factors described in the final paragraph of RFC 7322 §4.3.

---------------------------------------------------------------------------

§2:

>  Instead of listing the changes and their rationale in this,
>  the introductory, section each section provides rationale for the
>  proposed change(s).

There's something awkward with the commas here. Perhaps you mean:

>  Instead of listing the changes and their rationale in this,
>  the introductory section, each section provides rationale for the
>  proposed change(s).

---------------------------------------------------------------------------

§8:

This section doesn't indicate anything about the disposition of
"token_binding," which is due to (potentially) expire in 11 months. Given that
the temporary property of this registration is due only to the previous policy
that this document is obsoleting, it seems that this document should instruct
IANA to remove the temporary status from the "token_binding" TLS ExtensionType.

---------------------------------------------------------------------------

§8:

The table that adds a "Recommended" column to the TLS ExtensionType does not
indicate values for "token_binding" or "cached_info." I suggest either adding
them, or adding text to explain their omission.

---------------------------------------------------------------------------

§9:

>  assigned via Specification Required {{RFC8126}}.  Values with the
>  first byte 255 (decimal) are reserved for Private Use {{RFC8126}}.

Nit: the "{{...}}" citation style is probably not what you intended.

---------------------------------------------------------------------------

§13:

>  o  A "Recommended" column to the TLS Exporter Label registry.  The
>     table that follows has been generated by marking Standards Track
>     RFCs as "Yes" and all others as "No".

No rows are marked "No." Presumably, the text above should instead say "any
values not indicated in the table below [will be/have been] marked 'No'"

---------------------------------------------------------------------------

§14:

>  120   no_application_protocol  Y  [RFC7301]

Every other updated table is amended to also point to this document. I presume
that omitting it from this entry is an oversight, and that it should instead be:

>  120   no_application_protocol  Y  [RFC7301] [RFCthis]

---------------------------------------------------------------------------

§17:

>  o  [SHALL update/has updated] the TLS HashAlgorithm Registry to list
>     values 7-223 as "Reserved" and the TLS SignatureAlgorithm registry
>     to list values 4-223 as "Reserved".

HashAlgorithm 8 is already assigned, as are SignatureAlgorithms 7 and 8.
Presumably the reserved ranges should be "7 and 9-223" and "4-6 and 9-223",
respectively.

---------------------------------------------------------------------------

§17:

>  Despite the fact that the HashAlgorithm and SignatureAlgorithm
>  registries are orphaned, it is still import to warn implementers of

nit: "important"

>  pre-TLS1.3 implementations about the dangers of blinding implementing

nit: "blindly"

Ignas Bagdonas No Objection

Comment (2018-04-04 for -04)
No email
send info
s/aligment/alignment
s/prviate/private

Deborah Brungard No Objection

Alissa Cooper No Objection

Suresh Krishnan No Objection

Warren Kumari No Objection

Comment (2018-04-02 for -04)
No email
send info
I'd suggest that the authors review the OpsDir review: https://datatracker.ietf.org/doc/review-ietf-tls-iana-registry-updates-04-opsdir-lc-romascanu-2018-02-20/

I especially agree with #1 ("It would be useful from an operator perspective to add to the registries where the Recommended column is added a text similar to the one in Section 6,...")

I'm guessing it is not needed, but should there be a note to the RFC editor to fix the "IANA [SHALL prepend/has prepended]..." bit to "IANA has prepended..." throughout? 'tis probably obvious enough, but I figured worth asking.

The Nits Checker grumps about missing Updates in the Abstract -- I was getting ready to fuss about this, and then found "This document updates many (D)TLS RFCs (see updates header)." - this seems like a fine hack to me.

Mirja Kühlewind No Objection

Comment (2018-03-29 for -04)
No email
send info
1) Section 18: "However, to allow for the allocation of values prior to publication,
   the Designated Experts may approve registration once they are
   satisfied that such a specification will be published."
This sounds like it's simply the early allocation process (rfc7120). Maybe it's useful to name it like this to avoid confusion.

2) Also section 18: "IANA [...] SHOULD direct all requests for registration to the review mailing list."
Why is this not a MUST?

Alexey Melnikov No Objection

Comment (2018-04-03 for -04)
No email
send info
I support the idea behind this document. I have a few minor issues which I would like to discuss before recommending its approval:

1) In several places:

"IESG action is REQUIRED for a Yes->No transition."

Firstly, this should be "IESG Approval", not "IESG action" (according to RFC 8126).

Secondly, are you saying that this is the ONLY way to transition from Yes to No? Surely, Standards Action should also be allowed in case there is no rush? Besides IESG is likely to prefer a document explaining the transition anyway.

2) In Section 15: 

15.  TLS Certificate Types

   Experience has shown that the IETF Consensus registry policy for TLS
   Certificate Types is too strict.  Based on WG consensus, the decision
   was taken to change registration policy to Specification Required
   [RFC8126] while reserving a small part of the code space for
   experimental and private use.  Therefore, IANA [SHALL add/has added]
   a "Recommended" column to the registry.  X.509 and Raw Public Key are
   "Yes".  All others are "No".  In order to register an extension with
   the value "Yes", a Standards Track document [RFC8126] is REQUIRED.


The above sentence.

   Future Certificate Types MUST define the value of this column.  A
   Standards Track document [RFC8126] is REQUIRED to register an entry
   with the value "Yes". 

And this is just repeating the above sentence in a different way.

   IESG action is REQUIRED for a Yes->No
   transition.

3) In Section 17:

   Despite the fact that the HashAlgorithm and SignatureAlgorithm
   registries are orphaned, it is still import to warn implementers of

import --> important

   pre-TLS1.3 implementations about the dangers of blinding implementing

blinding --> blindly

   cryptographic algorithms.

And later in the same section:

   WARNING:  Cryptographic algorithms and parameters will be broken or
      weakened over time.  Blindly implementing cipher suites listed

cipher suites --> hash functions/signatures?

      here is not advised.  Implementers and users need to check that
      the cryptographic algorithms listed continue to provide the
      expected level of security.

Martin Vigoureux No Objection