IANA Registry Updates for TLS and DTLS
draft-ietf-tls-iana-registry-updates-05
Yes
(Ben Campbell)
(Spencer Dawkins)
(Terry Manderson)
No Objection
(Alissa Cooper)
(Deborah Brungard)
(Martin Vigoureux)
(Suresh Krishnan)
Note: This ballot was opened for revision 04 and is now closed.
Adam Roach Former IESG member
Yes
Yes
(2018-04-03 for -04)
Unknown
Thanks for the work everyone put in on this document. I have a handful of comments, ranging from nits to minor issues. They appear in document order. --------------------------------------------------------------------------- Title: Please expand "TLS" and "DTLS" in the title. See https://www.rfc-editor.org/materials/abbrev.expansion.txt for guidance. --------------------------------------------------------------------------- Abstract: Please include the list of updated RFCs in the abstract. See https://www.ietf.org/standards/ids/checklist/ §3.1.D. The current formulation of "This document updates many (D)TLS RFCs (see updates header)" is problematic due to the factors described in the final paragraph of RFC 7322 §4.3. --------------------------------------------------------------------------- §2: > Instead of listing the changes and their rationale in this, > the introductory, section each section provides rationale for the > proposed change(s). There's something awkward with the commas here. Perhaps you mean: > Instead of listing the changes and their rationale in this, > the introductory section, each section provides rationale for the > proposed change(s). --------------------------------------------------------------------------- §8: This section doesn't indicate anything about the disposition of "token_binding," which is due to (potentially) expire in 11 months. Given that the temporary property of this registration is due only to the previous policy that this document is obsoleting, it seems that this document should instruct IANA to remove the temporary status from the "token_binding" TLS ExtensionType. --------------------------------------------------------------------------- §8: The table that adds a "Recommended" column to the TLS ExtensionType does not indicate values for "token_binding" or "cached_info." I suggest either adding them, or adding text to explain their omission. --------------------------------------------------------------------------- §9: > assigned via Specification Required {{RFC8126}}. Values with the > first byte 255 (decimal) are reserved for Private Use {{RFC8126}}. Nit: the "{{...}}" citation style is probably not what you intended. --------------------------------------------------------------------------- §13: > o A "Recommended" column to the TLS Exporter Label registry. The > table that follows has been generated by marking Standards Track > RFCs as "Yes" and all others as "No". No rows are marked "No." Presumably, the text above should instead say "any values not indicated in the table below [will be/have been] marked 'No'" --------------------------------------------------------------------------- §14: > 120 no_application_protocol Y [RFC7301] Every other updated table is amended to also point to this document. I presume that omitting it from this entry is an oversight, and that it should instead be: > 120 no_application_protocol Y [RFC7301] [RFCthis] --------------------------------------------------------------------------- §17: > o [SHALL update/has updated] the TLS HashAlgorithm Registry to list > values 7-223 as "Reserved" and the TLS SignatureAlgorithm registry > to list values 4-223 as "Reserved". HashAlgorithm 8 is already assigned, as are SignatureAlgorithms 7 and 8. Presumably the reserved ranges should be "7 and 9-223" and "4-6 and 9-223", respectively. --------------------------------------------------------------------------- §17: > Despite the fact that the HashAlgorithm and SignatureAlgorithm > registries are orphaned, it is still import to warn implementers of nit: "important" > pre-TLS1.3 implementations about the dangers of blinding implementing nit: "blindly"
Ben Campbell Former IESG member
Yes
Yes
(for -04)
Unknown
Benjamin Kaduk Former IESG member
Yes
Yes
(2018-03-28 for -04)
Unknown
Section 15, TLS Certificate Types, needs to list the values that are now spec required (3-223) and those that remain for private use (224-255), I think. The Orphaned Registries section has a note added to the HashAlgorithm and SignatureAlgorithm registries about crypto potentially being bad, that mentions cipher suites instead of hash and signature algorithms.
Eric Rescorla Former IESG member
Yes
Yes
(2018-03-31 for -04)
Unknown
requires standards action. Not all parameters defined in standards
track documents need to be marked as recommended.
It might be useful to capitalize Recommended here.
been through the IETF consensus process, has limited applicability,
or is intended only for specific use cases.
I think technically it has "Recommended = No"
Note: Supported Groups marked as "Yes" are those allocated via
Standards Track RFCs. Supported Groups marked as "No" are not;
supported groups marked "No" range from "good" to "bad" from a
This may need a revision because some have not been allocated that way.
thus requiring a new construction. The exporter interface remains
the same, however the value is computed different.
differently.
Spencer Dawkins Former IESG member
Yes
Yes
(for -04)
Unknown
Terry Manderson Former IESG member
Yes
Yes
(for -04)
Unknown
Alexey Melnikov Former IESG member
No Objection
No Objection
(2018-04-03 for -04)
Unknown
I support the idea behind this document. I have a few minor issues which I would like to discuss before recommending its approval: 1) In several places: "IESG action is REQUIRED for a Yes->No transition." Firstly, this should be "IESG Approval", not "IESG action" (according to RFC 8126). Secondly, are you saying that this is the ONLY way to transition from Yes to No? Surely, Standards Action should also be allowed in case there is no rush? Besides IESG is likely to prefer a document explaining the transition anyway. 2) In Section 15: 15. TLS Certificate Types Experience has shown that the IETF Consensus registry policy for TLS Certificate Types is too strict. Based on WG consensus, the decision was taken to change registration policy to Specification Required [RFC8126] while reserving a small part of the code space for experimental and private use. Therefore, IANA [SHALL add/has added] a "Recommended" column to the registry. X.509 and Raw Public Key are "Yes". All others are "No". In order to register an extension with the value "Yes", a Standards Track document [RFC8126] is REQUIRED. The above sentence. Future Certificate Types MUST define the value of this column. A Standards Track document [RFC8126] is REQUIRED to register an entry with the value "Yes". And this is just repeating the above sentence in a different way. IESG action is REQUIRED for a Yes->No transition. 3) In Section 17: Despite the fact that the HashAlgorithm and SignatureAlgorithm registries are orphaned, it is still import to warn implementers of import --> important pre-TLS1.3 implementations about the dangers of blinding implementing blinding --> blindly cryptographic algorithms. And later in the same section: WARNING: Cryptographic algorithms and parameters will be broken or weakened over time. Blindly implementing cipher suites listed cipher suites --> hash functions/signatures? here is not advised. Implementers and users need to check that the cryptographic algorithms listed continue to provide the expected level of security.
Alissa Cooper Former IESG member
No Objection
No Objection
(for -04)
Unknown
Deborah Brungard Former IESG member
No Objection
No Objection
(for -04)
Unknown
Ignas Bagdonas Former IESG member
No Objection
No Objection
(2018-04-04 for -04)
Unknown
s/aligment/alignment s/prviate/private
Martin Vigoureux Former IESG member
No Objection
No Objection
(for -04)
Unknown
Mirja Kühlewind Former IESG member
No Objection
No Objection
(2018-03-29 for -04)
Unknown
1) Section 18: "However, to allow for the allocation of values prior to publication, the Designated Experts may approve registration once they are satisfied that such a specification will be published." This sounds like it's simply the early allocation process (rfc7120). Maybe it's useful to name it like this to avoid confusion. 2) Also section 18: "IANA [...] SHOULD direct all requests for registration to the review mailing list." Why is this not a MUST?
Suresh Krishnan Former IESG member
No Objection
No Objection
(for -04)
Unknown
Warren Kumari Former IESG member
No Objection
No Objection
(2018-04-02 for -04)
Unknown
I'd suggest that the authors review the OpsDir review: https://datatracker.ietf.org/doc/review-ietf-tls-iana-registry-updates-04-opsdir-lc-romascanu-2018-02-20/ I especially agree with #1 ("It would be useful from an operator perspective to add to the registries where the Recommended column is added a text similar to the one in Section 6,...") I'm guessing it is not needed, but should there be a note to the RFC editor to fix the "IANA [SHALL prepend/has prepended]..." bit to "IANA has prepended..." throughout? 'tis probably obvious enough, but I figured worth asking. The Nits Checker grumps about missing Updates in the Abstract -- I was getting ready to fuss about this, and then found "This document updates many (D)TLS RFCs (see updates header)." - this seems like a fine hack to me.