The Transport Layer Security (TLS) Protocol Version 1.2
draft-ietf-tls-rfc4346-bis-10

[Ballot comment]
As this is a critical IETF standard for application protocols, I have
reviewed it in depth.  While the protocol is more complex then I might
wish, it takes an appropriate compromise between the necessary hash
agility to future-proof TLS, backwards compatibility with previous TLS
versions and simplicity.  I consider this revision an important and
necessary step forward for TLS.

I am aware of TLS interoperability problems with wildcard server
certificates and client certificates used by application protocols.
This specification chooses to avoid all issues of application use of
TLS.  After a discussion with Ekr, I believe this is best addressed by
an "application use of TLS" BCP rather than delaying this document.

I have a number of minor comments and it is my belief a revision of the
document addressing some or all of my comments would improve the
document's value sufficiently to merit the delay.  I don't consider any
of these discuss-level blocking comments, however.

Section 4.7:

The acronym "DER" is first used in the context of a normative reference
to RFC 3447 (PKCS#1).  However, RFC 3447 does not define nor provide a
direct reference to either DER or ASN.1, although those are normative to
implementing this portion of TLS (given the "MUST").  I suggest adding
normative references to ASN.1/DER and/or expanding the "DER" acronym on
first use.  A previous RFC that normatively referenced RFC 3447 was RFC
4556 and it included the following normative references:

  [X680]    ITU-T Recommendation X.680 (2002) | ISO/IEC 8824-1:2002,
              Information technology - Abstract Syntax Notation One
              (ASN.1): Specification of basic notation.

  [X690]    ITU-T Recommendation X.690 (2002) | ISO/IEC 8825-1:2002,
              Information technology - ASN.1 encoding Rules: Specification
              of Basic Encoding Rules (BER), Canonical Encoding Rules
              (CER) and Distinguished Encoding Rules (DER).

Section 6.2.2:

While RFC 3749 (TLS Compression) is referenced from the IANA
considerations section, it would also be helpful to implementers to
reference it from the compression section 6.2.2.  It's fine as an
informative reference.

Section 6.2.3.1, last paragraph, last sentence:

This sentence:
>  TLSCiphertext.length is TLSCompressed.length plus
>  SecurityParameters.mac_length.
doesn't have a clear context (it's not clear if it refers to the null
cipher, stream cipher, both or all ciphers).  I suggest clairifying this
similar to the equivalent statement in the next section:
  The null or stream cipher length (TLSCiphertext.length) is
  TLSCompressed.length plus SecurityParameters.mac_length.

Section 7.4.1.2, page 40 "session_id":
>      The ID of a session the client wishes to use for this connection.
>      This field is empty if no session_id is available, or it the
s/it/if/

Section 7.4.1.2, page 40 "extensions":
>      Clients MAY request extended functionality from servers by sending
>      data in the extensions Here the new "extensions" field contains a
>      list of extensions.
This needs rewording.

Section 7.4.1.3, "session_id" last sentence:
>      session_id. Client MUST be prepared to do a full negotiation --
s/Client/Clients/

Section 7.4.1.4:
>          signature_algorithms(TBD-BY-IANA), (65535)
I suggest an explicit note to RFC editor to make sure this occurrance of
TBD-BY-IANA is changed to the registered number.  Alternatively, the
text in section 12 should specifically mention this item in this section
needs to be replaced by the registered number.

Section 7.4.1.4.1, "signature":
>      This field indicates the signature algorithm which may be used.
>      The values indicate anonymous signatures, RSASSA-PKCS1-v1_5
>      [PKCS1] and DSA [DSS] respectively.
This sentence is missing a reference for ECDSA.

Section 7.4.1.4.1:
>  cipher suite indicates permissible signature algorithms but not hash
>  algorithm. Sections 7.4.2 and 7.4.3 describe the appropriate rules.
s/algorithm/algorithms/

Section 7.4.2, "certificate_list":
>      certificate authority MAY optionally be omitted from the chain,
s/MAY optionally/MAY/
("MAY optionally" is redundant as "MAY" implies the behavior is optional)

Section 7.4.2:
>      ECDHE_RSA          allow the key to be used for signing
It would be helpful to mention this cipher suite is defined in [TLSECC]
here.

Section 7.4.2:
>  extension.  The naming is historical.
I'm not sure which "naming" is referred to by this sentence.  Perhaps
clarification is needed?

Section 7.4.3:
>        DHE_DSS
>        DHE_RSA
>        DH_anon
This is also true for "ECDHE_RSA", "ECDHE_DSS", "ECDH_anon" I believe.
While I know those cipher suites are defined in RFC 4492 rather than
here, it's confusing to have them discussed in the previous section and
suddenly missing in this section.  Either say explicitly you're omitting
them from this section or include them in this discussion.

Section 7.4.8:
>      permitted hash algorith, subject to restrictions in the
s/algorith/algorithm/

Section A.7:
>  to be used and digest algorithms other than SHA-1, provided such use
s/and/with/

Section E.1:
>  remains compatible, and the client support the highest protocol
s/support/supports/
...
>  A TLS server can also receive a ClientHello containing version number
s/containing version/containing a version/

Informative References:

The XDR reference should mention it is STD 67:
  [XDR]    Eisler, M., "External Data Representation Standard", STD
            67, RFC 4506, May 2006.

[Ballot comment]
> a SHOULD, with sending it a SHOULD not. Support will probably

s/SHOULD not/SHOULD NOT/

Section 1.2 does not list the change that unnegotiated extensions now result in a fatal alert, not silently dropping the message. (Section 6)

> This document
> describes TLS Version 1.2, which uses the version { 3, 3 }. The
> version value 3.3 is historical, deriving from the use of 3.1 for
> TLS 1.0. (See Appendix A.1).

This was somewhat confusing, because I do not know when you are talking
of values for the "version" field and when you are talking about the
version numbers associated with a particular TLS RFC. I think you
want to say:

  This document
  describes TLS Version 1.2, which uses the version { 3, 3 }. The
  version value { 3, 3 } is historical, deriving from the use of { 3, 1 }
  for TLS 1.0. (See Appendix A.1).

By the way, differences from RFC 4346 are easily seen in
http://tools.ietf.org/rfcdiff?url1=http://www.ietf.org/rfc/rfc4346.txt&url2=http://tools.ietf.org/id/draft-ietf-tls-rfc4346-bis-09.txt

[Ballot comment]
> a SHOULD, with sending it a SHOULD not. Support will probably

s/SHOULD not/SHOULD NOT/

Section 1.2 does not list the change that unnegotiated extensions now result in a fatal alert, not silently dropping the message. (Section 6)

> This document
> describes TLS Version 1.2, which uses the version { 3, 3 }. The
> version value 3.3 is historical, deriving from the use of 3.1 for
> TLS 1.0. (See Appendix A.1).

This was somewhat confusing. I think you want to say:

  This document
  describes TLS Version 1.2, which uses the version { 3, 3 }. The
  version value { 3, 3 } is historical, deriving from the use of { 3, 3 }
  for TLS 1.0. (See Appendix A.1).

By the way, differences from RFC 4346 are easily seen in
http://tools.ietf.org/rfcdiff?url1=http://www.ietf.org/rfc/rfc4346.txt&url2=http://tools.ietf.org/id/draft-ietf-tls-rfc4346-bis-09.txt

[Ballot comment]
> a SHOULD, with sending it a SHOULD not. Support will probably

s/SHOULD not/SHOULD NOT/

Section 1.2 does not list the change that unnegotiated extensions now result in an alert, not silently dropping the message. (Section 6)

> This document
> describes TLS Version 1.2, which uses the version { 3, 3 }. The
> version value 3.3 is historical, deriving from the use of 3.1 for
> TLS 1.0. (See Appendix A.1).

This was somewhat confusing. I think you want to say:

  This document
  describes TLS Version 1.2, which uses the version { 3, 3 }. The
  version value { 3, 3 } is historical, deriving from the use of { 3, 3 }
  for TLS 1.0. (See Appendix A.1).

By the way, differences from RFC 4346 are easily seen in
http://tools.ietf.org/rfcdiff?url1=http://www.ietf.org/rfc/rfc4346.txt&url2=http://tools.ietf.org/id/draft-ietf-tls-rfc4346-bis-09.txt

[Ballot comment]
> a SHOULD, with sending it a SHOULD not. Support will probably

s/SHOULD not/SHOULD NOT/

Section 1.2 does not list the change that unnegotiated extensions now result in an alert, not silently dropping the message. (Section 6)

By the way, differences from RFC 4346 are easily seen in
http://tools.ietf.org/rfcdiff?url1=http://www.ietf.org/rfc/rfc4346.txt&url2=http://tools.ietf.org/id/draft-ietf-tls-rfc4346-bis-09.txt

[Ballot comment]
> a SHOULD, with sending it a SHOULD not. Support will probably

s/SHOULD not/SHOULD NOT/

By the way, differences from RFC 4346 are easily seen in
http://tools.ietf.org/rfcdiff?url1=http://www.ietf.org/rfc/rfc4346.txt&url2=http://tools.ietf.org/id/draft-ietf-tls-rfc4346-bis-09.txt

Request to publish TLS 1.2 (draft-ietf-tls-rfc4346-bis-09)
--------------

(1.a) Who is the Document Shepherd for this document? Has the
Document Shepherd personally reviewed this version of the
document and, in particular, does he or she believe this
version is ready for forwarding to the IESG for publication?

Pasi Eronen. Yes.

(1.b) Has the document had adequate review both from key WG members
and from key non-WG members? Does the Document Shepherd have
any concerns about the depth or breadth of the reviews that
have been performed?

The document went through WG last call, and although the number
people who commented the technical details was rather small,
I don't have concerns about the depth or breadth.

(1.c) Does the Document Shepherd have concerns that the document
needs more review from a particular or broader perspective,
e.g., security, operational complexity, someone familiar with
AAA, internationalization, or XML?

No concerns.

(1.d) Does the Document Shepherd have any specific concerns or
issues with this document that the Responsible Area Director
and/or the IESG should be aware of? For example, perhaps he
or she is uncomfortable with certain parts of the document, or
has concerns whether there really is a need for it. In any
event, if the WG has discussed those issues and has indicated
that it still wishes to advance the document, detail those
concerns here.

No concerns.

Has an IPR disclosure related to this document been filed?
If so, please include a reference to the disclosure and
summarize the WG discussion and conclusion on this issue.

No IPR disclosures have been filed.

(1.e) How solid is the WG consensus behind this document? Does it
represent the strong concurrence of a few individuals, with
others being silent, or does the WG as a whole understand and
agree with it?

The WG as a whole is behind the document.

(1.f) Has anyone threatened an appeal or otherwise indicated extreme
discontent? If so, please summarize the areas of conflict in
separate email messages to the Responsible Area Director. (It
should be in a separate email because this questionnaire is
entered into the ID Tracker.)

Nobody has threatened an appeal or otherwise indicated extreme
discontent.

(1.g) Has the Document Shepherd personally verified that the
document satisfies all ID nits? (See
http://www.ietf.org/ID-Checklist.html and
http://tools.ietf.org/tools/idnits/.) Boilerplate checks are
not enough; this check needs to be thorough.

Yes, I have personally verified both the checklist and the idnits
tool output.

Has the document met all formal review criteria it needs to,
such as the MIB Doctor, media type, and URI type reviews?

No such formal review criteria are applicable.

If the document does not already indicate its intended status
at the top of the first page, please indicate the intended
status here.

The intended status, Proposed Standard, is stated on the first page.

(1.h) Has the document split its references into normative and
informative? Are there normative references to documents that
are not ready for advancement or are otherwise in an unclear
state? If such normative references exist, what is the
strategy for their completion? Are there normative references
that are downward references, as described in [RFC3967]? If
so, list these downward references to support the Area
Director in the Last Call procedure for them [RFC3967].

References are split into normative and informative; all normative
references look acceptable.

There is one reference whose normativeness might be subject to
different opinions or discussion: RFC 4492 (ECC cipher suites for
TLS). When RFC 4492 was written, TLS 1.0 and 1.1 did not provide
algorithm agility for digital signatures. There are couple of
sentences in RFC 4492 that simply follow what TLS 1.0/1.1 did in
this respect.

TLS 1.2 (this specification) adds such algorithm agility
functionality, and this functionality applies to all TLS cipher
suites which use signatures (either in TLS messages or
certificates). The document includes a couple of sentences that
explain how exactly this functionality works in the context of RFC
4492; in other words, things that someone implementing both this
specification and RFC 4492 should pay attention to. These topics
are summarized in Appendix A.7.

Given this, the document has "Updates: RFC 4492" on the cover page
to draw implementors' attention. However, RFC 4492 is listed as an
informative reference, as this specification can be implemented
without understanding RFC 4492.

(1.i) Has the Document Shepherd verified that the document's IANA
Considerations section exists and is consistent with the body
of the document? If the document specifies protocol
extensions, are reservations requested in appropriate IANA
registries? Are the IANA registries clearly identified? If
the document creates a new registry, does it define the
proposed initial contents of the registry and an allocation
procedure for future registrations? Does it suggest a
reasonable name for the new registry? See [RFC2434]. If the
document describes an Expert Review process, has the Document
Shepherd conferred with the Responsible Area Director so that
the IESG can appoint the needed Expert during IESG Evaluation?

Everything looks OK here.

(1.j) Has the Document Shepherd verified that sections of the
document that are written in a formal language, such as XML
code, BNF rules, MIB definitions, etc., validate correctly in
an automated checker?

The only (semi-)formal language used is the TLS presentation
language (defined in this document), for which no automated tools
are available. I have checked them manually.

(1.k) The IESG approval announcement includes a Document
Announcement Write-Up. Please provide such a Document
Announcement Write-Up. Recent examples can be found in the
"Action" announcements for approved documents. The approval
announcement contains the following sections:

Technical Summary

This document specifies version 1.2 of the Transport Layer
Security (TLS) protocol. The most important improvements over
earlier versions are algorithm agility for digital signatures
and PRFs, and support for authenticated encryption modes. The
document also merges in AES cipher suites from RFC 3268 and the
TLS extension mechanism from RFC 4366. Several requirements have
been also tightened, and text has been clarified based on
feedback from implementations of earlier versions of TLS.

Working Group Summary

This document is a product of the Transport Layer
Security (TLS) Working Group.

Document Quality

There is at least one prototype implementation of an earlier
version of TLS 1.2 Internet-Draft. Several other vendors have
participated in the work, and have indicated that they plan to
implement the specification.

Personnel

The Document Shepherd for this document is Pasi Eronen, and
the Responsible Area Director is Tim Polk.

IANA Last Call comments:

Action #1:
Upon approval of this document, the IANA will make the following
changes in "Transport Layer Security (TLS) Parameters]" registry
located at
http://www.iana.org/assignments/tls-parameters
sub-registry "TLS ClientCertificateType Identifiers Registry - per [RFC4346]"

OLD:
TLS ClientCertificateType Identifiers Registry - per [RFC4346]

NEW:
Registry Name: TLS ClientCertificateType Identifiers Registry
Reference: [RFC-tls-rfc4346-bis-09]

Values in the range 0-63 (decimal) inclusive are assigned via
Standards Action [RFC2434].
Values in the range 64-223 (decimal) inclusive are assigned via
Specification Required [RFC2434].
Values from 224-255 (decimal) inclusive are reserved for Private
Use [RFC2434].

QUESTION: are the references for value 0-6,20 supposed to change to this document or stay with RFC4346 ?


Action #2:
Upon approval of this document, the IANA will make the following
changes in "Transport Layer Security (TLS) " registry located at
http://www.iana.org/assignments/tls-parameters
sub-registry "TLS Cipher Suite Registry"

OLD:
TLS Cipher Suite Registry - per [RFC4346]

NEW:
Registry Name: TLS Cipher Suite Registry
Reference: [RFC-tls-rfc4346-bis-09]

Allocation policy: the first byte in the range 0-191 (decimal)
inclusive are assigned via Standards Action [RFC2434].
Values with the first byte in the range 192-254 (decimal) are assigned via Specification Required [RFC2434].
Values with the first byte 255 (decimal) are reserved for Private Use
[RFC2434].


Action #3:
Upon approval of this document, the IANA will make the following
registrations in "Transport Layer Security (TLS)" registry located at
http://www.iana.org/assignments/tls-parameters
sub-registry "TLS Cipher Suite Registry”

TLS Cipher Suite Registry
Value Description Reference
----------- -------------------------------------- ---------
0x00, TDB1 TLS_RSA_WITH_NULL_SHA256 [RFC-tls-rfc4346-bis-09]
0x00, TBD2 TLS_RSA_WITH_AES_128_CBC_SHA256 [RFC-tls-rfc4346-bis-09]
0x00, TBD3 TLS_RSA_WITH_AES_256_CBC_SHA256 [RFC-tls-rfc4346-bis-09]
0x00, TBD4 TLS_DH_DSS_WITH_AES_128_CBC_SHA256 [RFC-tls-rfc4346-bis-09]
0x00, TBD5 TLS_DH_RSA_WITH_AES_128_CBC_SHA256 [RFC-tls-rfc4346-bis-09]
0x00, TBD6 TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 [RFC-tls-rfc4346-bis-09]
0x00, TBD7 TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 [RFC-tls-rfc4346-bis-09]
0x00, TBD8 TLS_DH_DSS_WITH_AES_256_CBC_SHA256 [RFC-tls-rfc4346-bis-09]
0x00, TBD9 TLS_DH_RSA_WITH_AES_256_CBC_SHA256 [RFC-tls-rfc4346-bis-09]
0x00, TBDA TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 [RFC-tls-rfc4346-bis-09]
0x00, TBDB TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 [RFC-tls-rfc4346-bis-09]
0x00, TBDC TLS_DH_anon_WITH_AES_128_CBC_SHA256 [RFC-tls-rfc4346-bis-09]
0x00, TBDD TLS_DH_anon_WITH_AES_256_CBC_SHA256 [RFC-tls-rfc4346-bis-09]


Action #4
Upon approval of this document, the IANA will make the following
changes in "Transport Layer Security (TLS) " registry located at
http://www.iana.org/assignments/tls-parameters
sub-registry "TLS ContentType Registry"

OLD:
TLS ContentType Registry - per [RFC4346]

NEW:
Registry Name: TLS ContentType Registry
Reference: [RFC-tls-rfc4346-bis-09]

Allocation policy: Standards Action


Action #5
Upon approval of this document, the IANA will make the following
changes in "Transport Layer Security (TLS) Parameters" registry
located at
http://www.iana.org/assignments/tls-parameters
sub-registry "TLS Alert Registry"

OLD:
TLS Alert Registry - per [RFC4346]

NEW:
Registry Name: TLS Alert Registry
Reference: [RFC4346]

Allocation policy: Standards Action


Action #6
Upon approval of this document, the IANA will make the following

changes in "Transport Layer Security (TLS) Parameters" registry
located at
http://www.iana.org/assignments/tls-parameters
sub-registry "TLS HandshakeType Registry"

OLD:
TLS HandshakeType Registry - per [RFC4346]

NEW:
Registry Name: TLS HandshakeType Registry
Reference: [RFC-tls-rfc4346-bis-09]

Allocation policy: Standards Action


Action #7:
Upon approval of this document, the IANA will make the following
changes in "Transport Layer Security (TLS) Extensions" registry
located at
http://www.iana.org/assignments/tls-extension-values
sub-registry "ExtensionType Values"

OLD:
Registry Name: ExtensionType Values
Reference: [RFC4366]

NEW:
Registry Name: ExtensionType Values
Reference: [RFC-tls-rfc4346-bis-09]


Action #8
Upon approval of this document, the IANA will in the following registry "Transport Layer Security (TLS) Parameters" located at
http://www.iana.org/assignments/tls-parameters
create a new sub-registry "TLS SignatureAlgorithm Registry"

Initial contents of this sub-registry will be:

Allocation policy:
Values in the range 0-63 (decimal) inclusive are assigned via
Standards Action [RFC2434].
Values in the range 64-223 (decimal) inclusive are assigned via
Specification Required [RFC2434].
Values from 224-255 (decimal) inclusive are reserved for Private
Use [RFC2434].

Value Name Reference
-------+-------------+---------
0 | anonymous | [RFC-tls-rfc4346-bis-09]
1 | rsa | [RFC-tls-rfc4346-bis-09]
2 | dsa | [RFC-tls-rfc4346-bis-09]
3 | ecdsa | [RFC-tls-rfc4346-bis-09]
4-255 | Unallocated | [RFC-tls-rfc4346-bis-09]


Action #9
Upon approval of this document, the IANA will make the following
registry "Transport Layer Security (TLS) Parameters - per [RFC4346]"
located at
http://www.iana.org/assignments/tls-parameters
create a new sub-registry "TLS HashAlgorithm Registry [RFC-tls-rfc4346-bis-09]"

Initial contents of this sub-registry will be:

Allocation policy:
Values in the range 0-63 (decimal) inclusive are assigned via
Standards Action [RFC2434].
Values in the range 64-223 (decimal) inclusive are assigned via
Specification Required [RFC2434].
Values from 224-255 (decimal) inclusive are reserved for Private
Use [RFC2434].

Value Name Reference
-------+-------------+---------
0 | none | [RFC-tls-rfc4346-bis-09]
1 | md5 | [RFC-tls-rfc4346-bis-09]
2 | sha1 | [RFC-tls-rfc4346-bis-09]
3 | sha256 | [RFC-tls-rfc4346-bis-09]
4 | sha384 | [RFC-tls-rfc4346-bis-09]
5 | sha512 | [RFC-tls-rfc4346-bis-09]
6-255 | Unallocated | [RFC-tls-rfc4346-bis-09]


Action #10
Upon approval of this document, the IANA will make the following
assignments in the "Transport Layer Security (TLS) Extensions"
registry located at
http://www.iana.org/assignments/tls-extensiontype-values
sub-registry "ExtensionType Values"

Value Extension name Reference
------ ---------------------------- ---------
TDB signature_algorithms [RFC-tls-rfc4346-bis-09]


Action #11
Upon approval of this document, the IANA will make the following
assignments in the "Transport Layer Security (TLS) Compression
Method Identifiers per [RFC3749]" registry located at
http://www.iana.org/assignments/comp-meth-ids

Description Value Reference
------------------------------ ----- ---------
null 0 [RFC-tls-rfc4346-bis-09]