Ballot for draft-ietf-uta-require-tls13
Yes
No Objection
Note: This ballot was opened for revision 06 and is now closed.
# Internet AD comments for draft-ietf-uta-require-tls13-06 CC @ekline * comment syntax: - https://github.com/mnot/ietf-comments/blob/main/format.md * "Handling Ballot Positions": - https://ietf.org/about/groups/iesg/statements/handling-ballot-positions/ ## Comments ### S4 * "When the API allows it, clients SHOULD specify just the minimum version they want." I struggled with this phrasing and attempting to reconcile it with the broader goal of requiring TLS1.3. What is really meant here, and could it be more clearly stated? ## Nits ### S5 * "At this time it was published" -> "At the time it was published"
Worth clarifying throughout that protocols *which use TLS* must use TLS 1.3 (or later). This document isn't (I believe) attempting to mandate that all protocols use TLS in all contexts. Section 5, the "small changes" are small by text size, but substantial in impact. Referring to the changes as "small" seems unnecessary.
Thanks Rich for this document. Thanks also to Samier for his first opsdir review. I fully support. Some clarity is needed to unambiguously characterize which "new protocols" we are covering. A fix for this and other edits were shared with Rich using a PR. I'm removing that link and include the changes in the ballot itself. Apologies for the inconvenience. # Title ## Clarify this is for TLS-based protocols OLD: "New Protocols Must Require TLS 1.3" NEW: "New Protocols with TLS Support Must Require TLS 1.3" # Section 1 ## Clarify this is for TLS-based protocols OLD: For these reasons, new protocols must require and NEW: For these reasons, new protocols with TLS support must require and ## minor edit OLD: Note that addressing them usually requires bespoke configuration. NEW: Addressing them usually requires bespoke configuration. ## minor edit OLD: removing most cryptographic primitives considered dangerous. Importantly, TLS 1.3 enjoys robust security proofs and provides excellent security without any additional configuration. NEW: removing most cryptographic primitives considered dangerous. Importantly, compared to TLS1.2, TLS 1.3 provides better security without any additional configuration. ## Clarify this is for TLS-based protocols OLD: This document specifies that, since TLS 1.3 use is widespread, new protocols NEW: This document specifies that, since TLS 1.3 use is widespread, new protocols with TLS support # Section 3 ## nit OLD: Implications for post-quantum cryptography NEW: Implications for Post-Quantum Cryptography (PQC) ## clarify impact + nits OLD: have a huge impact on TLS traffic. To mitigate this, TLS applications will need to migrate to post-quantum cryptography (PQC) [PQC]. Detailed consideration of when any application requires PQC, or when a CRQC is a threat they need to protect against, is beyond the NEW: have a huge impact on TLS traffic (see, e.g., Section 2 of [I-D.ietf-pquip-pqc-engineers]). To mitigate this, TLS applications will need to migrate to Post-Quantum Cryptography (PQC) [PQC]. Detailed considerations of when an application requires PQC or when a CRQC is a threat that an application need to protect against, are beyond the ## nit OLD: For TLS it is important to note that the focus of these efforts is TLS 1.3 NEW: It is important to note that the focus of these PQC efforts for TLS is TLS 1.3 ## Clarify this is for TLS-based protocols OLD: This is one more reason for new protocols to default to TLS 1.3, where NEW: This is one more reason for new protocols requiring TLS service to default to TLS 1.3, where # Section 4 ## nit OLD: then clients SHOULD specify just the minimum NEW: then clients SHOULD specify the minimum # Section 5 ## nit OLD: RFC 9325 provides recommendations for ensuring the security of deployed NEW: [RFC9325] provides recommendations for ensuring the security of deployed ## nit OLD: At the time it was published, it described availability of TLS 1.3 as "widely available." The transition and adoption mentioned in that documnent has grown, and this document now makes two small changes NEW: At the time it was published, it described availability of TLS 1.3 as "widely available". The transition and adoption mentioned in that document has grown, and this document now makes two small changes ## clarify this is for tls-based protocols OLD: That section says that TLS 1.3 SHOULD be supported; this document says that for new protocols it MUST be supported. NEW: That section says that TLS 1.3 SHOULD be supported; this document mandates that TLS 1.3 MUST be supported for new TLS-based protocols. ## nit OLD: That section says that TLS 1.2 MUST be supported; this document says that it MAY be supported as described above. NEW: That section says that TLS 1.2 MUST be supported; this document says that TLS 1.2 MAY be supported. # Section 6 ## nit OLD: See [I-D.draft-ietf-tls-deprecate-obsolete-kex] for details. NEW: See [I-D.ietf-tls-deprecate-obsolete-kex] for details. ## nit OLD: years exploiting CBC cipher suites; refer to e.g. [CBCSCANNING] OLD: years exploiting CBC cipher suites; refer to, e.g., [CBCSCANNING] Cheers, Med
# Éric Vyncke, INT AD, comments for draft-ietf-uta-require-tls13-10 CC @evyncke Thank you for the work put into this document. It is always useful to stress the important security standards. Please find below some non-blocking COMMENT points (but replies would be appreciated even if only for my own education). Special thanks to Valery Smyslov for the shepherd's write-up including the WG consensus ***but it lacks*** the justification of the intended status. Other thanks to Scott Rose, the DNS directorate reviewer, please consider this int-dir review and one typo: https://datatracker.ietf.org/doc/review-ietf-uta-require-tls13-10-dnsdir-telechat-rose-2025-03-27/ (and I have read reply) I hope that this review helps to improve the document, Regards, -éric ## COMMENTS (non-blocking) ### Title Should the title be "At Least v1.3 of TLS" ? ### Abstract The sentence about example does not really fit an abstract, please remove. Unsure how to read `fixed weaknesses in TLS 1.2` ? I.e, if they are fixed, then why move to TLS 1.3 ? ### Section 1 The first paragraph is somehow self-contradicting "good security properties" vs. "several deficiencies" vs. "bespoke configuration". ### Section 4 I would remove the DoT counter-example, it is only confusing. Isn't the set of crypto algorithms also part of the negotiation ? I.e., a 'stupid' configuration could have TLS 1.2 with really good crypto and TLS 1.3 with average one (in a couple of years). Should the text mention this as well ? ### Section 6 While this section proposes mitigations to some attacks against TLS 1.2, it does not do so for *all* attacks while section claims that bespoke configuration can fix all weaknesses of TLS 1.2.
Edit: Thanks for the quick work to address my discuss. Thank you to Hillarie Orman for their secdir review. Title: While I'm not generally a fan of suggesting title changes, it may be warranted here. Perhaps, 'New Protocols Utilizing TLS Must Require TLS 1.3'. Abstract: I think you are burying the lead here. Perhaps: 'TLS 1.3 use is widespread, it has had comprehensive security proofs, and it improves both security and privacy over TLS 1.2. Therefore, new protocols that use TLS must require TLS 1.3. As DTLS 1.3 is not widely available or deployed, this prescription does not pertain to DTLS (in any DTLS version); it pertains to TLS only. This document updates RFC9325, discusses post-quantum cryptography and the security and privacy improvements over TLS 1.2 as a rationale for that update.' Introduction: For similar reasons (burying the lead), I would put the third para first, and then swap the first and second paragraph (some small changes will be needed - remove 'also'). Section 6, para 2: 'extension points'? maybe just 'extensions'? [or add 'points' to all the places 'extension' is used in the para.
Thank you to Roni Even for the GENART review.