Technical Summary
This document provides guidance for implementing and using Transport
Layer Security (TLS) and Datagram Transport Layer Security (DTLS)
protocols in order to ensure authentication, confidentiality, and
data integrity protection to communications exchanged over a broad
range of application protocols that desire these properties. It is
expected that applications' communities consult this document before
stating application-specific recommendations on a case-by-case basis
if needed.
Working Group Summary
This document is requested to be published as a BCP. It lists and
explains the rationale for the best existing practices known to
protect against a growing number of security attacks against TLS and
DTLS. (These attacks are documented in a companion document
https://datatracker.ietf.org/doc/draft-ietf-uta-tls-attacks/). For
example, this document calls for the deployment of algorithms that
are typically implemented by TLS and DTLS software, but not yet
widely used by applications.
There has been a strong consensus on the UTA list (and beyond) that
the information in this document is extremely timely and valuable to
the broad community and that the document needs to be published as
soon as possible. Comments have been made about the applicability of
this document after TLS 1.3 is published and deployed. A system that
deploys TLS 1.3 will have fewer vulnerabilities than TLS 1.2 or
below, but the strength of various algorithms and the feasibility of
known and new attacks is a point-in-time statement. This document is
likely to be updated after TLS 1.3 gets noticeable deployment.
Document Quality
The document has been thoroughly reviewed by a long string of
security and applications' experts for its content and readability.
For reference, please see the year-long active discussion on the
http://www.ietf.org/mail-archive/web/uta/current/maillist.html and
the "Acknowledgements" section of the document. There has been a
number of topics that generated extensive discussions on the list and
resulting in a consensus. The exact choice of the recommended cipher
suites has been discussed in length in order to find the right
balance between achieving security and interoperability. The
conclusion has been captured in section 4.2 of the document.
Determining the requirements of a typical application using TLS or
DTLS have been discussed at length and led to writing the
"applicability statement" in section 5 of the document. As a result,
applications that intentionally choose not to rely on the
authentication, confidentiality, or data integrity properties
provided by TLS and DTLS don't need to follow the recommendations of
this document. Specifically, the cases of "unauthenticated TLS" or
"opportunistic security" are not covered in this document leaving the
opportunity to write TLS/DTLS recommendations for these cases in the
future.
A recent concern has been expressed on the list that readers less
involved in the IETF get confused by having four recommendations for
using TLS/DTLS: the TLS spec, the Constrained Application Protocol
(CoAP) spec, the UTA BCP (i.e., this document), and the DTLS Profile
for Internet of Things
(https://tools.ietf.org/html/draft-ietf-dice-profile-08). To address
this concern, it is important to note that (1) this document doesn't
profile neither TLS nor DTLS (e.g., it does not change their MTI
algorithms); (2) IoT and CoAP define a particular application
environment with its specific profile(s) to be followed by its
community; and (3) we hope that CoAP and DICE community find the
information captured in this document as a useful input to their work.
Personnel
The document shepherd is Orit Levin.
The responsible Area Director is Pete Resnick.