Last Call Review of draft-ietf-uta-require-tls13-06
review-ietf-uta-require-tls13-06-secdir-lc-orman-2025-03-04-00

Request Review of draft-ietf-uta-require-tls13
Requested revision No specific revision (document currently at 12)
Type IETF Last Call Review
Team Security Area Directorate (secdir)
Deadline 2025-03-04
Requested 2025-02-18
Authors Rich Salz , Nimrod Aviram
I-D last updated 2025-04-17 (Latest revision 2025-04-14)
Completed reviews Artart IETF Last Call review of -05 by Barry Leiba (diff)
Genart IETF Last Call review of -06 by Roni Even (diff)
Dnsdir IETF Last Call review of -05 by Geoff Huston (diff)
Secdir IETF Last Call review of -06 by Hilarie Orman (diff)
Tsvart IETF Last Call review of -06 by Martin Duke (diff)
Dnsdir IETF Last Call review of -06 by Geoff Huston (diff)
Opsdir Telechat review of -09 by Samier Barguil (diff)
Dnsdir Telechat review of -10 by Scott Rose (diff)
Dnsdir Telechat review of -12 by Geoff Huston
Assignment Reviewer Hilarie Orman
State Completed
Request IETF Last Call review on draft-ietf-uta-require-tls13 by Security Area Directorate Assigned
Posted at https://mailarchive.ietf.org/arch/msg/secdir/LKD1WcNiKyzUg-e1u3Hr3LYL-g0
Reviewed revision 06 (document currently at 12)
Result Has nits
Completed 2025-03-04
review-ietf-uta-require-tls13-06-secdir-lc-orman-2025-03-04-00
Do not be alarmed.  I generated this review of this document as part
of the security directorate's ongoing effort to review all IETF
documents being processed by the IESG.  These comments were written
with the intent of improving security requirements and considerations
in IETF drafts.  Comments not addressed in last call may be included
in AD reviews during the IESG review.  Document editors and WG chairs
should treat these comments just like any other last call comments.

The gist of the document is "use TLS 1.3", but I cannot tell what the
command is directed to.  The title says "new protocols".  Does that
mean "new protocols that require transport layer confidentiality,
integrity, and authentication"??  Any new protocol that specifies TLS?
Or simply any new protocol within the IETF?  Section 1 says that it
updates Section 5 of RFC9325. but it's not clear if that is the sole
intent of this document, or if it has a wider scope.

"TLS 1.3 enjoys robust security proofs" sounds definitive, but I think
that might be misleading to the average reader.  There has been a
great deal of attention paid to proving various cryptographic aspects
of the protocol, and some attention to implementation proofs, but
these fall short of being an ironclad guarantee that "this cannot fail in
practice".  I don't think "robust" has any useful technical meaning
with regard to proofs.  Some rephrasing might convey the idea that
"there has been a lot of careful scrutiny of the the protocol."

Section 3 states "cryptographically-relevant quantum computers (CRQC),
once available, ..." raises our expectations for these devices.  
Do they exist now, but they aren't "available" for cryptography?
Will they exist within the lifetime of anyone reading the document
now?  It's highly debatable.  I'd add a pinch more of the subjunctive
tense to this.

Section 6: "TLS 1.2 was specified with several cryptographic
   primitives and design choices that have, over time, weakened its
   security."

I'd not say that the security has changed, but our understanding of its
security has changed.

Hilarie