Hi, I made the following two PRs to remove paywalled normative references. Paywalled crypto specifications are a cybersecurity risk. People should not have to pay to implement or analyze TLS 1.3.

Editorial updates to references #1369
https://github.com/tlswg/tls13-spec/pull/1369

Remove normative references to paywalled crypto #1370
https://github.com/tlswg/tls13-spec/pull/1370

#1369 should be editorial. #1370 changes the reference for some of the ECDH calculation from to [KEYAGREEMENT]. Some of the ECDH calculations already reference [KEYAGREEMENT] and the changed text in 7.4.2. does not contain any RFC2119 language.

Cheers,
John

From: John Mattsson <john.mattsson=40ericsson....@dmarc.ietf.org>
Date: Sunday, 2 February 2025 at 12:45
To: Sean Turner <s...@sn3rd.com>, TLS List <tls@ietf.org>
Subject: [TLS] Re: I-D Action: draft-ietf-tls-rfc8446bis-11.txt

Hi,

I am very happy that both FIPS 186-5 and RFC8446bis have removed the normative reference to ANSI X.62. I strongly think RFC8446bis should replace ALL normative references to paywalled documents. I think normative references to paywalled crypto documents are a substantial cybersecurity risk and go against everything the IETF stands for [1-3].

I looked through all normative references in RFC8446bis.

- [DH76] This document is freely available at https://ee.stanford.edu/~hellman/publications/24.pdf but I have a hard time seeing this as a normative reference. I think it should be moved to informal.

- [IEEE1363] This is paywalled. I don't think RFC8446bis should be published with this as a normative reference. I think this can and should be replaced with NIST SP 800-56A or SECG SEC 1.
  https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-56Ar3.pdf
  https://www.secg.org/sec1-v2.pdf

Additional comments on references

- [RFC8996] "*** BROKEN REFERENCE ***" Something wrong here.
- [GCM] Should add a URL https://doi.org/10.6028/NIST.SP.800-38D
- [X690] Should add a URL https://www.itu.int/rec/T-REC-X.690-202102-I/en

[1] https://emanjon.github.io/NIST-comments/2025%20-%20SP%20800-56%20Subseries.pdf
[2] https://csrc.nist.gov/News/2024/nist-to-revise-special-publication-80038e
[3] https://csrc.nist.gov/csrc/media/projects/crypto-publication-review-project/documents/decision-proposal-comments/sp800-38e-decision-proposal-comments-2023.pdf

Cheers,
John

On 2024-09-16, 18:08, "Sean Turner" <s...@sn3rd.com> wrote:

This version addresses all known issues. I will begin work on the write-up, but I would expect it to be with our AD by next week.

spt

> On Sep 14, 2024, at 16:19, internet-dra...@ietf.org wrote:
>
> Internet-Draft draft-ietf-tls-rfc8446bis-11.txt is now available. It is a work
> item of the Transport Layer Security (TLS) WG of the IETF.
>
> Title: The Transport Layer Security (TLS) Protocol Version 1.3
> Author: Eric Rescorla
> Name: draft-ietf-tls-rfc8446bis-11.txt
> Pages: 160
> Dates: 2024-09-14
>
> Abstract:
>
> This document specifies version 1.3 of the Transport Layer Security
> (TLS) protocol. TLS allows client/server applications to communicate
> over the Internet in a way that is designed to prevent eavesdropping,
> tampering, and message forgery.
>
> This document updates RFCs 5705, 6066, 7627, and 8422 and obsoletes
> RFCs 5077, 5246, 6961, 8422, and 8446. This document also specifies
> new requirements for TLS 1.2 implementations.
>
> The IETF datatracker status page for this Internet-Draft is:
> https://datatracker.ietf.org/doc/draft-ietf-tls-rfc8446bis/
>
> There is also an HTML version available at:
> https://www.ietf.org/archive/id/draft-ietf-tls-rfc8446bis-11.html
>
> A diff from the previous version is available at:
> https://author-tools.ietf.org/iddiff?url2=draft-ietf-tls-rfc8446bis-11
>
> Internet-Drafts are also available by rsync at:
> rsync.ietf.org::internet-drafts
>
> _______________________________________________
> I-D-Announce mailing list -- i-d-annou...@ietf.org
> To unsubscribe send an email to i-d-announce-le...@ietf.org