Kathleen Moriarty has entered the following ballot position for draft-ietf-uta-tls-bcp-09: Yes
When responding, please keep the subject line intact and reply to all email addresses included in the To and CC lines. (Feel free to cut this introductory paragraph, however.)

Please refer to http://www.ietf.org/iesg/statement/discuss-criteria.html for more information about IESG DISCUSS and COMMENT positions.

The document, along with other ballot positions, can be found here:
http://datatracker.ietf.org/doc/draft-ietf-uta-tls-bcp/

----------------------------------------------------------------------
COMMENT:
----------------------------------------------------------------------

Thanks for your work on this very helpful draft! I just have a few comments/questions.

Section 5. Applicability statement:

Should this include application authors (mentioned in section 7.1) and developers who can set the defaults for implementations of TLS to help operators that are mentioned in this applicability statement? I see the sentence is phrased for 'deployment recommendations', but maybe this should also have a sentence or two on development recommendations.

Not for this draft, but this one raised a question for me.

Section 7.3: If you look at the following text:

   Unfortunately, many TLS/DTLS cipher suites were defined that do not
   feature forward secrecy, e.g., TLS_RSA_WITH_AES_256_CBC_SHA256.  This
   document therefore advocates strict use of forward-secrecy-only
   ciphers.

Should we be thinking about updates to the TLS registry to reflect this recommendation? That's probably not this draft, but a follow-on to provide the needed 'specification required'. I'm sure a lot more thought might be needed for that, and maybe support for features like PFS is added in a table if older recommendations that don't meet this are not removed.
http://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml

HTTPbis went to the trouble of creating a blacklist of cipher suites that includes ones in the TLS registry. They did take the MTI recommendation that is in this draft, which is good. See section 9.2 and appendix A.
https://datatracker.ietf.org/doc/draft-ietf-httpbis-http2/
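The ballot comment above turns on telling forward-secret cipher suites apart from ones like TLS_RSA_WITH_AES_256_CBC_SHA256 that use RSA key transport. The script below is an added example, not code from the ballot, the UTA draft, or the HTTP/2 draft: it classifies IANA cipher-suite names purely from their naming pattern (TLS_<kex>[_<auth>]_WITH_<cipher>_<mac>, or the TLS 1.3 form with no "_WITH_"), flags whether a suite offers authenticated forward secrecy and an AEAD cipher, and reports which entries of an operator's configured list fall short. The sample suite list, the `Verdict` type and the `audit` helper are constructed for illustration; the classification handles the common RSA, (EC)DH, (EC)DHE, PSK and anonymous families and marks anything else as unclassified rather than guessing.

```python
"""Audit IANA TLS cipher-suite names for authenticated forward secrecy.

Added example; not code from the ballot, the UTA draft, or the HTTP/2 draft.
Classification works purely from the IANA name pattern
TLS_<kex>[_<auth>]_WITH_<cipher>_<mac>: DHE/ECDHE key exchange is
ephemeral, TLS 1.3 names (no "_WITH_") always use (EC)DHE, while RSA key
transport, static (EC)DH and plain PSK are not forward secret. The sample
suite list is constructed for illustration.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

EPHEMERAL_KEX = {"DHE", "ECDHE"}           # ephemeral (EC)DH in the kex field
TLS13_PREFIXES = ("TLS_AES_", "TLS_CHACHA20_")
AEAD_TOKENS = {"GCM", "CCM", "POLY1305"}   # "CCM_8" splits into "CCM", "8"


@dataclass(frozen=True)
class Verdict:
    suite: str
    forward_secret: Optional[bool]   # None: name could not be classified
    authenticated: Optional[bool]
    aead: Optional[bool]
    note: str

    @property
    def acceptable(self) -> bool:
        """Authenticated forward secrecy is the bar the draft text argues for."""
        return bool(self.forward_secret and self.authenticated)


def classify(suite: str) -> Verdict:
    name = suite.strip().upper()
    if not name.startswith("TLS_"):
        return Verdict(suite, None, None, None, "not an IANA TLS_ name")
    if "_WITH_" not in name:
        if name.startswith(TLS13_PREFIXES):
            # TLS 1.3 suites name only AEAD + hash; key exchange is always ephemeral.
            return Verdict(suite, True, True, True, "TLS 1.3 suite")
        return Verdict(suite, None, None, None, "signalling value or unrecognised form")
    kex_part, cipher_part = name.split("_WITH_", 1)
    kex_tokens = kex_part[len("TLS_"):].split("_")
    aead = any(t in AEAD_TOKENS for t in cipher_part.split("_"))
    ephemeral = any(t in EPHEMERAL_KEX for t in kex_tokens)
    if "ANON" in kex_tokens:
        # DH_anon/ECDH_anon use ephemeral DH but never authenticate the peer.
        return Verdict(suite, True, False, aead, "anonymous key exchange")
    if ephemeral:
        return Verdict(suite, True, True, aead, "ephemeral (EC)DHE key exchange")
    return Verdict(suite, False, True, aead,
                   "static key exchange (RSA transport, static (EC)DH or plain PSK)")


def audit(suites: List[str]) -> Tuple[List[str], List[str]]:
    """Return (rejected, unclassified) suite names from an operator's list."""
    rejected, unclassified = [], []
    for s in suites:
        v = classify(s)
        if v.forward_secret is None:
            unclassified.append(s)
        elif not v.acceptable:
            rejected.append(s)
    return rejected, unclassified


# Constructed sample: a mixed list an operator might find in an older config.
SAMPLE_SUITES = [
    "TLS_RSA_WITH_AES_256_CBC_SHA256",          # the draft's own non-FS example
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA",      # static ECDH: no forward secrecy
    "TLS_PSK_WITH_AES_128_CBC_SHA",             # plain PSK: no forward secrecy
    "TLS_DH_anon_WITH_AES_128_CBC_SHA",         # ephemeral but unauthenticated
    "TLS_AES_128_GCM_SHA256",                   # TLS 1.3
    "TLS_EMPTY_RENEGOTIATION_INFO_SCSV",        # signalling value, not a suite
]

if __name__ == "__main__":
    for s in SAMPLE_SUITES:
        v = classify(s)
        print(f"{s:40} fs={v.forward_secret} auth={v.authenticated} aead={v.aead}  {v.note}")
    print("rejected:", audit(SAMPLE_SUITES)[0])
```

Running the script lists each suite's verdict and then the rejected entries; the first rejected name is the draft's own example, since RSA key transport lets a later compromise of the server's private key decrypt recorded sessions. Because a registry lookup by name is all the script does, it says nothing about key sizes or curve choices; it is meant as a first pass over a configured list before consulting the registry and the draft's recommendations.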