On 2/18/15 11:53 AM, Pete Resnick wrote:
On 2/18/15 5:07 AM, Leif Johansson wrote:
The idea of making best practice sorta-kinda normative makes me a bit
queasy.

Let's not forget that a BCP *is* a community consensus document. It
means that the IETF community has decided that we do things a particular
way. A BCP *is* normative.

I think it's quite reasonable for the document to say, "MUST NOT
negotiate SSLv2" because doing otherwise causes harm to implementations
and to the net in general. There are no Internet police. If you violate
that MUST NOT, you don't go to jail. We're simply saying that the way
to do security properly on the Internet is that you MUST NOT use SSLv2.

So I don't have a problem with the document saying, "Existing protocols
have tradeoffs to make between interoperability and security, so we (the
IETF) expect those tradeoffs to be made. New protocols we (the IETF)
expect to abide by the requirements and recommendations in this document
unless they give some serious justification for not doing so." That's
what we mean by a BCP.

Exactly. Yesterday I proposed the following text for the section on applicability:

   This document does not modify the implementation and deployment
   recommendations (e.g., mandatory-to-implement cipher suites)
   prescribed by existing application protocols that employ TLS or DTLS.
   If the community that uses such an application protocol wishes to
   modernize its usage of TLS or DTLS to be consistent with the best
   practices recommended here, it needs to publish a document that
   explicitly updates the existing application protocol definition (one
   example of such a document is [I-D.ietf-uta-xmpp]).

   Designers of new application protocols developed through the Internet
   Standards Process are expected to conform to the best practices
   recommended here, unless they provide documentation of compelling
   reasons that would prevent such conformance (e.g., widespread
   deployment on constrained devices that lack support for the necessary
   algorithms).

Does that meet our needs?

Peter


_______________________________________________
Uta mailing list
Uta@ietf.org
https://www.ietf.org/mailman/listinfo/uta
