On 2/20/15 1:22 PM, Pete Resnick wrote:
On 2/20/15 1:43 PM, Richard Barnes wrote:

On Fri, Feb 20, 2015 at 2:12 PM, Stephen Farrell
<stephen.farr...@cs.tcd.ie> wrote:


        The sense of the UTA Working Group was to complete
        work on this document about best practices for TLS in
        general, and to
        initiate work on a separate document about opportunistic TLS.

    No, I don't believe we've decided that UTA will be the place where
    we develop a BCP on OS. [...]

    I'd really really hope we disentangle that discussion from this
    draft though, so please replace the last sentence with:

        "The sense of the UTA Working Group was to complete
        work on this document about best practices for TLS in general, and to
        for work on a separate BCP document about opportunistic security
        to be done later."



FWIW:
- That text is not mine; it has been in since -07.
- I would personally be A-OK with UTA working on opportunistic TLS,
especially in the sense of providing advice on how to interop with old
stuff in ways most likely to result in TLS usage.
- It's probably not a great idea to say that in this document

How about:
"The sense of the UTA Working Group was to complete work on this
document about best practices for TLS in general, and to leave
recommendations about opportunistic TLS for future work."

Or we could drop mention of the WG entirely:

"This document specifies best practices for TLS in general. A separate
document with recommendations for the use of TLS with opportunistic
security is to be completed in the future."

Sure.

So (with some hopefully slight edits)...

###

5.2.  Opportunistic Security

   There are several important scenarios in which the use of TLS is
   optional, i.e., the client decides dynamically ("opportunistically")
   whether to use TLS with a particular server or to connect in the
   clear.  This practice, often called "opportunistic security", is
   described at length in [RFC7435] and is often motivated by a desire
   for backward compatibility with legacy deployments.

   In these scenarios, some of the recommendations in this document
   might be too strict, since adhering to them could cause fallback to
   cleartext, a worse outcome than using TLS with an outdated protocol
   version or cipher suite.

   This document specifies best practices for TLS in general.  A
   separate document containing recommendations for the use of TLS with
   opportunistic security is to be completed in the future.

###


_______________________________________________
Uta mailing list
Uta@ietf.org
https://www.ietf.org/mailman/listinfo/uta
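The trade-off that the proposed section 5.2 describes (a client for which TLS is optional should not be pushed to cleartext by a strict profile, because legacy TLS still beats no TLS) can be made concrete as a tiered negotiation policy. The following is an added example written for this page; it is not code from the thread, the draft, or the UTA working group. The `Server` objects are constructed stand-ins for what a STARTTLS peer would advertise, no network I/O happens, and the contents of the "relaxed" profile (TLS 1.0 floor, no certificate validation) are this example's assumptions, since the draft explicitly defers those recommendations to a future document. An active attacker stripping the TLS offer is not modeled here.

```python
"""Tiered TLS negotiation for an opportunistic client (added example).

Contrasts two clients: one for which TLS is mandatory (strict profile or
abort) and one for which TLS is optional, which tries the strict profile,
then a relaxed profile, and only then falls back to cleartext. A third
function shows the failure mode the draft warns about: applying the strict
profile unchanged in the optional case, so every strict failure becomes
cleartext. All peers are constructed stand-ins; nothing touches a socket.
"""
from dataclasses import dataclass
from enum import IntEnum
from typing import Optional


class TLSVersion(IntEnum):
    TLS1_0 = 0x0301
    TLS1_1 = 0x0302
    TLS1_2 = 0x0303
    TLS1_3 = 0x0304


@dataclass(frozen=True)
class Profile:
    name: str
    min_version: TLSVersion
    require_valid_cert: bool


# Strict profile: the general recommendations (TLS 1.2+, validated certificate).
STRICT = Profile("strict", TLSVersion.TLS1_2, require_valid_cert=True)
# Relaxed profile for opportunistic use. These parameters are an assumption
# made for this example; the draft leaves them to a future document.
RELAXED = Profile("relaxed", TLSVersion.TLS1_0, require_valid_cert=False)


@dataclass
class Server:
    """Constructed stand-in for a peer's advertised TLS capabilities."""
    offers_tls: bool
    max_version: Optional[TLSVersion] = None
    cert_valid: bool = False


def handshake(server: Server, profile: Profile) -> bool:
    """Simulated handshake: succeeds only if the peer satisfies the profile."""
    if not server.offers_tls or server.max_version is None:
        return False
    if server.max_version < profile.min_version:
        return False
    if profile.require_valid_cert and not server.cert_valid:
        return False
    return True


def negotiate(server: Server, tls_optional: bool) -> str:
    """Select a transport.

    Mandatory TLS: strict profile or abort the connection.
    Optional TLS: strict, then relaxed, then cleartext as the last resort,
    so a legacy peer still ends up on TLS rather than in the clear.
    """
    if handshake(server, STRICT):
        return "tls:strict"
    if not tls_optional:
        return "abort"
    if handshake(server, RELAXED):
        return "tls:relaxed"
    return "cleartext"


def naive_negotiate(server: Server, tls_optional: bool) -> str:
    """The anti-pattern: strict profile only, with cleartext as the fallback.

    Any peer that fails the strict profile (old version, self-signed cert)
    is downgraded to cleartext, which is the worse outcome section 5.2 names.
    """
    if handshake(server, STRICT):
        return "tls:strict"
    return "cleartext" if tls_optional else "abort"


if __name__ == "__main__":
    peers = {
        "modern": Server(True, TLSVersion.TLS1_3, cert_valid=True),
        "legacy tls1.0": Server(True, TLSVersion.TLS1_0),
        "self-signed": Server(True, TLSVersion.TLS1_2, cert_valid=False),
        "no tls": Server(False),
    }
    for label, peer in peers.items():
        print(f"{label:14} tiered={negotiate(peer, True):12} "
              f"naive={naive_negotiate(peer, True):12} "
              f"mandatory={negotiate(peer, False)}")
```

Running the block prints one row per constructed peer; the rows for the legacy and self-signed peers are where the tiered and naive policies diverge, which is the point the draft paragraph makes in prose.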