The IESG has received a request from the Using TLS in Applications WG (uta) to consider the following document: - 'Recommendations for Secure Use of Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS)' <draft-ietf-uta-rfc7525bis-06.txt> as Best Current Practice
The IESG plans to make a decision in the next few weeks, and solicits final comments on this action. Please send substantive comments to the last-c...@ietf.org mailing lists by 2022-05-30. Exceptionally, comments may be sent to i...@ietf.org instead. In either case, please retain the beginning of the Subject line to allow automated sorting. Abstract Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS) are widely used to protect data exchanged over application protocols such as HTTP, SMTP, IMAP, POP, SIP, and XMPP. Over the years, the industry has witnessed several serious attacks on TLS and DTLS, including attacks on the most commonly used cipher suites and their modes of operation. This document provides recommendations for improving the security of deployed services that use TLS and DTLS. The recommendations are applicable to the majority of use cases. An earlier version of this document was published as RFC 7525 when the industry was in the midst of its transition to TLS 1.2. Years later this transition is largely complete and TLS 1.3 is widely available. This document updates the guidance, given the new environment. In addition, the document updates RFC 5288 and RFC 6066 in view of recent attacks. The file can be obtained via https://datatracker.ietf.org/doc/draft-ietf-uta-rfc7525bis/ No IPR declarations have been submitted directly on this I-D. The document contains these normative downward references. See RFC 3967 for additional information: rfc7465: Prohibiting RC4 Cipher Suites (Proposed Standard - Internet Engineering Task Force (IETF)) rfc6347: Datagram Transport Layer Security Version 1.2 (Proposed Standard - Internet Engineering Task Force (IETF)) rfc6176: Prohibiting Secure Sockets Layer (SSL) Version 2.0 (Proposed Standard - Internet Engineering Task Force (IETF)) rfc5746: Transport Layer Security (TLS) Renegotiation Indication Extension (Proposed Standard - Internet Engineering Task Force (IETF)) rfc7627: Transport Layer Security (TLS) Session Hash and Extended Master Secret Extension (Proposed Standard - Internet Engineering Task Force (IETF)) rfc8740: Using TLS 1.3 with HTTP/2 (Proposed Standard - Internet Engineering Task Force (IETF)) rfc7301: Transport Layer Security (TLS) Application-Layer Protocol Negotiation Extension (Proposed Standard - Internet Engineering Task Force (IETF)) rfc8422: Elliptic Curve Cryptography (ECC) Cipher Suites for Transport Layer Security (TLS) Versions 1.2 and Earlier (Proposed Standard - Internet Engineering Task Force (IETF)) rfc9155: Deprecating MD5 and SHA-1 Signature Hashes in TLS 1.2 and DTLS 1.2 (Proposed Standard - Internet Engineering Task Force (IETF)) rfc6125: Representation and Verification of Domain-Based Application Service Identity within Internet Public Key Infrastructure Using X.509 (PKIX) Certificates in the Context of Transport Layer Security (TLS) (Proposed Standard - Internet Engineering Task Force (IETF)) rfc5288: AES Galois Counter Mode (GCM) Cipher Suites for TLS (Proposed Standard - Internet Engineering Task Force (IETF)) rfc6066: Transport Layer Security (TLS) Extensions: Extension Definitions (Proposed Standard - Internet Engineering Task Force (IETF)) _______________________________________________ Uta mailing list Uta@ietf.org https://www.ietf.org/mailman/listinfo/uta
