Hi Martin,

> -----Original Message-----
> From: Martin Thomson <m...@lowentropy.net>
> Sent: 15 July 2022 21:37
> To: Peter Saint-Andre <stpe...@stpeter.im>; Rob Wilton (rwilton)
> <rwil...@cisco.com>; The IESG <i...@ietf.org>
> Cc: draft-ietf-uta-rfc7525...@ietf.org; uta-cha...@ietf.org; uta@ietf.org;
> le...@sunet.se
> Subject: Re: [Uta] Robert Wilton's Discuss on draft-ietf-uta-rfc7525bis-09:
> (with DISCUSS and COMMENT)
> 
> On Sat, Jul 16, 2022, at 06:01, Peter Saint-Andre wrote:
> >> Shouldn’t this be "Implementations MUST support TLS 1.2 {{!RFC5246}} or
> >> a later version"?  Otherwise, protocols like QUIC would presumably not be
> >> compliant with this BCP if they only support TLS 1.3?  Or alternatively, this
> >> could probably be stated as "Implementations MAY support TLS 1.2
> >> {{!RFC5246}}".
> >
> > The implementations we've always had in mind for this document are
> > TLS/DTLS implementations, not implementations of protocols that re-use
> > TLS/DTLS in whole or in part (e.g. QUIC re-uses the handshake protocol
> > but not the record layer). However, that's not crystal clear in the
> > document because we only recently started mentioning QUIC. I'll talk
> > with my co-authors about this when we next have a chance to meet
> > regarding all the recent feedback.
> 
> I think that you are right to be cautious here.  What you want to have happen
> is interoperability.  If you say 1.2 or later, then there is a risk of some
> implementations doing 1.2 only and some doing 1.3 only, then you lose the
> ability to communicate.

The introduction states:

   This document attempts to minimize new guidance to TLS 1.2
   implementations, and the overall approach is to encourage systems to
   move to TLS 1.3.

and 

   These are minimum recommendations for the use of TLS in the vast
   majority of implementation and deployment scenarios, with the
   exception of unauthenticated TLS (see Section 5).

And section 3.1.1 states:

      Rationale: secure deployment of TLS 1.3 is significantly easier
      and less error prone than secure deployment of TLS 1.2.

I completely get wanting the interop, but the MUST implement TLS 1.2 still 
feels too strong given that AIUI, one of the reasons for TLS 1.3 was to help 
mitigate some of the security issues that turned up in TLS 1.2.  It feels 
reasonable to me for a server deployment to decide that they will only support 
TLS 1.3 because it is easier to deploy securely, placing the requirement on the 
client to also support TLS 1.3 for successful interop.

Equally, I can also foresee continued deployments, where they still decide to 
support old versions of TLS before 1.2 to ensure that they can still 
interoperate with legacy clients that have not upgraded.

Regards,
Rob



> 
> I think that you might benefit from putting QUIC out of scope, except to note
> that some of the advice is applicable to QUIC insofar as it uses the TLS (1.3)
> handshake.
_______________________________________________
Uta mailing list
Uta@ietf.org
https://www.ietf.org/mailman/listinfo/uta