On Tue, Apr 08, 2025 at 06:05:22PM +0200, Toerless Eckert wrote:
> Dear IESG, *:
>
> We received IESG review for draft-ietf-anima-brski-prm that was asking to
> make the use of TLS 1.3 mandatory based on the expectation that
> draft-ietf-uta-require-tls13
> would become RFC - unless we provide sufficient justification in our (prm)
> draft.
>
> I would like to point out that it is the current version of
> draft-ietf-uta-require-tls13
> whose core applicability reasoning is misleading:
>
> "since TLS 1.3 use is widespread, ...
> new protocols that use TLS must require and assume its existence"
>
> This is not correct. Correct would be:
>
> "since TLS 1.3 use is widespread in browsers, ...
> new protocols that use browsers and TLS must require its use and assume
> its existence,
> protocols not using browsers must recommend its use and assume its
> existence"
>
The internet is not all HTTP transport, and I'm not sure how to clearly get this message through the IETF. It seems this is all that the IETF seems to think exists, hence DoH and other things without updating the host RFC to mandate these other behaviors.

Last I checked, the packets got to/from the servers via routing protocols that did not use TLS, nor does the routing protocol require the privacy that TLS provides, as I raised in the security area meetings previously.

I get that when people look at things and they only have a hammer they try to use it, but until we deprecate all protocol and port numbers, trying to legislate through the standards process requirements that we don't need continues to demonstrate the disconnect that exists here.

And ask yourself, why would someone with a differing opinion bother to engage here? There's no incentive; we are told we don't know what we are talking about and are basically ignored.

At a recent meeting for another thing, the concept that we use TCP sessions that may have a multi-year lifetime seemed to shock some people. Yes, it's a real thing, because not everything is a JSON blob.

Not sure how much more clear this message can be. Yes, HTTP is very popular, but it's not the whole thing.

- Jared

_______________________________________________
Uta mailing list -- uta@ietf.org
To unsubscribe send an email to uta-le...@ietf.org