On Thu, Apr 10, 2025 at 11:41 AM Jared Mauch <ja...@puck.nether.net> wrote:

> On Tue, Apr 08, 2025 at 06:05:22PM +0200, Toerless Eckert wrote:
> > Dear IESG, *:
> >
> > We received IESG review for draft-ietf-anima-brski-prm that was asking to
> > make the use of TLS 1.3 mandatory based on the expectation that
> draft-ietf-uta-require-tls13
> > would become RFC - unless we provide sufficient justification in our
> (prm) draft.
> >
> > I would like to point out, that it is the current version of
> draft-ietf-uta-require-tls13
> > whose core applicability reasoning is misleading:
> >
> > "since TLS 1.3 use is widespread, ...
> >    new protocols that use TLS must require and assume its existence
> >
> > This is not correct. Correct would be:
> >
> > "since TLS 1.3 use is widespread in browsers, ...
> >    new protocols that use browsers and TLS must require its use and
> assume its existence,
> >    protocols not using browsers must recommend its use and assume its
> existence
> >
>
>         The internet is not all HTTP transport, I'm not sure how to
> clearly get this message through the IETF.
>
>         It seems this is all that the IETF seems to think exists, hence
> DoH and other things without updating the host RFC to mandate these
> other behaviors.
>
>         Last I checked the packets got to/from the servers via routing
> protocols that did not use TLS, nor does the routing protocol require
> the privacy that TLS provides, as I raised in the security area
> meetings previously.
>

I'm certainly aware of this, having spent quite a bit of time working
on applications that run over UDP.


It appears to me that you are simply misreading the draft, which does
not require the use of TLS at all, but merely that if you are using
TLS, that you use TLS 1.3, and that only for new protocols.


>         At a recent meeting for another thing, the concept that we use
> TCP sessions that may have a multi-year lifetime seemed to shock some
> people.  Yes it's a real thing, because not everything is a json blob.
>
>         Not sure how much more clear this message can be.  Yes HTTP is
> very popular, but it's not the whole thing.
>

I'm not sure how this is relevant to the question at hand.

-Ekr
_______________________________________________
Uta mailing list -- uta@ietf.org
To unsubscribe send an email to uta-le...@ietf.org