Hi Viktor,
That works for me. I'll wait for the Chairs to ask for a new version before
publishing.
Best regards,
Chris
On Tue, Sep 19, 2023 at 12:39 PM Viktor Dukhovni
wrote:
> On Tue, Sep 19, 2023 at 07:25:51AM -0400, Chris Lonvick wrote:
>
> > I think that the changes to Sections 4 and 5 sho
On Tue, Sep 19, 2023 at 07:25:51AM -0400, Chris Lonvick wrote:
> I think that the changes to Sections 4 and 5 should be limited to
> replacing "MUST NOT" with "SHOULD NOT". That will provide clear
> guidance for implementers.
>
> I was then thinking of changing the Security Considerations section
Hi Viktor,
Your comments didn't go unnoticed.
I think that the changes to Sections 4 and 5 should be limited to replacing
"MUST NOT" with "SHOULD NOT". That will provide clear guidance for
implementers.
I was then thinking of changing the Security Considerations section to the
following:
---vvv-
On Wed, Sep 06, 2023 at 12:53:39PM -0400, Chris Lonvick wrote:
> Hi Viktor and all,
>
> I see your point.
>
> How about if the phrases "MUST NOT offer TLS_RSA_WITH_AES_128_CBC_SHA" in
> Sections 4 and 5 be changed to "SHOULD NOT offer..."?
>
> This seems to be more consistent with Section 4.2.1
Hi Hubert,
I don't think that the guidance should be "MUST NOT". That would be
exceeding the recommendation of BCP 195 and would leave administrators of
devices that only support TLS_RSA_WITH_AES_128_CBC_SHA with no
interoperability options. Following the guidance of BCP 195 by using "SHOULD NOT"
RSA key exchange are the worst ciphersuites you can possibly use, they should
be MUST NOT as anything else is an improvement.
If that's the only interoperable ciphersuite that's available in the environment
that the administrator is configuring, they'll ignore any guidance anyway.
On Wednesda
Hi Ilari,
If a syslog server MUST NOT offer the only cipher suite that an associated
client has available then the client will not be able to securely convey
syslog messages to that server. That would break things. Changing that to
"SHOULD NOT" allows an administrator to evaluate the risks. The
ad
On Wed, Sep 06, 2023 at 12:53:39PM -0400, Chris Lonvick wrote:
> Hi Viktor and all,
>
> I see your point.
>
> How about if the phrases "MUST NOT offer TLS_RSA_WITH_AES_128_CBC_SHA" in
> Sections 4 and 5 be changed to "SHOULD NOT offer..."?
>
> This seems to be more consistent with Section 4.2.1
Chair hat off, this suggestion makes sense to me, I would support making
the change, unless a strong counter argument is presented.
OS
On Wed, Sep 6, 2023 at 11:54 AM Chris Lonvick
wrote:
> Hi Viktor and all,
>
> I see your point.
>
> How about if the phrases "MUST NOT offer TLS_RSA_WITH_AES_12
Hi Viktor and all,
I see your point.
How about if the phrases "MUST NOT offer TLS_RSA_WITH_AES_128_CBC_SHA" in
Sections 4 and 5 be changed to "SHOULD NOT offer..."?
This seems to be more consistent with Section 4.2.1 of RFC 9325 (BCP 195)
and will continue to allow devices to offer that algorith
Sorry if I was not clear, I was hoping to see the comment responded to,
even if the consensus is to not make changes.
Once we can see the group position on it, I think we will have addressed
comments raised during WGLC.
OS
On Wed, Sep 6, 2023 at 9:02 AM Salz, Rich wrote:
>
>- This is curre
* This is currently the only comment we have seen outside of support for
the draft being WGLC complete.
Viktor is the only person who has brought this up. Now I know there hasn’t been
a lot of discussion, but I’m not sure consensus is with his position.
draft-ietf-uta-ciphersuites-in-sec-syslog Authors,
This is currently the only comment we have seen outside of support for the
draft being WGLC complete.
We recommend addressing this comment, if you agree I will update the data
tracker.
Regards,
Orie and Valery
On Thu, Aug 31, 2023 at 10:41 AM
On Mon, Aug 21, 2023 at 07:16:01AM -0400, Chris Lonvick wrote:
> We think that this version is ready for WG Last Call. Would the members of
> the WG please review and let us know (on the WG list) if there are any
> objections?
>
The draft looks clear enough. My main concern is not with readynes
: [Uta] Reviews requested - draft-ietf-uta-ciphersuites-in-sec-syslog
Hi,
We think that this version is ready for WG Last Call. Would the members of the
WG please review and let us know (on the WG list) if there are any objections?
The IETF datatracker status page for this Internet-Draft is:
https
I read the diff and still think it’s ready for WGLC.
___
Uta mailing list
Uta@ietf.org
https://www.ietf.org/mailman/listinfo/uta
Hi,
We think that this version is ready for WG Last Call. Would the members of
the WG please review and let us know (on the WG list) if there are any
objections?
The IETF datatracker status page for this Internet-Draft is:
https://datatracker.ietf.org/doc/draft-ietf-uta-ciphersuites-in-sec-syslog