> On Oct 25, 2017, at 6:13 PM, Jim Fenton <fen...@bluepopcorn.net> wrote:
>
> Again, since STS is not specifying TLS parameters, so it should refrain
> from telling the client what to do here.

I somewhat agree, and yet some guidance is appropriate, if only to enhance interoperability so that server operators configure their servers to meet the expected security floor, and clients have some idea about safe minima they can enforce. In RFC7435 I wrote:

    With unauthenticated, encrypted communication, OS protocols may employ more liberal settings than would be best practice when security is mandated by policy. Some legacy systems support encryption, but implement only outdated algorithms or protocol versions. Compatibility with these systems avoids the need to resort to cleartext fallback.

    For greater assurance of channel security, an OS protocol may enforce more stringent cryptographic parameters when the session is authenticated. For example, the set of enabled Transport Layer Security (TLS) [RFC5246] cipher suites might exclude deprecated algorithms that would be tolerated with unauthenticated, encrypted communication.

    OS protocols should produce authenticated, encrypted communication when authentication of the peer is "expected". Here, "expected" means a determination via a downgrade-resistant method that authentication of that peer is expected to work. Downgrade-resistant methods include: validated DANE DNS records, existing TOFU identity information, and manual configuration. Such use of authentication is "opportunistic", in that it is performed when possible, on a per-session basis.

The middle paragraph leaves room for setting a somewhat higher floor for authenticated channels, and it would not be entirely inappropriate for STS to provide some guidance to server operations of the required minimum security. Thus perhaps servers must support at least TLS 1.2, and at least the associated MTI ciphersuites.

Which is different from requiring that clients or servers reject weaker options, but given such a server requirement, it would not be too unreasonable for STS clients to in fact require at least TLS 1.2 and its MTI ciphersuites from STS servers.

--
Viktor.

_______________________________________________
Uta mailing list
Uta@ietf.org
https://www.ietf.org/mailman/listinfo/uta
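
An added example, not part of the original message or of any STS draft: a Python sketch of a client that applies the two floors discussed above, a liberal one for unauthenticated opportunistic TLS and TLS 1.2 plus certificate validation when authentication is expected. The function names and the `auth_expected` flag (standing in for a downgrade-resistant signal such as a cached policy) are assumptions for illustration.

```python
import ssl

# Version strings as returned by ssl.SSLSocket.version(), weakest first.
_VERSIONS = ["SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
AUTHENTICATED_FLOOR = "TLSv1.2"  # the minimum suggested in the message above


def client_context(auth_expected: bool) -> ssl.SSLContext:
    """Build the TLS client context for one connection attempt.

    auth_expected must come from a downgrade-resistant source (assumed here
    to be a previously validated policy), never from the live session itself.
    """
    if auth_expected:
        # Authenticated channel: verify chain and hostname, raise the floor.
        ctx = ssl.create_default_context()
        ctx.minimum_version = ssl.TLSVersion.TLSv1_2
        return ctx
    # Opportunistic channel: no authentication, and legacy protocol versions
    # are tolerated because the only alternative is cleartext.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False  # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    return ctx  # cipher suites stay at the library default in both modes


def meets_floor(negotiated, floor=AUTHENTICATED_FLOOR) -> bool:
    """Check a negotiated version (e.g. from a session log) against the floor."""
    if negotiated not in _VERSIONS:
        return False  # None (no TLS) or an unknown label never passes
    return _VERSIONS.index(negotiated) >= _VERSIONS.index(floor)
```

`meets_floor` is useful on the opportunistic path, where the handshake itself will not reject a legacy peer: it lets an operator log which sessions would fail once the higher floor is enforced.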