> On Oct 25, 2017, at 6:13 PM, Jim Fenton <fen...@bluepopcorn.net> wrote:
> 
> Again, since STS is not specifying TLS parameters, so it should refrain
> from telling the client what to do here.

I somewhat agree, and yet some guidance is appropriate, if only to enhance
interoperability so that server operators configure their servers to meet
the expected security floor, and clients have some idea about safe minima
they can enforce.

In RFC7435 I wrote:

   With unauthenticated, encrypted communication, OS protocols may
   employ more liberal settings than would be best practice when
   security is mandated by policy.  Some legacy systems support
   encryption, but implement only outdated algorithms or protocol
   versions.  Compatibility with these systems avoids the need to resort
   to cleartext fallback.

   For greater assurance of channel security, an OS protocol may enforce
   more stringent cryptographic parameters when the session is
   authenticated.  For example, the set of enabled Transport Layer
   Security (TLS) [RFC5246] cipher suites might exclude deprecated
   algorithms that would be tolerated with unauthenticated, encrypted
   communication.

   OS protocols should produce authenticated, encrypted communication
   when authentication of the peer is "expected".  Here, "expected"
   means a determination via a downgrade-resistant method that
   authentication of that peer is expected to work.  Downgrade-resistant
   methods include: validated DANE DNS records, existing TOFU identity
   information, and manual configuration.  Such use of authentication is
   "opportunistic", in that it is performed when possible, on a per-
   session basis.

The middle paragraph leaves room for setting a somewhat higher floor
for authenticated channels, and it would not be entirely inappropriate
for STS to provide some guidance to server operations of the required
minimum security.  Thus perhaps servers must support at least TLS 1.2,
and at least the associated MTI ciphersuites.  Which is different from
requiring that clients or servers reject weaker options, but given such
a server requirement, it would not be too unreasonable for STS clients
to in fact require at least TLS 1.2 and its MTI ciphersuites from STS
servers.

-- 
        Viktor.

_______________________________________________
Uta mailing list
Uta@ietf.org
https://www.ietf.org/mailman/listinfo/uta
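
The two security floors discussed in the message above, sketched as an added example that is not part of the original thread or of any STS specification. The function names, the TLS 1.2 floor constant and the accept/reject rule are assumptions drawn from the suggestion in the message; ciphersuite selection is not modelled.

```python
import ssl

# Rank of the strings returned by ssl.SSLSocket.version().
_VERSION_RANK = {"SSLv3": 0, "TLSv1": 1, "TLSv1.1": 2, "TLSv1.2": 3, "TLSv1.3": 4}
STS_FLOOR = "TLSv1.2"  # assumed floor for authenticated (STS) sessions


def client_context(authentication_expected: bool) -> ssl.SSLContext:
    """Build a client context for one of the two modes in the RFC 7435 excerpt.

    authentication_expected=True  -> peer must authenticate, TLS 1.2 minimum.
    authentication_expected=False -> unauthenticated encryption with the
                                     library's default (more liberal) floor.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    if authentication_expected:
        # PROTOCOL_TLS_CLIENT already sets CERT_REQUIRED and check_hostname.
        ctx.load_default_certs()
        ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    else:
        # check_hostname must be cleared before verify_mode can be CERT_NONE.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def session_acceptable(negotiated, authentication_expected: bool) -> bool:
    """Decide whether to use a session given the negotiated protocol version.

    `negotiated` is a version string such as "TLSv1.2", or None when no TLS
    session was established (cleartext).
    """
    if not authentication_expected:
        # Opportunistic mode: weak encryption still beats cleartext fallback,
        # and cleartext itself is permitted when nothing better is available.
        return True
    if negotiated is None:
        return False  # authentication expected, so cleartext is a downgrade
    # Unknown version strings rank below the floor (fail closed).
    return _VERSION_RANK.get(negotiated, -1) >= _VERSION_RANK[STS_FLOOR]


if __name__ == "__main__":
    # Constructed sample outcomes, not captured from real servers.
    for version in (None, "TLSv1", "TLSv1.2", "TLSv1.3"):
        print(version, session_acceptable(version, False),
              session_acceptable(version, True))
```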
