strict TLS guidance wording #437

Closed
thomas-fossati opened this issue Jul 13, 2022 · 2 comments · Fixed by #461

@thomas-fossati (Collaborator) commented Jul 13, 2022

Section 3.2:
  When TLS-only
  communication is available for a certain protocol, it MUST be used
  by implementations and MUST be configured by administrators.

This guidance seems a little vague but prescriptive.  Is the guidance that if
there is a TLS-version or TLS support for a given protocol, that
implementations of that protocol “MUST” support it?  My confusion is around the
wording that “it must be used by implementations.”

cc @rdanyliw

@stpeter (Collaborator) commented Jul 14, 2022

Via email I replied:

The idea is that if the protocol has a way to ensure that TLS is used (e.g., port 443 in HTTP), then it is safer to use that method than to perform dynamic upgrade. This isn't about using TLS or not using TLS, but about which method is used (if a protocol supports a TLS-only mode/port and a dynamic upgrade mode/port). We thought this would have been clear from the context of the paragraph.

Perhaps this would be clearer?

OLD

  When TLS-only
  communication is available for a certain protocol, it MUST be used
  by implementations and MUST be configured by administrators.

NEW

  When a TLS-only
  communication method is available for a certain protocol, it MUST
  be used by implementations and MUST be configured by
  administrators, in preference to a dynamic upgrade method.

@stpeter (Collaborator) commented Jul 18, 2022

As I suggested via email, perhaps it would be clearer to say that implementations must provide the ability for administrators to set a strict local policy. I will provide a PR.
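
The distinction drawn in this thread (a TLS-only method such as a dedicated port versus a dynamic upgrade method such as STARTTLS) and the strict local policy proposed above can be made concrete in client code. The following is an added example for this page, not text from the draft and not code belonging to the working group. It assumes SMTP submission as the illustrating protocol, with port 465 taken as the TLS-only (implicit TLS) method and port 587 as the STARTTLS upgrade method; the names `Endpoint`, `choose_method`, `ensure_starttls_offered` and `DowngradeRefused` are the example's own.

```python
"""Strict TLS policy for a client that can reach a service either on a
TLS-only port or by dynamic upgrade (STARTTLS).

Added illustration, not code from the draft or the working group. SMTP
submission is assumed as the example protocol: port 465 is taken as the
TLS-only (implicit TLS) method and port 587 as the STARTTLS upgrade method.
"""
import smtplib
import ssl
from dataclasses import dataclass
from typing import Dict, Optional


class DowngradeRefused(smtplib.SMTPException):
    """Raised when the strict policy would otherwise leave the session in plaintext."""


@dataclass(frozen=True)
class Endpoint:
    host: str
    tls_only_port: Optional[int]  # e.g. 465: TLS from the first byte
    upgrade_port: Optional[int]   # e.g. 587: cleartext EHLO, then STARTTLS


def choose_method(ep: Endpoint) -> str:
    """Pick the connection method the guidance asks for: the TLS-only method
    whenever one exists, dynamic upgrade otherwise, never plaintext."""
    if ep.tls_only_port is not None:
        return "implicit-tls"
    if ep.upgrade_port is not None:
        return "starttls"
    raise DowngradeRefused("endpoint offers no TLS-capable method; refusing plaintext")


def make_context() -> ssl.SSLContext:
    """Verifying context: chain and hostname checks on, TLS 1.2 as the floor."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def ensure_starttls_offered(esmtp_features: Dict[str, str],
                            allow_plaintext_fallback: bool = False) -> bool:
    """Decide what to do with the server's EHLO response on the upgrade port.

    Returns True when STARTTLS was advertised. Under the strict default a
    missing STARTTLS raises instead of continuing in cleartext. The weak,
    opportunistic setting (allow_plaintext_fallback=True) returns False and
    lets the caller carry on unprotected, which is what an active attacker
    who strips the STARTTLS capability from the EHLO reply relies on.
    """
    if "starttls" in esmtp_features:  # smtplib keys esmtp_features in lowercase
        return True
    if allow_plaintext_fallback:
        return False
    raise DowngradeRefused("server did not advertise STARTTLS; strict policy forbids plaintext")


def connect(ep: Endpoint, ctx: Optional[ssl.SSLContext] = None,
            allow_plaintext_fallback: bool = False) -> smtplib.SMTP:
    """Open a session under the policy above (network call; not exercised offline)."""
    if ctx is None:
        ctx = make_context()
    if choose_method(ep) == "implicit-tls":
        return smtplib.SMTP_SSL(ep.host, ep.tls_only_port, context=ctx, timeout=10)
    conn = smtplib.SMTP(ep.host, ep.upgrade_port, timeout=10)
    try:
        conn.ehlo()
        if ensure_starttls_offered(conn.esmtp_features, allow_plaintext_fallback):
            conn.starttls(context=ctx)
            conn.ehlo()  # re-issue EHLO after the upgrade, as RFC 3207 asks
    except Exception:
        conn.close()
        raise
    return conn
```

The only knob an administrator needs is `allow_plaintext_fallback`, and it defaults to the strict setting; leaving it at the default is what "configured by administrators" amounts to for this client, and flipping it is the opportunistic behaviour the wording in Section 3.2 is trying to steer away from.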
