[NNTP] Fwd: New Version Notification for draft-elie-nntp-tls-recommendations-03.txt
Julien ÉLIE
julien at trigofacile.com
Tue Dec 27 13:03:27 PST 2016
Hi all,
Last Call has ended for the draft updating RFC 4642 (use of TLS in
NNTP). The current text is here:
https://www.ietf.org/internet-drafts/draft-elie-nntp-tls-recommendations-03.txt
As usual, if you have any remark, please tell.
The main change is the addition of RFC 6125 as document to follow. I've
received valuable private input from Peter Saint-Andre about the right
wording to use for the new text.
o NNTP implementations and deployments MUST follow the rules and
guidelines defined in [RFC6125] and [RFC5280] for hostname
validation and certificate verification. Part of Section 5 of
[RFC4642] is therefore rationalized in favour of following those
two documents.
The text between "During the TLS negotiation" and "identity
bindings)." in Section 5 of [RFC4642] is replaced with the following
text:
During TLS negotiation, the client MUST verify the server's
identity in order to prevent man-in-the-middle attacks. The
client MUST follow the rules and guidelines defined in [RFC6125],
where the reference identifier MUST be the server hostname that
the client used to open the connection (or the hostname specified
in the TLS "server_name" extension [RFC6066]). The following
NNTP-specific consideration applies: DNS domain names in server
certificates MAY contain the wildcard character "*" as the
complete left-most label within the identifier.
If the match fails, the client MUST follow the recommendations in
Section 6.6 of [RFC6125] regarding certificate pinning and
fallback.
Beyond server identity checking, clients also MUST apply the
procedures specified in [RFC5280] for general certificate
validation (e.g., certificate integrity, signing, and path
validation).
Changes since -02
o Use (and define) the "implicit TLS" terminology instead of "strict
TLS". The language in [RFC7525] is unfortunate since "strict TLS"
is not clearly defined in that document, and the name suggests
that it is an alternative to "opportunistic TLS", rather than an
alternative to STARTTLS. While STARTTLS is often used
opportunistically, that is not always the case.
o Mention SSL Stripping in Section 3.6 with a reference to
Section 2.1 of [RFC7457] because the intent of the related task
may not have been clear enough. Reported by Matija Nalis.
o Add Section 3.4 about how to prevent SSL stripping, notably by an
attempt to negotiate TLS even if STARTTLS is not advertised, when
implicit TLS is not used.
o Strengthen the requirements on hostname validation and certificate
verification, by referencing [RFC6125] and [RFC5280].
o Ask IANA to add this document to the NNTP capabilily labels
registry.
o Reference the security considerations of [RFC6125].
o Mention informative and normative references to add to [RFC4642].
--
Julien ÉLIE
« I had some words with my wife, and she had some paragraphs with
me. » (Sigmund Freud)
Le 26/12/2016 à 15:41, internet-drafts at ietf.org a écrit :
>
> A new version of I-D, draft-elie-nntp-tls-recommendations-03.txt
> has been successfully submitted by Julien Élie and posted to the
> IETF repository.
>
> Name: draft-elie-nntp-tls-recommendations
> Revision: 03
> Title: Use of Transport Layer Security (TLS) in the Network News Transfer Protocol (NNTP)
> Document date: 2016-12-26
> Group: Individual Submission
> Pages: 15
> URL: https://www.ietf.org/internet-drafts/draft-elie-nntp-tls-recommendations-03.txt
> Status: https://datatracker.ietf.org/doc/draft-elie-nntp-tls-recommendations/
> Htmlized: https://tools.ietf.org/html/draft-elie-nntp-tls-recommendations-03
> Diff: https://www.ietf.org/rfcdiff?url2=draft-elie-nntp-tls-recommendations-03
>
> Abstract:
> This document provides recommendations for improving the security of
> the Network News Transfer Protocol (NNTP) when using Transport Layer
> Security (TLS). It modernizes the NNTP usage of TLS to be consistent
> with TLS best current practices. If approved, this document updates
> RFC 4642.
>
>
>
>
> Please note that it may take a couple of minutes from the time of submission
> until the htmlized version and diff are available at tools.ietf.org.
>
> The IETF Secretariat
>
More information about the ietf-nntp
mailing list