Comments (3)
emanjon
commented on August 17, 2024
Yes, we should probably refer to RFC7525bis, but maybe only to specific parts. We intentionally did not refer to RFC7525 as it was not describing "best practice" even when it was published. 3GPP did e.g., discuss RFC7525 but decided to not refer to it as many parts would decrease the security of 3GPP TLS usage rather than strengthening it. E.g allowing thing already forbidden by 3GPP since many years:
When using RSA, servers SHOULD authenticate using certificates with
at least a 2048-bit modulus for the public key. In addition, the use
of the SHA-256 hash algorithm is RECOMMENDED
Curves of less than 192 bits SHOULD NOT be used.
Regarding DTLS versions, it might make sense to just forbid DTLS 1.2 now that DTLS 1.3 is published and supported by several libraries. That would make the part about DTLS 1.2 configuration disappear.
from draft-westerlund-tsvwg-dtls-over-sctp-bis.
emanjon
commented on August 17, 2024
I think it is good to reference RFC 7525bis but beofre doing any changes we should decide if we want to mandate support of RFC 9147. Mandating support of DTLS 1.3 would be equal to mandating use of DTLS 1.3 or higher meaning that everything DTLS 1.2 could be removed.
from draft-westerlund-tsvwg-dtls-over-sctp-bis.
gloinul
commented on August 17, 2024
PR will wait until we have decided on issue #176
from draft-westerlund-tsvwg-dtls-over-sctp-bis.
Related Issues (20)
- Define how the SCTP-AUTH keys are derived HOT 5
- Don't reuse the RFC 6803 exporter label HOT 1
- EC(DHE) -> (EC)DHE HOT 1
- Resumption performance HOT 3
- Cryptographic considerations is very long HOT 1
- How do you limit new connections HOT 1
- Mandatory mutual authentication HOT 3
- Authenticating fallback to RFC 6083 HOT 6
- DTLS 1.3 Only
- Editorial alignment in style of the IANA sub sections needed HOT 1
- DTLS considerations need to be clear that AEAD limits MUST be handled by new connection
- Address new vulnerabilities found in SCTP-AUTH HOT 10
- DTLS Considerations for Handling of Endpoint Pair Shared Secrets HOT 5
- Clarify that COOKIE-ECHO and COOKIE-ACK are not authenticated
- Align terminology with RFC 9260 HOT 10
- Create DTLS/SCTP Control Message IANA registry
- Update solution properties description
- Add text on how SCTP restart works
- Overstated Security Properties
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from draft-westerlund-tsvwg-dtls-over-sctp-bis.