Skip to content
This repository has been archived by the owner on Aug 24, 2023. It is now read-only.

Commit

Permalink
Updates for secdir telechat review of draft-ietf-dtn-tcpclv4-18
Browse files Browse the repository at this point in the history
  • Loading branch information
@BrianSipos
BrianSipos committed Mar 17, 2020
1 parent c1e465d commit 0472a21
Showing 1 changed file with 5 additions and 4 deletions.
9 changes: 5 additions & 4 deletions spec/draft-ietf-dtn-tcpclv4.xml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -2628,7 +2628,7 @@ The negotiated use of TLS is identical behavior to STARTTLS use in
<xref target="RFC2595" /> and <xref target="RFC4511" />.
</t>
</section>
<section title="Threat: Weak Ciphersuite Downgrade">
<section title="Threat: Weak TLS Configurations">
<t>
Even when using TLS to secure the TCPCL session, the actual ciphersuite
negotiated between the TLS peers can be insecure.
Expand All @@ -2637,7 +2637,7 @@ It is up to security policies within each TCPCL node to ensure that the
negotiated TLS ciphersuite meets transport security requirements.
</t>
</section>
<section title="Threat: Invalid Certificate Use">
<section title="Threat: Certificate Validation Vulnerabilities">
<t>
Even when TLS itself is operating properly an attacker can attempt to exploit
vulnerabilities within certificate check algorithms or configuration
Expand All @@ -2657,7 +2657,7 @@ The configuration and use of particular certificate validation methods are
outside of the scope of this document.
</t>
</section>
<section title="Threat: Symmetric Key Overuse">
<section title="Threat: Symmetric Key Limits">
<t>
Even with a secure block cipher and securely-established session keys,
there are limits to the amount of plaintext which can be safely
Expand Down Expand Up @@ -2770,7 +2770,8 @@ the issuance of certificates (including the contents of certificates),
it may be possible to make use of TLS in a way which authenticates only the
passive entity of a TCPCL session or which does not authenticate either entity.
Using TLS in a way which does not authenticate both peer entities of each
TCPCL session is outside of the scope of this document.
TCPCL session is outside of the scope of this document but does have similar
properties to the opportunistic security model of <xref target="RFC7435" />.
</t>
</section>
<section anchor="sec-security-tlsnopki" title="Non-Certificate TLS Use">
Expand Down

0 comments on commit 0472a21

Please sign in to comment.