From 0472a211fb574354ffcb509a7531f04916dcc864 Mon Sep 17 00:00:00 2001 From: Brian Sipos Date: Tue, 17 Mar 2020 16:04:23 -0400 Subject: [PATCH] Updates for secdir telechat review of draft-ietf-dtn-tcpclv4-18 --- spec/draft-ietf-dtn-tcpclv4.xml | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/spec/draft-ietf-dtn-tcpclv4.xml b/spec/draft-ietf-dtn-tcpclv4.xml index 0d7ff2c..9a2d9b8 100644 --- a/spec/draft-ietf-dtn-tcpclv4.xml +++ b/spec/draft-ietf-dtn-tcpclv4.xml @@ -2628,7 +2628,7 @@ The negotiated use of TLS is identical behavior to STARTTLS use in and . -
+
Even when using TLS to secure the TCPCL session, the actual ciphersuite negotiated between the TLS peers can be insecure. @@ -2637,7 +2637,7 @@ It is up to security policies within each TCPCL node to ensure that the negotiated TLS ciphersuite meets transport security requirements.
-
+
Even when TLS itself is operating properly an attacker can attempt to exploit vulnerabilities within certificate check algorithms or configuration @@ -2657,7 +2657,7 @@ The configuration and use of particular certificate validation methods are outside of the scope of this document.
-
+
Even with a secure block cipher and securely-established session keys, there are limits to the amount of plaintext which can be safely @@ -2770,7 +2770,8 @@ the issuance of certificates (including the contents of certificates), it may be possible to make use of TLS in a way which authenticates only the passive entity of a TCPCL session or which does not authenticate either entity. Using TLS in a way which does not authenticate both peer entities of each -TCPCL session is outside of the scope of this document. +TCPCL session is outside of the scope of this document but does have similar +properties to the opportunistic security model of .