RE: Port Numbers

*** Resending note of 05/02/97 09:23

There appear to be several questions raised by the request to IANA for
'TLS-enabled' application protocol ports.

1) Is simply adding a port which negotiates SSL upon connection
    sufficient to satisfy the protocol we are supposed to be protecting
    (I would argue that in the specific case of FTP, this is not true
     as it does not discuss the behaviour of the data port at all - at
     the very least we need to specify the default ftp data port 'ftpds',
     however this is only scratching the surface really)

2) Does adding another port allow heterogeneous client/server
    interoperation, if not then surely something else needs to be
    stated (probably as an RFC (possibly Informational))

3) The much more serious question, raised in several notes is that
    really TLS negotiation and the policies of Clients/Servers shouldn't
    be generalised (the implication of this mechanism of transparently
    adding TLS to the bottom of the application negates the ability
    of the application to set the TLS policies that are right for any
    given conversation.)  The correct approach must be to build TLS
    aware applications that can negotiate TLS as part of their
    initialisation and manage the public/private Keys, CA roots to
    be trusted, CRL gathering, Cipher Suite selection etc... in a
    manner that is appropriate for that conversation in that protocol.
    So, given that an application will need changing, why not do it
    properly and allow TLS negotiation in the application protocol.

  I think several issues need to be raised before the IANA implicitly
approves this approach by issuing all these port numbers.

 - Should we not raise this issue more widely than just on ietf-tls,
   the CAT W/G seem to have been set up for this very purpose - surely
   we shouldn't subvert their efforts.

 - Should we not interface to the other Application W/Gs (e.g. ftp-ext)
   who may have a charter to secure the different application protocols.


  In summary, my vote is .. propose the new ones that people are already
using, do not propose ftps until there is at least a commitment from
some IETF working group to define what it really means (the ftp one that
Eric, Tim Hudson and myself are writing is available for adoption !!),
do not add new ports 'just in case' as this may not be the long-term
preferred route.

Thanks,
Paul

Received on Thursday, 6 February 1997 05:42:29 UTC
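The third point above argues for negotiating TLS inside the application protocol rather than by wrapping a new port. The Go program below is an added example, not code from this note or from any IETF working group: it sketches a toy command/reply protocol in which the client sends STARTTLS in the clear, the server answers 220, and both sides then upgrade the very same connection to TLS, with each side's tls.Config standing in for the per-conversation policy (trust anchors, minimum version) that the note wants the application, not the port number, to control. This is the pattern SMTP and FTP later standardised as STARTTLS and AUTH TLS. The command names, reply codes and the host name ftp.example.test are assumptions made for the demo, and the certificate is a throwaway self-signed one generated in memory. The example also handles the failure mode this kind of upgrade is known for: any bytes that arrive in the clear behind the STARTTLS line (or behind the 220 reply) are refused rather than carried into the protected session, since processing them there would let an on-path attacker inject commands into the TLS-protected conversation.

```go
package main

import (
	"bufio"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"strings"
	"time"
)

// tlsConfigs mints a throwaway self-signed certificate in memory (demo only; ftp.example.test is a
// made-up name, and a real deployment loads its own key pair, trust anchors and CRLs) and returns
// the TLS policy each side applies to this conversation: the application chooses it, not a port.
func tlsConfigs() (server, client *tls.Config) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "ftp.example.test"}, DNSNames: []string{"ftp.example.test"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour), IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	leaf, _ := x509.ParseCertificate(der) // re-parse the DER we just produced
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	server = &tls.Config{Certificates: []tls.Certificate{{Certificate: [][]byte{der}, PrivateKey: key}},
		MinVersion: tls.VersionTLS12, SessionTicketsDisabled: true} // no post-handshake server messages: keeps the synchronous pipe below deadlock-free
	client = &tls.Config{RootCAs: pool, ServerName: "ftp.example.test", MinVersion: tls.VersionTLS12}
	return server, client
}

// readOne reads exactly one protocol line at the upgrade point and refuses to go on if more bytes
// were already buffered behind it: those arrived in the clear, and carrying them into the TLS
// session would let an on-path attacker inject commands into the protected conversation.
func readOne(r *bufio.Reader) (string, error) {
	line, err := r.ReadString('\n')
	if err == nil && r.Buffered() != 0 {
		err = fmt.Errorf("%d plaintext bytes buffered past the upgrade point", r.Buffered())
	}
	return strings.TrimRight(line, "\r\n"), err
}

// serve handles one connection: plaintext until the client asks for TLS inside the protocol.
func serve(conn net.Conn, cfg *tls.Config) error {
	defer conn.Close()
	cmd, err := readOne(bufio.NewReader(conn))
	if err != nil || cmd != "STARTTLS" {
		fmt.Fprint(conn, "554 negotiate TLS first and send nothing else in the clear\r\n")
		return fmt.Errorf("refused client: cmd=%q err=%v", cmd, err)
	}
	fmt.Fprint(conn, "220 go ahead\r\n") // a failed write here surfaces as a failed handshake
	tconn := tls.Server(conn, cfg)      // the same connection now carries TLS records
	if err := tconn.Handshake(); err != nil {
		return err
	}
	req, err := bufio.NewReader(tconn).ReadString('\n')
	if err == nil {
		_, err = fmt.Fprintf(tconn, "250 %s\r\n", strings.TrimRight(req, "\r\n"))
	}
	return err
}

// dial runs the client: preamble goes in the clear (normally just "STARTTLS\r\n"), command only inside TLS.
func dial(conn net.Conn, cfg *tls.Config, preamble, command string) (string, error) {
	defer conn.Close()
	fmt.Fprint(conn, preamble)
	reply, err := readOne(bufio.NewReader(conn))
	if err != nil || !strings.HasPrefix(reply, "220") {
		return "", fmt.Errorf("TLS upgrade refused: reply=%q err=%v", reply, err)
	}
	tconn := tls.Client(conn, cfg)
	if err := tconn.Handshake(); err != nil {
		return "", err
	}
	fmt.Fprint(tconn, command)
	ans, err := bufio.NewReader(tconn).ReadString('\n')
	return strings.TrimRight(ans, "\r\n"), err
}

// runExchange runs one conversation over an in-memory pipe and returns the client's view of it.
func runExchange(preamble, command string) (string, error) {
	serverCfg, clientCfg := tlsConfigs()
	sc, cc := net.Pipe()
	go serve(sc, serverCfg) // failures reach the client as a 554 reply or a broken handshake
	return dial(cc, clientCfg, preamble, command)
}

func main() { fmt.Println(runExchange("STARTTLS\r\n", "HELLO\r\n")) } // prints: 250 HELLO <nil>
```

Run with `go run`; a clean upgrade prints `250 HELLO <nil>`. Calling runExchange with `"STARTTLS\r\nHELLO\r\n"` as the preamble exercises the injection check and comes back with the 554 reply, and a preamble that never negotiates TLS is refused the same way. Two design points matter in practice: the Buffered check only works because the TLS layer is handed the raw connection and never the bufio.Reader that sits in front of it, and no legitimate client pipelines a command behind the upgrade request, so refusing is safe. Disabling session tickets keeps the handshake strictly request/response, which is what lets the example run over a synchronous net.Pipe instead of a socket.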