Using TLS in Applications

The information below is for an older proposed charter.
Document: Proposed charter Using TLS in Applications WG (uta) Snapshot
Title: Using TLS in Applications
Last updated: 2013-11-16
State: Start Chartering/Rechartering (Internal IESG/IAB Review) Rechartering
WG State: Active
IESG Responsible AD: Alexey Melnikov
Charter Edit AD: Barry Leiba
Send notices to: (None)


There is a renewed and urgent interest in the IETF in increasing the
security of transmissions over the Internet. Many application protocols have
defined methods for using TLS to authenticate the server (and sometimes the
client), and to encrypt the connection between the client and server. However,
there is a diversity of definitions and requirements, and that diversity has
caused confusion for application developers and has also led to a lack of
interoperability or a lack of deployment. Implementers and deployers are faced
with multiple security issues in real-world usage of TLS, which currently does
not preclude insecure ciphers and modes of operation.

This WG has the following tasks:

- Update the definitions for using TLS over a set of representative application

- Specify a set of best practices for TLS clients and servers, including but
not limited to recommended versions of TLS, using forward secrecy, and one or
more ciphersuites and extensions that are mandatory to implement.

- Consider, and possibly define, a standard way for an application client and
server to use unauthenticated encryption through TLS when server and/or client
authentication cannot be achieved.

- Create a document that helps application protocol developers use TLS in
future application definitions.

The initial set of representative application protocols is SMTP, POP, IMAP,
XMPP, and HTTP 1.1. It is expected that other protocols that use TLS might
later be updated using the guidelines from this WG, and that those updates will
happen through other WGs or through individual submissions.

The WG will make the fewest changes needed to achieve good interoperable
security for the applications using TLS. Internal changes to TLS will be made
only in concert with, and with agreement from, the TLS working group.

This WG will collaborate with other IETF WGs, in particular with the TLS and