[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
What to advertise when mandatory ciphers not implemented
Due to scheduling constraints, it is likely that some future release of
Netscape's messaging server will be capable of supporting the STARTTLS
mechanism in IMAP and SMTP, but will not be capable of supporting the
ciphers which the TLS specification makes mandatory.
I have two choices:
1) I can advertise the STARTTLS extension even though the extension does
not conform to the mandatory-to-implement cipher requirements.
2) I can advertise a private XSTARTSSL extension which behaves exactly
like STARTTLS, but does not have the mandatory cipher requirement.
While it is ugly and nonconforming, I believe (1) will lead to better
interoperability. To a client, it is indistinguishable from a
conforming server which has had those ciphers disabled by the admin.
(The trick is to keep marketing from claiming TLS conformance.) I'll do
(2) if the community thinks it is the better choice. What do other