What to advertise when mandatory ciphers not implemented

Due to scheduling constraints, it is likely that some future release of
Netscape's messaging server will be capable of supporting the STARTTLS
mechanism in IMAP and SMTP, but will not be capable of supporting the
ciphers which the TLS specification makes mandatory.

I have two choices:

1) I can advertise the STARTTLS extension even though the extension does
not conform to the mandatory-to-implement cipher requirements.

2) I can advertise a private XSTARTSSL extension which behaves exactly
like STARTTLS, but does not have the mandatory cipher requirement.

While it is ugly and nonconforming, I believe (1) will lead to better
interoperability. To a client, it is indistinguishable from a
conforming server which has had those ciphers disabled by the admin.
(The trick is to keep marketing from claiming TLS conformance.) I'll do
(2) if the community thinks it is the better choice. What do other
people think?