
Re: Comments on Mandatory Ciphers and a Proposal



Keith Moore wrote:
> 
> > >         Mandatory to implement means that a protocol implementor MUST
> > > implement the mandatory portion of the specification. It does *NOT*
> > > require that end-users use that portion. In other words we are *not*
> > > demanding that all users of TLS use 3DES (or DES), we are just saying
> > > that implementers MUST give them the option to in compliant products.
> >
> > Which is exactly the problem.  If it's mandatory to implement, it gives
> > protocol designers no flexibility as to the encryption choices that are
> > right for their applications.
> 
> I don't think so.  The "MUST implement" ciphersuites are defaults, to
> be used with most protocols.  That doesn't mean that they're deemed
> adequate for all purposes, and a particular application that uses TLS
> might want to specify some other mandatory set of ciphersuites *for
> use with that application*.

That's not how I interpret what Jeff said.  His statement above seems
to indicate that any implementation that does not support MUST ciphers
IS NOT TLS.  Period.

> There will surely be uses of TLS for which 3DES isn't considered to be of
> sufficient strength, and there may even be uses of TLS for which DES40 is
> considered adequate.  So there's no problem with a particular application
> protocol using TLS as a component, and specifying its own mandatory
> ciphersuites, and we should expect this from time to time.
> 
> And yet, TLS should in most cases be a layer that can be reused and
> shared by different applications on the same platform.  So it does
> make sense to specify a mandatory ciphersuite set for TLS, and not
> only on a per-application basis.

So, what you're saying is that we say it's "MUST implement", but hey, if
you don't feel like it, you're free not to.  Can I define my application as
"Tom's implementation of TLS" and say that for that "application" that
nothing is mandatory?  What exactly does "MUST implement" mean if it
doesn't mean that you must implement it?

This is why I think SHOULD is the right way to go.  Anything else is too
restrictive to be reasonable, and dilutes the integrity of the IETF
standardization process.

-- 
What is appropriate for the master is not appropriate| Tom Weinstein
for the novice.  You must understand Tao before      | tomw@xxxxxxxxxxxx
transcending structure.  -- The Tao of Programming   |