[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Comments on Mandatory Ciphers and a Proposal

To: ietf-tls@xxxxxxxxxxxxx
Subject: Re: Comments on Mandatory Ciphers and a Proposal
From: Luis Valente <luis@xxxxxxxxx>
Date: Thu, 24 Jul 1997 09:56:14 -0700
Reply-to: <ietf-tls@xxxxxxxxxxxxx>

I apologize for not having participated earlier in this discussion, but I
would like to add my voice to the position expressed by Lewis McCarthy.

I have implemented SSL3 in a small footprint device (a set-top box).
Because of the limited code space available we can't afford to support a
large set of authentication and encryption schemes. For commercial and
pragmatic reasons we only support one authentication scheme (RSA) and one
data encryption scheme (RC4). This will likely carry into our TLS
implementation whenever we do that. Should TLS mandate support for
ciphersuites based on DSS, DES, etc. we would be left out in the cold with
a non-conformant TLS implementation.

Remember that, more often than not, small is beautiful... :)

/Luis
----------------------------------------------------------------------

Date: 23 Jul 1997 20:39:07 -0800
From: Lewis McCarthy <lmccarth@xxxxxxxxxxxx>
Subject: Re: Comments on Mandatory Ciphers and a Proposal

someone (attribution previously lost) wrote:
>>> Which is exactly the problem.  If it's mandatory to implement, it 
>>> gives protocol designers no flexibility as to the encryption choices 
>>> that are right for their applications.

Keith Moore writes:
> I don't think so.  The "MUST implement" ciphersuites are defaults, to
> be used with most protocols.  That doesn't meen that they're deemed
> adequate for all purposes, and a particular application that uses TLS
> might want to specify some other mandantory set of ciphersuites *for
> use with that application*.

Specifying any mandatory-to-implement ciphersuite does not allow the
designers of a higher-level protocol with stringent code space
requirements to implement _only_ one or two ciphersuites whose
implementation happens not to be mandated. As far as I understand the
previous official response from the IESG and the more recent informal
word from Jeff S., TLS-compliant applications could not specify a 
different set of mandatory-to-implement ciphersuites unless they
were to include all the base TLS mandatory-to-implement ciphersuites.

- -Lewis

Prev by Date: Re: Comments on Mandatory Ciphers and a Proposal
Next by Date: Re: Comments on Mandatory Ciphers and a Proposal
Previous by thread: Re: Comments on Mandatory Ciphers and a Proposal
Next by thread: Re: Comments on Mandatory Ciphers and a Proposal
Index(es):
- Date
- Thread