Re: Comments on Mandatory Ciphers and a Proposal



Ned Freed writes:
> You write a document profiling the use of the
> application protocol of your choice over TLS in some specific sort of
> environment (tight code space requirements, limited processor power,
> specialized hardware support for specific ciphers, requirements 
> imposed from outside the IETF that force certain cipher choices, etc. 
> etc. etc.)  and put it on the standards track. This document could 
> even go so far as to change all the ciphersuite MUSTs to MUST NOTs 
> and add a set of entirely new MUSTs if in fact
> that was the appropriate thing to do. 

Would someone who created an application following this hypothetical
RFC be "allowed" to describe their application as "TLS-compliant"?
I withdraw my objection if the answer is "yes", but I would find this
rather surprising.

[...much elided...]

I wrote:
>>> As far as I understand the
>>> previous official response from the IESG and the more recent 
>>> informal word from Jeff S., TLS-compliant applications could not 
>>> specify a different set of mandatory-to-implement ciphersuites 
>>> unless they were to include all the base TLS mandatory-to-implement 
>>> ciphersuites.

Ned Freed:
> Well, Keith Moore is an application area co-director and hence on the 
> IESG, and he just said the exact opposite of this. 

Unfortunately I did not know that Keith Moore is an AD, and IIRC he did 
not indicate in his message that he was speaking as such. (I intend no
disrespect to anyone.) Thanks for letting me know.

-Lewis