
RE: Comments on Mandatory Ciphers and a Proposal



On Thursday, July 24, 1997 7:37 AM, David P. Kemp [SMTP:dpkemp@xxxxxxxxxxxxxx] wrote:
> > From: Ned Freed <Ned.Freed@xxxxxxxxxxxx>
> > 

	[snip]

> Assuming that reaching agreement between the IESG and the WG on option 2
> will be a protracted process, perhaps leading to stalemate, what do folks
> think about option 1? Although I strongly disagree with having MUST
> requirements at all, for the reasons previously discussed, I could live
> with them if they were explicitly separated from the TLS Technical Standard.
> 


I realize this won't be a popular perspective but...

I am concerned about SHOULDs over MUSTs from an ethics perspective, rather 
than a technical one. We the technologists know where these TLS enhanced 
products are going: into the hands of clueless consumers. Therefore, I believe 
TLS is fundamentally different than much of the other IETF work. Without a set 
of MUSTs I question what "TLS compliant" means. Does it mean authentication 
maybe with or maybe without data integrity and confidentiality? If it does, I 
wonder (albeit sarcastically) what TLS really offers over other secure protocols, 
such as EKE or OTP.

What you propose leaves it to Netscape, Microsoft, and their ilk to determine 
what data integrity and confidentiality options will become standard for http, 
news, pop, and others. Netscape and Microsoft, though dominant SSL market
forces, don't play well in the same sandbox and everyone else loses. (Look
at the recent HTTP standard battle as one example.) I believe the consumer
is looking to us standards technologists believing our results will provide 
interoperability. I do not believe SHOULDs or applicability statements forged 
from vendors who don't play well together will do that (feels like another 
IPsec WG--let's pass).


-dpg