
Re: Comments on Mandatory Ciphers and a Proposal



> > You write a document profiling the use of the
> > application protocol of your choice over TLS in some specific sort of
> > environment (tight code space requirements, limited processor power,
> > specialized hardware support for specific ciphers, requirements
> > imposed from outside the IETF that force certain cipher choices, etc.
> > etc. etc.)  and put it on the standards track. This document could
> > even go so far as to change all the ciphersuite MUSTs to MUST NOTs
> > and add a set of entirely new MUSTs if in fact
> > that was the appropriate thing to do.

> Would someone who created an application following this hypothetical
> RFC be "allowed" to describe their application as "TLS-compliant"?

Absolutely. This follows directly from the fact that TLS only specifies a set
of mandatory ciphersuites for applications which themselves have no mandatory
sets of their own. Note, however, that it would be clearer (and much grander
sounding ;-) to say "our product fully conforms to the IETF standard TLS
profile for XXX applications". And be sure to throw in the RFC # -- I've seen
products compared on the basis of the number of RFCs they claim to support,
with no reference at all to the actual content of those RFCs!

The point is that nobody is going to get upset with you for having a bullet
item in your product brochure that fails to make clear the fairly obvious fact
that different TLS ciphersuites are needed by different applications. (In fact
I've done this sort of thing deliberately in product literature in the past
along with training of pre-sales people to try and suck prospective customers
into a technical discussion. Selling is much easier when the customer is awed
by your competence and knowledge ;-)

> I withdraw my objection if the answer is "yes", but I would find this
> rather surprising.

Actually, what is surprising here is that you think you can say "TLS compliant"
in the absence of a mandatory set of ciphersuites and have any meaning attach
to your statement. Saying that you are conformant to something that effectively
doesn't have conformance requirements which guarantee interoperability is
vacuous as far as a customer is concerned. And when your competition points
this out, and worse, proves it is true by citing another "equally compliant"
product that elected to implement a different set of ciphersuites than you did,
how are you going to rebut them effectively? Heck, all they have to do is point
out such a thing could in fact exist and they will have you on the defensive.

Now, you may argue that "TLS compliant" might prove to be effective marketing
hype even if it is vacuous in some sense. And I would probably agree. But
of course marketing hype isn't supposed to be what we're producing here.

				Ned