[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Comments on Mandatory Ciphers and a Proposal

To: Transport Layer Security List <ietf-tls@xxxxxxxxxxxxx>
Subject: Re: Comments on Mandatory Ciphers and a Proposal
From: Lewis McCarthy <lmccarth@xxxxxxxxxxxx>
Date: Thu, 24 Jul 1997 18:05:42 -0400
Reply-to: <ietf-tls@xxxxxxxxxxxxx>

I wrote:
>>> Would someone who created an application following this hypothetical
>>> RFC be "allowed" to describe their application as "TLS-compliant"?

Ned Freed writes:
> Absolutely. This follows directly from the fact that TLS only 
> specifies a set of mandatory ciphersuites for applications which 
> themselves have no mandatory sets of their own. 

OK, great! Up until some recent messages from you & Keith Moore, it
was far from clear to me that that would be the case.

> Note, however, that it would be clearer (and much grander
> sounding ;-) to to say "our product fully conforms to the IETF 
> standard TLS profile for XXX applications". 

I completely agree with this. Most of the preceding discussion on the
list in favor of mandatory-to-implement ciphersuites appeared to rule
out the possibility of this kind of statement.

[...]
> Actually, what is surprising here is that you think you can say "TLS 
> compliant" in the absence of a mandatory set of ciphersuites and have 
> any meaning attach to your statement. 

Wow, that's remarkably dismissive of several dozen pages of protocol
specification! Speaking as someone interested in designing and
analyzing security protocols, I find it very meaningful to say "we've
implemented the TLS protocol" rather than claiming to have implemented
any one of dozens of alternative protocols with security flaws. 

[...]
> Now, you may argue that "TLS compliant" might prove to be effective 
> marketing hype even if it is vacuous in some sense. And I would 
> probably agree. But of course marketing hype isn't supposed to be what 
> we're producing here.

Just to be clear, I'm not currently employed by any organization that
sells or markets anything. Frankly I don't care whether it makes for
a good marketing spiel or not. I consider "TLS compliant" to be a
technically significant claim. To be sure, it would be more significant
also to mention the key exchange algorithms, ciphers, hashes, etc.
that were available for use with TLS in a specific implementation.
Both parts of the claim are important.

At any rate, I think we are in violent agreement on the practical
issues at hand, given that recommended-to-implement TLS ciphersuites 
seem to be a lost cause.

Regards,
-Lewis

Prev by Date: Re: Attack against handshake protocol
Next by Date: Re: Comments on Mandatory Ciphers and a Proposal
Previous by thread: Re: Comments on Mandatory Ciphers and a Proposal
Next by thread: Re: Comments on Mandatory Ciphers and a Proposal
Index(es):
- Date
- Thread