Re: Comments on Mandatory Ciphers and a Proposal

[Keith Moore <moore@xxxxxxxxxx>]

> At 5:51 PM -0700 7/24/97, Keith Moore wrote:
> >> Applications have to be able to
> >> say that they are "conformant" to the TLS protocol even when they provide
> >> the result "we can't agree on a mutual security requirement". (Which, BTW,
> >> I think means they are sufficiently interoperable.)
> >
> >If a customer buys a POP+TLS client from one vendor and a POP+TLS
> >server from another vendor, and they won't talk to each other because
> >they don't each support a TLS ciphersuites of sufficient
> >strength... somehow I doubt he would agree that they are sufficiently
> >interoperable.
> 
> However, your example in this arguement is bad -- I believe that POP+TLS
> should be define a ciphersuite requirement. I am only saying that TLS, bare
> of any protocol (i.e. not very useful by itself) should not define any
> ciphersuite requirements other than SHOULD recommendations that the
> POP+TLS/SMTP+TLS/HTTP+TLS may decide to make MUSTs.

The problem is that it's so easy to combine TLS with any protocol that
uses a single TCP stream, that people will do it in the absence of any
external specification.  We've seen this several times already with
SSL.  Of course, this is a "feature", and in most respects it's a nice
one.

But vendors don't want to wait on a specification, they want to ship
product ASAP...ideally, before their competitors do.  So they'll ship
FOO with TLS before there's a specification for doing so.  And their
marketers will claim compliance with TLS.  And the customers will buy
FOO clients and servers that claim compliance with TLS and find that
they don't interoperate at all, or the implementations won't
interoperate with adequate levels of security.

So we need to define what "compliance with TLS" means, including
mandantory ciphersuites that are adequate for most purposes.

Keith