
Re: [TLS] comment on null encryption ciphersuite; https RFC amendment ...to compensate



Peter,

This isn't an IAB issue. I suggest you raise it with the IESG:

iesg@xxxxxxxx

-Ekr

Peter Williams <home_pw@xxxxxxx> writes:
> I'm EXTREMELY worried socially about an IAB-endorsement of the null
> encryption ciphersuite for TLS. Whilst I recognize its value, on the
> stated merits, I think we need a political balance addressing issues
> beyond IETF's scope. Too many consumers are potentially going to be
> duped by the millions of well-meant but potentially incorrect
> e-commerce website representations which today affirm that "SSL
> protects your credit-card data (via encryption etc)". With the use
> of endorsed null encryption ciphersuites in TLS/SSL, that is
> obviously not true (in any way grandma would understand). The
> average consumer is trained to assume "SSL" (or TLS) protects you
> from obvious criminal activities, concerning pilfering credit card
> numbers.  IAB activities that destroy the brand name of SSL are
> something which is not worth the value of endorsing the
> null-encryption ciphersuite, in my own view.
>
> Perhaps the right balance for IAB/IESG is to require that the
> https RFC be simultaneously modified so that it makes it
> NON-CONFORMING for SSL/TLS in the https context to ever use the null
> encryption ciphersuites. Other URL protocols can be registered with
> IANA that don't confuse consumers
> (e.g. httpnos://1.1.1.1.6.5.4.2.0.2.enum.att.com/), which can even
> behave exactly as https v.10 otherwise does, but allowing for a
> conforming use of the null-encryption cipher suite.
>  
> Peter
>  
>
>
> From: home_pw@xxxxxxxxx
> To: tls@xxxxxxxxxxxxxxx
> Subject: RE: [TLS] IETF67 TLS Summary
> Date: Sat, 18 Nov 2006 09:53:44 -0800

_______________________________________________
TLS mailing list
TLS@xxxxxxxxxxxxxx
https://www1.ietf.org/mailman/listinfo/tls