[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [TLS] comment on null encryption ciphersuite; https RFC amendment ...to compensate

To: Peter Williams <home_pw@xxxxxxx>
Subject: Re: [TLS] comment on null encryption ciphersuite; https RFC amendment ...to compensate
From: EKR <ekr@xxxxxxxxxxxxxxxxxxxx>
Date: Sun, 19 Nov 2006 14:06:29 -0800
Cc: tls@xxxxxxxx
In-reply-to: <BAY103-W425006445E9C98E58DDC792EE0@xxxxxxx> (Peter Williams's message of "Sun, 19 Nov 2006 13:45:53 -0800")
List-archive: <http://www1.ietf.org/pipermail/tls>
List-help: <mailto:tls-request@lists.ietf.org?subject=help>
List-id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.lists.ietf.org>
List-post: <mailto:tls@lists.ietf.org>
List-subscribe: <https://www1.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@lists.ietf.org?subject=subscribe>
List-unsubscribe: <https://www1.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@lists.ietf.org?subject=unsubscribe>
References: <BAY103-W425006445E9C98E58DDC792EE0@xxxxxxx>
Reply-to: EKR <ekr@xxxxxxxxxxxxxxxxxxxx>
User-agent: Gnus/5.1007 (Gnus v5.10.7) XEmacs/21.4.19 (berkeley-unix)

Peter:

1. TLS has always included NULL cipher suites. They are in RFC 2246.
2. The IESG has already approved this document. It's in the 
   RFC Editor queue.
3. I think the current security considerations text is clear and 
   yours doesn't seem to to substantially improve matters.

-Ekr


Peter Williams <home_pw@xxxxxxx> writes:

> FINANCIAL DATA PROTECTION caveat , in INTEL null confidentiality scheme
> Im going to assume that Intel is only sponsoring this for "quality" PSK environments.. perhaps by supporting integration with TPM cores in Intel CPUs, which support external key fill, and thus support PSK by providing hardware-based external key management for TLS-PSK-based confidentiality services.
>  
> Perhaps, we can cut a deal. Change the text in the draft, security sections. 
>  
> There is a example disclaimer...which says something like "be advised: dont use this technique for sensitive information exchange. E.g. passwords". 
>  
> Change the example list to include specific financial account types: i) creditcard numbers, ii) bankaccount numbers, or iii) other Personal Identifying Financial Information
> As it stands, the goals of Intel as stated in the email (presumably addressing a few repressive regimes that want confidentiality - for any purpose - to be lowered to less than 40bit encryption (despite 40 bit encryption being shown even 10 years ago to be compromised in 3h, using a bit of brute-forcing commodity equipment!) ) is not compatible with the security section - which indicates that the technique is not appropriate for "sensitive information exchange". That incongruity aside, we can address my objection by listing - as inappropirate - those financial data -related account data types that I enumerate. 
>  
> Deal? 

_______________________________________________
TLS mailing list
TLS@xxxxxxxxxxxxxx
https://www1.ietf.org/mailman/listinfo/tls

References:
- RE: [TLS] comment on null encryption ciphersuite; https RFC amendment ...to compensate
  - From: Peter Williams

Prev by Date: RE: [TLS] comment on null encryption ciphersuite; https RFC amendment ...to compensate
Next by Date: milk route milligram-hour
Previous by thread: RE: [TLS] comment on null encryption ciphersuite; https RFC amendment ...to compensate
Next by thread: milk route milligram-hour
Index(es):
- Date
- Thread