[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [TLS] Comments on TLS identity protection

To: Peter Williams <home_pw@xxxxxxx>
Subject: Re: [TLS] Comments on TLS identity protection
From: Eric Rescorla <ekr@xxxxxxxxxxxxxxxxxxxx>
Date: Tue, 19 Dec 2006 16:46:21 -0800
Cc: tls@xxxxxxxx
In-reply-to: <BAY103-W5869507984F7F64B2DE4292CF0@xxxxxxx> (Peter Williams's message of "Tue, 19 Dec 2006 16:34:12 -0800")
List-archive: <http://www1.ietf.org/pipermail/tls>
List-help: <mailto:tls-request@lists.ietf.org?subject=help>
List-id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.lists.ietf.org>
List-post: <mailto:tls@lists.ietf.org>
List-subscribe: <https://www1.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@lists.ietf.org?subject=subscribe>
List-unsubscribe: <https://www1.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@lists.ietf.org?subject=unsubscribe>
References: <BAY103-W5869507984F7F64B2DE4292CF0@xxxxxxx>
Reply-to: EKR <ekr@xxxxxxxxxxxxxxxxxxxx>
User-agent: Gnus/5.1007 (Gnus v5.10.7) XEmacs/21.4.19 (berkeley-unix)

Peter Williams <home_pw@xxxxxxx> writes:
> Id say the nth handshake can select to send "no server cert" whenever its 
> cooperating to complete an anonymous-ciphersuite-targeted handshake.
> So, assume there are only two ciphers suite values in the HSM : RSA, RSA-ANON. 

There is no such thing as RSA anon in SSLv3 or TLS. 

> Now, I'm delighted to be corrected on this, in theory or  actual practice in 
> commodity internet products. TLS's 1.0 "minor" changes to  SSLv3 are still 
> new to me. I never bothered to read the TLS 1.0 
> document carefully enough before, thus failing to recognize the notions 
> of anon-ciphersuites, export-controlled key agreement , and its new fatal 
> exception modes.

Huh? Nearly all of this stuff was in SSLv3--I don't know what "new
fatal exception modes" are but fatal exceptions were totall in
SLv3.

> Im going to read TLS 1.1 much more carefully tomorrow. Ill try
> to backtrack any new control policy developments through TLS1.0
> and back to SSL3. Im half hoping IETF already dumped RSA_EXPORT
> as arcane, or at least increased the key length after 6 years!

TLS 1.1 forbids negotiating the RSA_EXPORT cipher suites. See
A.5 of RFC 4346:

   When SSLv3 and TLS 1.0 were designed, the United States restricted
   the export of cryptographic software containing certain strong
   encryption algorithms.  A series of cipher suites were designed to
   operate at reduced key lengths in order to comply with those
   regulations.  Due to advances in computer performance, these
   algorithms are now unacceptably weak, and export restrictions have
   since been loosened.  TLS 1.1 implementations MUST NOT negotiate
   these cipher suites in TLS 1.1 mode.  However, for backward
   compatibility they may be offered in the ClientHello for use with TLS

   <page break>

   1.0 or SSLv3-only servers.  TLS 1.1 clients MUST check that the
   server did not choose one of these cipher suites during the
   handshake.  These ciphersuites are listed below for informational
   purposes and to reserve the numbers.

-Ekr

_______________________________________________
TLS mailing list
TLS@xxxxxxxxxxxxxx
https://www1.ietf.org/mailman/listinfo/tls

References:
- RE: [TLS] Comments on TLS identity protection
  - From: Peter Williams

Prev by Date: RE: [TLS] Comments on TLS identity protection
Next by Date: [TLS] duplication session with GSSAPI PRF
Previous by thread: RE: [TLS] Comments on TLS identity protection
Next by thread: [TLS] Please discuss: draft-housley-evidence-extns-00
Index(es):
- Date
- Thread