Re: [TLS] Security today
Mike wrote:
> P.S. and there's nothing you or I can do about it as a
> user -- we can't influence the key sizes or cipher suites
> offered by a server -- it's either take it or leave it.
(In a struggle to bring the thread back to tls-relevance...)
In theory you're supposed to look at the cert and its CPS
(which is referenced in a field in the cert in the payload
in the TLS protocol...) and the ciphersuite selection and
refuse to connect.
In other words, the protocol supports you deciding to
not interact with the server.
If your wireless service vendor uses 40 bit rc-4 and
an expired 1024 bit cert then one could reasonably
ask why you trust them ;-)
Since many of these TLS connections are being used
by trading partner users you CAN do something about it -
you can act like a trading partner and refrain from
doing business with people who run sloppy servers.
_______________________________________________
TLS mailing list
TLS@xxxxxxxx
https://www.ietf.org/mailman/listinfo/tls
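
An added example, not part of the original message: a client-side policy check that inspects the negotiated ciphersuite and the server certificate and refuses to continue, as the reply describes. The thresholds, the function names and the caller-supplied `key_bits_of` helper are assumptions made for illustration; the CPS review the reply mentions is a manual step and is not modelled.

```python
import socket
import ssl
import time

MIN_SECRET_BITS = 128    # assumed policy value, not from the post
MIN_KEY_BITS = 2048      # assumed policy value, not from the post


def policy_violations(cipher, not_after, key_bits, now):
    """Return the reasons to refuse a session; an empty list means acceptable.

    cipher    -- (name, protocol, secret_bits) as returned by SSLSocket.cipher()
    not_after -- 'notAfter' string from SSLSocket.getpeercert()
    key_bits  -- size of the server's public key, supplied by the caller
    now       -- current time in seconds since the epoch
    """
    name, protocol, secret_bits = cipher
    reasons = []
    if secret_bits < MIN_SECRET_BITS:
        reasons.append(f"cipher {name} ({protocol}) gives only {secret_bits} secret bits")
    if key_bits < MIN_KEY_BITS:
        reasons.append(f"certificate key is {key_bits} bits, below {MIN_KEY_BITS}")
    if ssl.cert_time_to_seconds(not_after) < now:
        reasons.append(f"certificate expired at {not_after}")
    return reasons


def checked_connect(host, port, key_bits_of):
    """Connect, then drop the connection if the session breaks local policy.

    key_bits_of is a hypothetical callable that takes the DER-encoded
    certificate and returns its public key size; the standard library's
    parsed certificate dict does not expose that value.
    """
    ctx = ssl.create_default_context()  # chain and hostname checks stay enabled
    sock = ctx.wrap_socket(socket.create_connection((host, port)),
                           server_hostname=host)
    reasons = policy_violations(sock.cipher(),
                                sock.getpeercert()["notAfter"],
                                key_bits_of(sock.getpeercert(binary_form=True)),
                                time.time())
    if reasons:
        sock.close()  # "refuse to connect": no application data is ever sent
        raise ssl.SSLError("refusing server: " + "; ".join(reasons))
    return sock
```

With the default context an expired certificate already fails the handshake; the expiry test in `policy_violations` matters when the function is applied to session data collected some other way, such as a scan of partner servers.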