
Andreas, I believe we should include some normative statements about cipher suites. I would suggest we pick one or possibly two that are pretty universal and say they MUST be supported by the server side. Clients SHOULD use these, and both MAY use others, including ones not yet on the list. Thoughts?

On 4 Oct 2006, at 03:18, Andreas Savva wrote:
The Security Profile - Secure Channel (Sep 28 draft) has a set of statements, which elaborate on the compliance statements, along the lines of "Ciphersuites listed in Table 3 in TLS-Guideline [TLS Guidelines] meet criteria of R0XXX." We discussed these statements last Thursday and it was stated that such statements are not intended to be normative. I took an action to rewrite the text to make it clearer that these are not normative statements.
The problem I have after looking at the text again (incl. the compliance statements) and also looking at the WS-I BSP is that it does not help people wishing to implement the Secure Channel profile if these statements are not normative and if they do not describe concretely which suites should be used (or not). Statements such as 'do not use known insecure suites' or 'only use secure ones' are motherhood statements. In any case they are not really testable, which is one point of compliance statements.
Also, the WS-I BSP has some discussion and normative statements in sec. 3.2 about TLS/SSL ciphersuites, and since the Secure Channel states that it "extends the WS-I Basic Security Profile 1.0" I became unsure what the relation between the various compliance statements in the Secure Channel and the statements in the WS-I BSP is.
In short, sorry, can't do. I am not a security person... ;-)
Maybe we should discuss this issue again on the next call this Thursday. (Dave? Alan? Takuya? Frank!)
Andreas
-- ogsa-wg mailing list ogsa-wg@ogf.org http://www.ogf.org/mailman/listinfo/ogsa-wg
--
Take care:
Dr. David Snelling < David . Snelling . UK . Fujitsu . com >
Fujitsu Laboratories of Europe
Hayes Park Central
Hayes End Road
Hayes, Middlesex UB4 8FE
+44-208-606-4649 (Office)
+44-208-606-4539 (Fax)
+44-7768-807526 (Mobile)