
Dave, Andreas,

I think this is the right path we are heading down.

David Snelling wrote:
> Andreas,
>
> I believe we should include some normative statements about cipher suites. I would suggest we pick one or possibly two that are pretty universal and say they MUST be supported by the server side. Clients SHOULD use these, and both MAY use others, including ones not yet on the list.

I think this is overly restrictive. While I agree that we should add a core set of cipher suites that MUST be supported, using MAY for the rest is too relaxed. I would have a SHOULD for them.

Regarding cipher suites defining no encryption: we should still allow them as they serve important use cases, but we should not require implementations to support them.

Regarding cipher suites that make use of weak methods: we should disallow them as they claim protection they actually do not provide, such as RSA export grade authentication, RC4 encryption, or MD2(?) message hashing.

As a summary, we should add three sections to the profile and explain where we sourced the list of cipher suites from (was it the IETF? TLS specification?):

a) A section with cipher suites that MUST be supported (strongest protection in all three aspects of a cipher suite)
b) A section with cipher suites that MUST NOT be supported
c) A section stating that all the rest SHOULD be supported.

We also should think of adding an expiry date to the profile to enable regular updates in case a security method is considered unsafe after the publication date of the profile (for example, SHA-1 was considered safe until very recently, but the discussions are still ongoing on this one).

Thoughts?

Cheers,
Michel

-- 
Michel <dot> Drescher <at> uk <dot> fujitsu <dot> com
Fujitsu Laboratories of Europe
+44 20 8606 4834
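The three-section profile with an expiry date, as an added example of how a compliance check against such a profile could look; this is illustrative code, not the profile or any implementation discussed in the thread. The suite names are IANA TLS identifiers, but which ones form the MUST set, the markers used to recognise weak methods, and the expiry date are assumptions.

```python
from datetime import date

# Constructed example profile, not the one under discussion. Placing this one
# suite in the MUST set is an assumption for the illustration.
MUST_SUPPORT = {"TLS_RSA_WITH_AES_128_CBC_SHA"}
# Assumed name markers for the weak methods the message names (export-grade
# keys, RC4, MD-family hashes); a real profile would list suites explicitly.
WEAK_MARKERS = ("_EXPORT", "RC4", "_MD5")
PROFILE_EXPIRES = date(2008, 1, 1)  # assumed expiry date for the illustration


def classify(suite: str) -> str:
    """Map a cipher suite name to its requirement level under the profile."""
    if suite in MUST_SUPPORT:
        return "MUST"
    if any(marker in suite for marker in WEAK_MARKERS):
        return "MUST NOT"      # claims protection it does not provide
    if "_WITH_NULL_" in suite:
        return "MAY"           # no encryption: allowed, but not required
    return "SHOULD"            # everything else


def check_server(offered, today_iso: str) -> list:
    """Return findings for a server's offered suites; an empty list is compliant."""
    findings = []
    if date.fromisoformat(today_iso) > PROFILE_EXPIRES:
        findings.append("profile expired on %s; re-evaluate the lists" % PROFILE_EXPIRES)
    offered_set = set(offered)
    for suite in sorted(MUST_SUPPORT - offered_set):
        findings.append("missing MUST suite %s" % suite)
    for suite in sorted(offered_set):
        if classify(suite) == "MUST NOT":
            findings.append("offers MUST NOT suite %s" % suite)
    return findings


if __name__ == "__main__":
    # Constructed sample of what a server might advertise.
    sample = ["TLS_RSA_WITH_RC4_128_SHA", "TLS_DHE_RSA_WITH_AES_256_CBC_SHA"]
    for finding in check_server(sample, "2006-10-04"):
        print(finding)
```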