Re: [openssl.org #127] AES draft cipher suites
Lutz Jaenicke:

> I have already worked in the cipher selection routines yesterday with respect to PR#130. I will add an appropriate NOTDEFAULT selection keyword that will cover cipher suites not selected by default. As this is a new feature I intend to only add it to 0.9.7 (and later).
>
> Technically speaking we have two things:
> * ALL: all ciphers _except_ eNULL (no encryption is left out)
> * DEFAULT: ALL ciphers, then ADH is removed, then some sorting
>
> We would therefore have two classes of non-selected ciphers:
> * NODEFAULT: meaning effectively ADH at the moment
> * NOALL: meaning effectively eNULL at the moment
>
> Of course, this distinction is not necessarily clear unless you look up the realization of DEFAULT and ALL. Should I realize both classes? Actually it would make sense from the logical point of view and in the documentation I would propose to use something like RSA:NODEFAULT:NOALL to unselect the unwanted ciphers. I propose NOALL instead of NONE in order to reflect its logical interaction with the ALL keyword.

The NO prefix in NODEFAULT and NOALL could be misleading. (Of course, NONE isn't any better.) COMPLEMENT_OF_ALL and COMPLEMENT_OF_DEFAULT are clearer. They are also longer, but it may be worth it.

I don't particularly like the RSA:NODEFAULT:NOALL example because the NO... or COMPLEMENT_OF_... group aliases are not really useful for *enabling* ciphersuites (it can be done, but this is quite pointless). Their real purpose is *disabling* ciphersuites, as in RSA:!COMPLEMENT_OF_ALL or RC4:!COMPLEMENT_OF_DEFAULT: RSA:!COMPLEMENT_OF_ALL will enable all RSA ciphersuites with the exception of the eNULL ciphersuites, and RC4:!COMPLEMENT_OF_DEFAULT will enable all non-anonymous RC4 ciphersuites.

-- 
Bodo Möller [EMAIL PROTECTED]
PGP http://www.informatik.tu-darmstadt.de/TI/Mitarbeiter/moeller/0x36d2c658.html
* TU Darmstadt, Theoretische Informatik, Alexanderstr. 10, D-64283 Darmstadt
* Tel. +49-6151-16-6628, Fax +49-6151-16-6036

__
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                        [EMAIL PROTECTED]
Automated List Manager                          [EMAIL PROTECTED]
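The alias algebra this thread is arguing about, as an added example that is not code from the thread or from OpenSSL: a small Python model of cipher-string processing with the COMPLEMENT_OF_ALL and COMPLEMENT_OF_DEFAULT keywords settled on above, which also reproduces the behaviour the original problem description complains about, namely that a seemingly innocuous string such as RSA or DES pulls in eNULL or ADH suites that ALL leaves out, and that appending !COMPLEMENT_OF_ALL or !COMPLEMENT_OF_DEFAULT removes them again. The suite table is a hand-built sample, the alias bodies follow the descriptions in the messages (ALL is everything except eNULL; DEFAULT is ALL minus ADH, with the sorting omitted), the operator semantics are those documented in ciphers(1), and the model reflects the post-RFC3268 state, so there is no AESdraft group. None of it is OpenSSL's actual implementation.

```python
# Toy model of the OpenSSL cipher-string alias algebra discussed in this thread.
# Constructed for illustration: the suite table is a small hand-built sample and the
# alias bodies follow the thread's descriptions, not OpenSSL's real tables or code.
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Suite:
    name: str
    kx: str    # key exchange: "RSA", "DHE", or "ADH" (anonymous Diffie-Hellman)
    auth: str  # authentication: "RSA" or "NONE"
    enc: str   # bulk cipher: "RC4", "DES", "3DES", "AES128", "NULL" (no encryption)


# Constructed sample table; names follow OpenSSL conventions but the list is not exhaustive.
SUITES = [
    Suite("RC4-MD5", "RSA", "RSA", "RC4"),
    Suite("RC4-SHA", "RSA", "RSA", "RC4"),
    Suite("DES-CBC3-SHA", "RSA", "RSA", "3DES"),
    Suite("DES-CBC-SHA", "RSA", "RSA", "DES"),
    Suite("AES128-SHA", "RSA", "RSA", "AES128"),
    Suite("NULL-MD5", "RSA", "RSA", "NULL"),
    Suite("NULL-SHA", "RSA", "RSA", "NULL"),
    Suite("EDH-RSA-DES-CBC3-SHA", "DHE", "RSA", "3DES"),
    Suite("ADH-RC4-MD5", "ADH", "NONE", "RC4"),
    Suite("ADH-DES-CBC-SHA", "ADH", "NONE", "DES"),
    Suite("ADH-DES-CBC3-SHA", "ADH", "NONE", "3DES"),
]

ENC_ALIASES = {"RC4": {"RC4"}, "DES": {"DES"}, "3DES": {"3DES"}, "AES": {"AES128"}}


def alias_members(alias: str) -> list[Suite]:
    """Expand one group alias to the suites it names, in table order."""
    if alias == "ALL":                    # everything except the unencrypted suites
        return [s for s in SUITES if s.enc != "NULL"]
    if alias == "DEFAULT":                # ALL with anonymous DH removed (sorting omitted)
        return [s for s in alias_members("ALL") if s.kx != "ADH"]
    if alias == "COMPLEMENT_OF_ALL":      # what ALL leaves out: effectively eNULL
        in_all = set(alias_members("ALL"))
        return [s for s in SUITES if s not in in_all]
    if alias == "COMPLEMENT_OF_DEFAULT":  # in ALL but not in DEFAULT: effectively ADH
        in_default = set(alias_members("DEFAULT"))
        return [s for s in alias_members("ALL") if s not in in_default]
    if alias == "eNULL":
        return [s for s in SUITES if s.enc == "NULL"]
    if alias == "ADH":
        return [s for s in SUITES if s.kx == "ADH"]
    if alias == "RSA":                    # RSA key exchange *or* RSA authentication
        return [s for s in SUITES if s.kx == "RSA" or s.auth == "RSA"]
    if alias in ENC_ALIASES:
        return [s for s in SUITES if s.enc in ENC_ALIASES[alias]]
    raise ValueError(f"unknown alias {alias!r}")


def rule_members(body: str) -> list[Suite]:
    """Within one rule, 'A+B' selects suites matching both A and B."""
    parts = body.split("+")
    members = alias_members(parts[0])
    for part in parts[1:]:
        keep = set(alias_members(part))
        members = [s for s in members if s in keep]
    return members


def select(cipher_string: str) -> list[str]:
    """Apply the rules left to right (ciphers(1) operator semantics) and return
    the ordered suite names: no prefix appends suites not yet present, '-' deletes
    (a later rule may re-add), '!' deletes permanently, '+' moves to the end."""
    active: list[Suite] = []
    killed: set[Suite] = set()
    for rule in re.split(r"[:, ]+", cipher_string.strip()):
        if not rule:
            continue
        op, body = (rule[0], rule[1:]) if rule[0] in "!-+" else ("", rule)
        members = rule_members(body)
        if op == "!":
            killed.update(members)
            active = [s for s in active if s not in members]
        elif op == "-":
            active = [s for s in active if s not in members]
        elif op == "+":
            moved = [s for s in active if s in members]
            active = [s for s in active if s not in members] + moved
        else:
            for s in members:
                if s not in killed and s not in active:
                    active.append(s)
    return [s.name for s in active]


if __name__ == "__main__":
    for cs in ("RSA", "RSA:!COMPLEMENT_OF_ALL", "DES", "RC4:!COMPLEMENT_OF_DEFAULT"):
        print(f"{cs:28} -> {select(cs)}")
```

With this table, select("RSA") includes NULL-MD5 and NULL-SHA because the RSA alias matches on key exchange or authentication, not on encryption; RSA:!COMPLEMENT_OF_ALL drops exactly those two, and RC4:!COMPLEMENT_OF_DEFAULT drops ADH-RC4-MD5 while keeping the authenticated RC4 suites. The difference between - and ! is also visible: RSA:-eNULL:eNULL re-adds the null suites at the end of the list, RSA:!eNULL:eNULL does not.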
[openssl.org #127] AES draft cipher suites
[bodo - Thu Jul 4 10:34:15 2002]:
> However, it would still be a good idea to create a NONE cipher suite group alias because it is useful in the other scenarios given in the problem description.

I have already worked in the cipher selection routines yesterday with respect to PR#130. I will add an appropriate NOTDEFAULT selection keyword that will cover cipher suites not selected by default. As this is a new feature I intend to only add it to 0.9.7 (and later).

Best regards,
Lutz
[openssl.org #127] AES draft cipher suites
[jaenicke - Wed Jul 10 08:50:56 2002]:
> [bodo - Thu Jul 4 10:34:15 2002]:
> > However, it would still be a good idea to create a NONE cipher suite group alias because it is useful in the other scenarios given in the problem description.
>
> I have already worked in the cipher selection routines yesterday with respect to PR#130. I will add an appropriate NOTDEFAULT selection keyword that will cover cipher suites not selected by default. As this is a new feature I intend to only add it to 0.9.7 (and later).

Technically speaking we have two things:
* ALL: all ciphers _except_ eNULL (no encryption is left out)
* DEFAULT: ALL ciphers, then ADH is removed, then some sorting

We would therefore have two classes of non-selected ciphers:
* NODEFAULT: meaning effectively ADH at the moment
* NOALL: meaning effectively eNULL at the moment

Of course, this distinction is not necessarily clear unless you look up the realization of DEFAULT and ALL. Should I realize both classes? Actually it would make sense from the logical point of view and in the documentation I would propose to use something like RSA:NODEFAULT:NOALL to unselect the unwanted ciphers. I propose NOALL instead of NONE in order to reflect its logical interaction with the ALL keyword.

Opinions?

Lutz
[openssl.org #127] AES draft cipher suites
RFC3268 makes the AES cipher suites official, so the AESdraft problem no longer exists.

However, it would still be a good idea to create a NONE cipher suite group alias because it is useful in the other scenarios given in the problem description.
[openssl.org #127] AES draft cipher suites
While the AES cipher suites from draft-ietf-tls-ciphersuite-06.txt are disabled by default and not part of ALL (the AESdraft group alias can be used to enable them), they might be accidentally enabled by using cipher suite strings such as RSA. The reason for disabling them unless explicitly requested is that they are not yet official, so it may be a problem if seemingly innocuous strings such as RSA enable them.

(Similarly, cipher suite strings such as DES will enable ADH cipher suites that are left out of ALL. But this is less of a problem because these cipher suites are official; they are not in ALL simply because usually anonymous connections are not desired.)

A possible strategy is to define a new group alias for all those cipher suites that are not part of ALL, which could be called NONE (unless someone comes up with a more serious name for it). Then !NONE in a cipher suite string will disable all cipher suites that are not in ALL, i.e. RSA:!NONE would be RSA without AESdraft and