I know everyone will not agree with a position.

There are still a lot of folks out there who believe Neil Armstrong never left a 
sound stage in California.

We did not have a credibility problem with Heartbleed so why is this different?

-----Original Message-----
From: [email protected] [mailto:[email protected]] 
Sent: Wednesday, May 07, 2014 10:14 AM
To: Trevor Freeman
Cc: [email protected]
Subject: Re: [perpass] Delivering TLS Best Practices

Below:

On 5/7/2014 10:09 AM, Trevor Freeman wrote:

> We know we need to provide better guidance for the use of TLS with 
> applications. We have a draft BCP in the works which is goodness.
> 
> I was just looking at the TLS deployment statistics.
> 
> https://www.trustworthyinternet.org/ssl-pulse/
> 
> A (hopefully) large % of the TLS code base has just been updated 
> because of a vulnerability. However the number of sites supporting TLS 
> v1.2 has barely increased over the past month.

I know some folks may be somewhat skeptical of NIST Guidelines in the aftermath 
of the Dual_EC_DRBG (Dual Elliptic Curve Deterministic Random Bit Generator) 
"issue" involving NIST [1], but these guidelines are worth reviewing.

FYI,

- ferg


[1]
https://en.wikipedia.org/wiki/Dual_EC_DRBG#Software_and_hardware_which_contained_the_possible_backdoor


-------- Original Message --------
Subject:        NIST Announced the Release of Special Publication (SP) 800-52
Revision 1, Guidelines for the Selection, Configuration, and Use of Transport 
Layer Security (TLS) Implementations
Date:   Wed, 07 May 2014 11:23:29 -0500
From:   NIST Computer Security Resource Center
<[email protected]>
Reply-To:       [email protected]




NIST Announced the Release of Special Publication (SP) 800-52 Revision 1, 
Guidelines for the Selection, Configuration, and Use of Transport Layer 
Security (TLS) Implementations


To view the full announcement of SP 800-52 Revision 1 release on the CSRC News 
page:
http://csrc.nist.gov/news_events/#apr29

Link to the SP 800-52 Revision 1 document (NIST's Library website):
http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-52r1.pdf 

SP 800-52 Rev. 1 can be found on the CSRC Special Publications page at (this 
link should be used as a bookmark if needed):
http://csrc.nist.gov/publications/PubsSPs.html#800-52



Pat O'Reilly
NIST Computer Security Division
[email protected]   (Attn: Pat O'Reilly)


[end]



--
Paul Ferguson
VP Threat Intelligence, IID
PGP Public Key ID: 0x54DC85B2

_______________________________________________
perpass mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/perpass
