---- Original Message -----
From: "Miao Fuyou" <[EMAIL PROTECTED]>
To: "'Rainer Gerhards'" <[EMAIL PROTECTED]>; "'tom.petch'"
<[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Sent: Monday, November 27, 2006 7:58 AM
Subject: RE: Ciphersuites Re: [Syslog] Updated Syslog-tls Document


>
> Hi,
>
> It looks good.  I tend to add some sentences like the one Rainer proposed.
> Any objection?

WFM

Tom Petch

>
> Thanks,
> Miao
>
> > -----Original Message-----
> > From: Rainer Gerhards [mailto:[EMAIL PROTECTED]
> > Sent: Friday, November 24, 2006 3:16 PM
> > To: Miao Fuyou; tom.petch; [EMAIL PROTECTED]
> > Subject: RE: Ciphersuites Re: [Syslog] Updated Syslog-tls Document
> >
> > Tom, Miao,
> >
> > might it be a compromise to add a sentence to -transport-tls
> > that tells an implementor to look for mandatory to implement
> > suites inside the TLS document. Something like
> >
> > "Minimum Interoperability between different implementations
> > of this specification is achieved via the mandatory to
> > implement cipher suites specified in <tls-rfc>."
> >
> > That would be a reminder that might be helpful.
> >
> > Rainer
> >
> > > -----Original Message-----
> > > From: Miao Fuyou [mailto:[EMAIL PROTECTED]
> > > Sent: Friday, November 24, 2006 4:04 AM
> > > To: 'tom.petch'; Rainer Gerhards; [EMAIL PROTECTED]
> > > Subject: RE: Ciphersuites Re: [Syslog] Updated Syslog-tls Document
> > >
> > >
> > > My observation about ciphersuite:
> > > 1, TLS wg can do a better job on ciphersuite selection than a profile
> > > developer.
> > > 2, TLS specification will be updated if the mandatory cipher is too
> > > weak to provide appropriate protection, but profile-specific suite may
> > > not be updated accordingly.
> > > 3, Before TLS mandates a stronger cipher suite,
> > > TLS_RSA_WITH_3DES_EDE_CBC_SHA is strong enough for most syslog
> > > applications. If an operator wants a stronger cipher suite for highly
> > > sensitive syslog applications, he still has the freedom to specify one;
> > > the mandatory cipher suite is only a MUST for the implementer rather than
> > > the operator.
> > >
> > > So, my view is that it is not necessary to define a ciphersuite in this
> > > specification, and it is not good to specify one in this specification.
> > >
> > > Thanks,
> > > Miao
> > > > >
> > > > > Tom and I discussed this issue on the mailing list. TLS protocol has
> > > > > its mandatory suite (TLS_RSA_WITH_3DES_EDE_CBC_SHA), and TLS
> > > > > specification says that if application profile (syslog-tls in this
> > > > > case) does not specify a mandatory cipher suite, TLS mandatory suite
> > > > > will apply. So, no need to specify one in this specification.
> > > >
> > > > Ahh... that was the message I did not find in the archive.
> > > > Thanks for bringing it up again. That obviously solves the interop
> > > > problem. However, I am still of the view that we should advise
> > > > operators to use strong suites in the security considerations
> > > > section.
> > > >
> > > > <tp>
> > > >
> > > > I raised it because I wanted a cipher suite spelt out in the I-D
> > > > rather than leaving it as an exercise in ingenuity for the reader to
> > > > find where it is specified.  The pro and con of not specifying it in
> > > > our I-D is that as the views in the security community change (and
> > > > some would regard the default as too weak - eg US government) so the
> > > > mandatory to implement is changed for us without us noticing.
> > > >
> > > > Tom Petch
> > > >


_______________________________________________
Syslog mailing list
[email protected]
https://www1.ietf.org/mailman/listinfo/syslog
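The argument running through the thread (the TLS spec's mandatory-to-implement suite guarantees interop between implementations, while the operator keeps the freedom to enable only stronger suites, and can also break interop by doing so) can be made concrete with a small policy model. The following Python is an added example, not code from the thread, the syslog-tls draft, or any syslog implementation; it does not perform a TLS handshake, it only computes which suite two peers would agree on under server-preference selection. The cipher-suite names are the real IANA names (the MTI quoted in the thread is the TLS 1.1 one from RFC 4346; RFC 5246 later moved the MTI to TLS_RSA_WITH_AES_128_CBC_SHA, which is exactly the silent change Tom describes); the endpoints and their product names are constructed for illustration.

```python
"""Policy model of the cipher-suite question in the thread: the TLS spec's
mandatory-to-implement (MTI) suite guarantees interop between implementations,
while operators remain free to enable only stronger suites.  This is NOT a TLS
handshake; it only computes which suite two peers would agree on."""
from dataclasses import dataclass
from typing import Optional, Tuple

# MTI suite cited in the thread (TLS 1.1, RFC 4346 section 9).
MTI_SUITE = "TLS_RSA_WITH_3DES_EDE_CBC_SHA"
AES128 = "TLS_RSA_WITH_AES_128_CBC_SHA"   # RFC 3268 suites, used here as the
AES256 = "TLS_RSA_WITH_AES_256_CBC_SHA"   # "stronger" operator choice


@dataclass(frozen=True)
class Endpoint:
    name: str
    implemented: Tuple[str, ...]                  # fixed by the implementer
    configured: Optional[Tuple[str, ...]] = None  # operator's ordered allow-list

    def enabled(self) -> Tuple[str, ...]:
        """Suites really in play: operator policy filtered by what the code has.
        None means the operator kept the vendor default (everything built in)."""
        if self.configured is None:
            return self.implemented
        return tuple(s for s in self.configured if s in self.implemented)


def is_conformant(ep: Endpoint) -> bool:
    """The MUST binds the implementer, not the operator: the MTI suite has to
    be built in even if a site later switches it off."""
    return MTI_SUITE in ep.implemented


def negotiate(client: Endpoint, server: Endpoint) -> Optional[str]:
    """Server-preference selection: first suite in the server's enabled order
    that the client also offered; None means the handshake would fail."""
    offered = set(client.enabled())
    return next((s for s in server.enabled() if s in offered), None)


# Constructed sample peers (hypothetical products, not real implementations).
MINIMAL = Endpoint("minimal-relay", (MTI_SUITE,))                  # MTI only
FULL = Endpoint("full-collector", (AES256, AES128, MTI_SUITE))      # vendor defaults
FULL_AES_ONLY = Endpoint("full-collector", (AES256, AES128, MTI_SUITE),
                         configured=(AES256, AES128))               # operator policy
MISSING_MTI = Endpoint("broken-sender", (AES128,))                  # skipped the MUST


def run_scenarios() -> dict:
    return {
        # Two conformant products with default settings always share MTI.
        "defaults": negotiate(MINIMAL, FULL),
        # Operator hardens both sides: server preference picks AES-256.
        "hardened_both": negotiate(FULL_AES_ONLY, FULL_AES_ONLY),
        # Operator hardens one side against an MTI-only peer: fails by choice,
        # not because the profile left the suite unspecified.
        "hardened_vs_minimal": negotiate(MINIMAL, FULL_AES_ONLY),
        # Spec compliance is judged on `implemented`, not on `configured`.
        "conformance": {ep.name: is_conformant(ep)
                        for ep in (MINIMAL, FULL_AES_ONLY, MISSING_MTI)},
    }


if __name__ == "__main__":
    for key, value in run_scenarios().items():
        print(f"{key}: {value}")
```

The `hardened_vs_minimal` case is the practical caveat behind Miao's point 3: a site that disables the MTI suite on its collector will still interoperate with every peer whose operator also enabled a shared stronger suite, but loses the guarantee the MTI provides against peers that ship nothing else.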
