On Wednesday, March 30, 2016 03:20:08 pm Ilari Liusvaara wrote:
> On Wed, Mar 30, 2016 at 12:05:26PM -0400, Daniel Kahn Gillmor wrote:
> > On Wed 2016-03-30 11:33:09 -0400, Benjamin Kaduk wrote:
> > > I am not sure that we want to be in the business of explicitly marking
> > > things as insecure other than our own RFCs, though -- there could be an
> > > implication of more review than is actually the case, which is what this
> > > proposal is trying to get rid of.
> > 
> > I think i agree with Ben here: if we have a tri-state:
> > approved/not-approved/known-bad, then the people will infer that the
> > not-approved ciphersuites are better than the known-bad ones, which
> > isn't necessarily the case.
> > 
> > I think i'd rather see it stay at "approved/not-approved"
> 
> Then how should ciphersuites with explicit diediedie RFCs (currently
> RC4) be presented?

A tri-state that might be more acceptable would be
approved/not-approved/amended, where "amended" indicates an RFC released after
the initial specification that is considered mandatory. This would cover both
diediedie RFCs and any sort of less severe update, without as much
implication that "not-approved" automatically implies safety.


Dave

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls