The BCP only prohibits the use of RC4, DES and 40-bit crypto. As it stands now, use of 3DES is allowed as a "best" practice.
What I am suggesting is that we should correctly call out that its use is really a minimal practice, to distinguish it from other, more worthy practices. The motivation is to form the basis for encouraging movement towards what really is a best practice, in a form the application would be able to consume.

From: Salz, Rich [mailto:[email protected]]
Sent: Thursday, June 19, 2014 3:12 PM
To: Trevor Freeman; [email protected]
Subject: RE: What are the actual best practices in the TLS BCP

I don't see where 3DES is recommended. Do you mean this:
    (even if they advertise more bits, such as the 168-bit 3DES cipher suites)
Perhaps change it to "such as AES256"?

> There are many things in the TLS BCP which cannot really be construed as a
> "best" practice since they are largely in there for interoperability.

Reaching the widest possible audience is often an explicit goal and a trade-off against always being at the best security level. I think if you have some specific issues, it would be good to edit the rationale to say "only for interoperability" or something like that. I think almost every section should have a rationale. For example, 3.5 could say "because it's at the wrong layer and has been the subject of security weaknesses" :)

/r$

--
Principal Security Engineer
Akamai Technologies, Cambridge, MA
IM: [email protected]; Twitter: RichSalz
_______________________________________________
Uta mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/uta
