Hi Panos,

We tried to focus on existing problematic uses, rather than including a long list of bad things that people MIGHT be doing, but mostly know better. This is why the most important negative recommendation is with regard to RC4, because it is heavily used in practice. If we are missing bad practices that are *widely used* today, please let us know.

I'm not sure I understand your last two paragraphs, but if I do: we do not provide an extensive list of "good" cipher suites, because we also care about interoperability. If we included a long list of cipher suites, different people would implement different subsets, and we would end up with negotiation failures.

Thanks,
        Yaron

On 07/18/2014 05:22 PM, Panos Kampanakis (pkampana) wrote:
Hello,

I wanted to provide some thoughts and suggestions on
draft-ietf-uta-tls-bcp-01. Especially I am focusing on recommendations
on ciphersuites. Maybe focusing on specific ciphersuites is outside the
scope of this work, so it might not fit in this doc. If so please let me
know.

- Ephemeral vs Static DHE in TLS negotiation is not addressed in section
4.2. Static DH should be recommended to be avoided.

- _anon_ ciphersuites are not addressed. They should be avoided as well.

- MD5 is not addressed and not mentioned as avoided. Reference to
RFC6151 could be added here.

- In general, the draft’s sections 3.4 and 3.5 make recommendations
about good ciphersuites and security levels and ciphersuites that are
“ok if there are no other options” like 1024 RSA, but it doesn’t address
which ciphersuites should be avoided, which are legacy to be used if no
other options are available.

I believe the “secure ciphersuites” can be “algorithmized” with the use
of an IANA table successfully to benefit the industry’s implementers.

I am not sure if the scope of this document is to address it or maybe
that should be a separate document and IANA table, but I wanted to bring
it to the author’s attention.

Regards,

Panos Kampanakis

Cisco Systems



_______________________________________________
Uta mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/uta
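As an added illustration of the "algorithmized" filtering Panos suggests (this is example code written for this page, not code from the thread, the draft or IANA), the Python below splits IANA-style cipher suite names and rejects the four categories raised above: static DH, _anon_ suites, RC4 and MD5. The naming convention TLS_<kx>[_<auth>]_WITH_<cipher>_<mac> is an assumption about pre-TLS 1.3 registry names, and SAMPLE_SUITES is a constructed list; an RSA key size such as 1024 bits is a certificate property and cannot be read off the suite name.

```python
import re

# Constructed sample list for the demonstration (the names are real
# registry entries, but the selection is ours).
SAMPLE_SUITES = [
    "TLS_RSA_WITH_RC4_128_SHA",
    "TLS_RSA_WITH_NULL_MD5",
    "TLS_DH_anon_WITH_AES_128_CBC_SHA",
    "TLS_DH_RSA_WITH_AES_128_CBC_SHA",
    "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA",
    "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
]

# Assumed shape of a pre-TLS 1.3 suite name: TLS_<kx>[_<auth>]_WITH_<cipher>_<mac>
_NAME = re.compile(r"^TLS_(?P<kxauth>[A-Za-z0-9_]+?)_WITH_(?P<rest>[A-Z0-9_]+)$")


def parse_suite(name):
    """Split a suite name into (kx, auth, cipher, mac)."""
    m = _NAME.match(name)
    if not m:
        raise ValueError("not a TLS_<kx>_WITH_<cipher>_<mac> name: %s" % name)
    kx_parts = m.group("kxauth").split("_")
    kx = kx_parts[0]
    # Plain "RSA" suites use RSA key transport, so kx and auth coincide.
    auth = kx_parts[1] if len(kx_parts) > 1 else kx
    # The final token after _WITH_ is the MAC/PRF hash; the rest is the cipher.
    cipher, mac = m.group("rest").rsplit("_", 1)
    return kx, auth, cipher, mac


def problems(name):
    """List which of the thread's objections apply to this suite (empty if none)."""
    kx, auth, cipher, mac = parse_suite(name)
    found = []
    if kx in ("DH", "ECDH"):        # non-ephemeral (static) Diffie-Hellman
        found.append("static DH key exchange")
    if auth == "anon":              # *_anon_* suites: no server authentication
        found.append("anonymous key exchange")
    if "RC4" in cipher.split("_"):  # RC4 stream cipher
        found.append("RC4")
    if mac == "MD5":                # MD5-based MAC (see RFC 6151)
        found.append("MD5")
    return found


def filter_suites(names):
    """Return (kept, rejected); rejected maps each dropped suite to its problems."""
    kept, rejected = [], {}
    for n in names:
        p = problems(n)
        if p:
            rejected[n] = p
        else:
            kept.append(n)
    return kept, rejected
```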