Hi UTA,

Ralph Holz wrote:
> Good day,
> 
> I have solicited some feedback on the wording in 4.1, the MUST NOT on
> selecting the NULL cipher. I have feedback from members of the TLS WG,
> and from operators of Grid centres. My fear was that MUST NOTing the
> NULL cipher in the BCP may lead implementers to drop it entirely. I have
> a suggested new wording, with a new note, that I think would resolve this:
> 
> "Deployments of TLS to secure application-layer protocols MUST NOT
> negotiate the NULL cipher.
> 
> Note: TLS implementations MAY retain code for the NULL cipher to allow
> specialised purposes like debugging, custom solutions, etc."
> 
> That will make it clear that implementers are free to retain NULL (and
> they will), but that the purpose of the BCP is to propose secure TLS
> configurations to protect application-layer protocols, and for those no
> deployment should ever negotiate NULL.
> 
> 
> 
> As for the feedback - it seemed to be divided into two categories:
> 
> 1) Kill off the NULL cipher for all deployments.
+1
> 
> The operators of Grid centres did have some very good use cases
> concerning a) - namely European centres having dedicated authentication
> mechanisms that rely on code in e.g. OpenSSL to provide exactly this
> NULL cipher (but MAC-ed). I can forward their exact use case if there is
> interest here. They did emphasise, however, that speed of encryption is
> no longer a concern for them.
Disclaimer: for the last 2.5 years I've - also - been working and
consulting in HPC/grid computing.

While it is true that you might want to use the NULL cipher for
performance reasons, in this particular field it is also true that it's
extremely common that custom-developed tools (or tools that
intentionally defy standards) are used for pure performance reasons (see
HPN-SSH). If this is the only valid point that came up on tls@ I think
we can safely ignore it. HPC and Grid sites/engineers will in any case
opt to change and tune software according to their needs, not IETF BCPs.

Aaron
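The wording under discussion is about what a deployment negotiates, not what an implementation ships. The following is an added example (not part of the thread, and not from the BCP or any of the posters) showing how a deployment can enforce the "MUST NOT negotiate the NULL cipher" rule using OpenSSL cipher-string syntax via Python's standard `ssl` module, and then verify from the context itself that no NULL suite is offered, while separately reporting whether the local build still carries NULL-cipher code, as the proposed note permits. The cipher string and function names are this example's own choices.

```python
"""Enforce and verify a no-NULL-cipher TLS configuration.

Added example; assumes CPython with the standard ``ssl`` module linked
against OpenSSL. It is not code from the draft BCP or the uta list.
"""
import ssl

# OpenSSL cipher-string syntax: "HIGH" selects strong suites, "!eNULL"
# removes suites with no encryption, "!aNULL" removes suites with no
# authentication. The remaining exclusions are ordinary hygiene.
SECURE_CIPHER_STRING = "HIGH:!aNULL:!eNULL:!MD5:!RC4:!3DES"


def offered_cipher_names(cipher_string):
    """Return the suite names an SSLContext offers after set_ciphers().

    Raises ssl.SSLError when no suite in this OpenSSL build matches, so a
    typo in the cipher string fails loudly instead of silently widening.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)
    # get_ciphers() returns one dict per suite; "name" is the OpenSSL name.
    return [entry["name"] for entry in ctx.get_ciphers()]


def null_cipher_suites(names):
    """Return the subset of suite names that use NULL encryption.

    Both OpenSSL names (e.g. NULL-SHA256, ECDHE-RSA-NULL-SHA) and IANA
    names (e.g. TLS_RSA_WITH_NULL_SHA) carry the token NULL.
    """
    return [name for name in names if "NULL" in name.upper()]


def audit_cipher_string(cipher_string):
    """Deployment-side check: NULL suites left in after applying the string."""
    return null_cipher_suites(offered_cipher_names(cipher_string))


def default_context_is_null_free():
    """True if Python's create_default_context() offers no NULL suite."""
    names = [e["name"] for e in ssl.create_default_context().get_ciphers()]
    return null_cipher_suites(names) == []


def null_suites_available():
    """Implementation-side check: does this build still carry NULL code?

    The proposed note lets implementations keep the NULL cipher for
    debugging or custom setups; a build that dropped it makes
    set_ciphers("eNULL") fail, which this reports as False.
    """
    try:
        return bool(null_cipher_suites(offered_cipher_names("eNULL")))
    except ssl.SSLError:
        return False


if __name__ == "__main__":
    leftover = audit_cipher_string(SECURE_CIPHER_STRING)
    print("NULL suites offered by deployment config:", leftover or "none")
    print("Default context NULL-free:", default_context_is_null_free())
    print("Build retains NULL cipher code:", null_suites_available())
```

Run it on the host that will terminate TLS: the first line is the deployment check the BCP text cares about and should always read "none"; the last line only tells you whether the implementation retained the code, which the proposed note explicitly allows.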



_______________________________________________
Uta mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/uta