With no-hats, I'd be against this change. Adding a note that CCM is common in some hardware environments would be good though.
Delaying this to try to solve the unsolvable problem that we have CCM and GCM both deployed would be just as bad. So I'd say add a note that ciphersuite foo is the best one for environments where using CCM is needed would be ok. Picking a "foo" I'd suggest adding this to 4.2 maybe "There are some environments that have hardware support for AES-CCM but not AES-GCM. Where interoperability with such devices is needed, the TLS_ECDHE_ECDSA_WITH_AES_128_CCM ciphersuite is RECOMMENDED. There may also be niches where this kind of device cannot use that ciphersuite perhaps because they do not public key cryptography at all - this BCP does not cover those niches." If getting agreement on a foo here is too hard then I'd suggest instead adding a note somewhere that says: "There are some environments that have hardware support for AES-CCM but not AES-GCM. There may also be niches where this kind of device cannot use that ciphersuite perhaps because they do not public key cryptography at all - this BCP does not cover those niches." Cheers, S. On 16/11/14 12:57, Leif Johansson wrote: > > > > >> 16 nov 2014 kl. 01:51 skrev Hannes Tschofenig <[email protected]>: >> >> Here is a suggestion: > > Ok, this looks like a substantial change. We'll need explicit support to call > consensus on this one. > >> >> Title: "Recommendations for Secure Use of TLS in the Web" >> >> Abstract: >> >> Transport Layer Security (TLS) is widely used to protect data exchanged >> over application protocols such as HTTP, SMTP, IMAP, POP, SIP, and XMPP. >> Over the last few years, several serious attacks on TLS have emerged, >> including attacks on its most commonly used cipher suites and modes of >> operation. This document provides recommendations for improving the >> security of deployed services that use TLS. The recommendations are >> applicable to the majority of use cases. >> Recommendations for other environments, such as Internet of Things, XMPP >> and Email, can be found in other specifications. >> >> >>> On 11/14/2014 09:37 PM, Leif Johansson wrote: >>>> On 2014-11-14 20:57, Hannes Tschofenig wrote: >>>> I have a small request for "Recommendations for Secure Use of TLS >>>> and DTLS" <draft-ietf-uta-tls-bcp-07>: Could you please change the >>>> scope of the document so that it does not collide with the work we >>>> do in DICE. >>> >>>> Your recommendations, as stated in the abstract, focus on the >>>> Web/messaging/email space rather than the Internet of Things >>>> space. >>> >>> >>> Hannes, >>> >>> The document is in its second WGLC. If you want to suggest changes, >>> please provide concrete text. >>> >>> Cheers Leif >>> >>> >>> _______________________________________________ >>> Uta mailing list >>> [email protected] >>> https://www.ietf.org/mailman/listinfo/uta >> >> _______________________________________________ >> Uta mailing list >> [email protected] >> https://www.ietf.org/mailman/listinfo/uta > > _______________________________________________ > Uta mailing list > [email protected] > https://www.ietf.org/mailman/listinfo/uta > > _______________________________________________ Uta mailing list [email protected] https://www.ietf.org/mailman/listinfo/uta
