On 11/16/14, 8:47 AM, Stephen Farrell wrote:
With no-hats, I'd be against this change.
Adding a note that CCM is common in some hardware environments
would be good though.
Delaying this to try to solve the unsolvable problem that we have
CCM and GCM both deployed would be just as bad. So I'd say add a note
that ciphersuite foo is the best one for environments where using
CCM is needed would be ok.
Picking a "foo" I'd suggest adding this to 4.2 maybe
"There are some environments that have hardware support for
AES-CCM but not AES-GCM. Where interoperability with such
devices is needed, the TLS_ECDHE_ECDSA_WITH_AES_128_CCM
ciphersuite is RECOMMENDED. There may also be niches where
this kind of device cannot use that ciphersuite perhaps
because they do not public key cryptography at all - this
BCP does not cover those niches."
I haven't seen substantive comments on this proposal.
If getting agreement on a foo here is too hard then I'd suggest
instead adding a note somewhere that says:
"There are some environments that have hardware support for
AES-CCM but not AES-GCM. There may also be niches where
this kind of device cannot use that ciphersuite perhaps
because they do not public key cryptography at all - this
BCP does not cover those niches."
Simplifying further, I suggest:
Some devices have hardware support for AES-CCM but not AES-GCM.
There are even devices that do not public key cryptography at all.
This BCP does not cover such devices.
Peter
--
Peter Saint-Andre
https://andyet.com/
_______________________________________________
Uta mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/uta
