On 11/26/14, 2:55 AM, Alexey Melnikov wrote:
Hi Peter,
On 26 Nov 2014, at 03:38, Peter Saint-Andre - &yet <[email protected]> wrote:
This document is not an application profile standard, in the sense of
Section 9 of [RFC5246]. As a result, clients and servers are still
REQUIRED to support the mandatory TLS cipher suite,
TLS_RSA_WITH_AES_128_CBC_SHA.
A BCP defining cipher suite recommendations should not have a higher
level of requirement for TLS_RSA_WITH_AES_128_CBC_SHA than it has for
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, at least. I think it is OK to just
say that the TLS specification was wrong to mandate
TLS_RSA_WITH_AES_128_CBC_SHA, or don't mention it at all.
I don't know if RFC 5246 was *wrong*, but the situation on the ground has
changed since 2008.
I was wondering about the above as well. I think your document is updating MTI
or at least narrowing down recommended choices, and CBC_SHA is not one of them.
So deleting the two sentences quoted above is the best.
And in fact the text currently says:
This document is not an application profile standard, in the sense of
Section 9 of [RFC5246]. As a result, clients and servers are still
REQUIRED to support the mandatory TLS cipher suite,
TLS_RSA_WITH_AES_128_CBC_SHA.
So I'd agree with Yaron here.
Peter
--
Peter Saint-Andre
https://andyet.com/
_______________________________________________
Uta mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/uta
