I have draft language stolen from HTTP/2 that just requires TLS 1.2 or higher. If people want more specific language on this (e.g. blacklisted cipher suites, MTI ciphers), please suggest it.
On Sun, Oct 29, 2017 at 1:05 AM Viktor Dukhovni <[email protected]> wrote:
>
>
> > On Oct 28, 2017, at 4:32 PM, Hanno Böck <[email protected]> wrote:
> >
> > That's not how Bleichenbacher attacks work... (which you should know as
> > a co-author of the DROWN paper.)
>
> You can safely drop the word "should"...
>
> > As it has been pointed out multiple
> > times this attack works cross-protocol and cross-server, so the mere
> > existence of a vulnerable TLS RSA implementation with the same cert is
> > a risk. You don't need any downgrade attack for that.
>
> Yes, in the DROWN case the attack was a cross-protocol attack that
> leveraged servers that exposed a certificate used with SSLv3+ (on
> the same or some other server) via SSLv2.
>
> With SSLv2 out of the picture, which attacks from RFC7457 do you see
> as the motivation to set a floor higher than the TLS 1.2 MTI cipher
> [ TLS_RSA_WITH_AES_128_CBC_SHA ] in SMTP? Sure, clients and servers
> will typically negotiate other ciphers (PFS and AESGCM are quite
> common, and perhaps more secure, barring GCM pitfalls and ECDHE
> being broken by quantum computers any day now...).
>
> --
> Viktor.
>
> _______________________________________________
> Uta mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/uta
_______________________________________________ Uta mailing list [email protected] https://www.ietf.org/mailman/listinfo/uta
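The two points argued in the thread above, that a "TLS 1.2 or higher" floor alone still leaves the TLS 1.2 MTI suite TLS_RSA_WITH_AES_128_CBC_SHA (RSA key transport) on the table, and that a certificate shared with an endpoint that still accepts RSA-encrypted premaster secrets (SSLv2 or any TLS_RSA_* suite) puts every other endpoint using that key at risk without any downgrade, can be turned into an inventory audit. The script below is an added illustration and is not the working group's draft text or code from any participant. The Endpoint records, hostnames, fingerprints and offered suites are constructed sample data; only the protocol-version ordering and the cipher-suite name prefixes (TLS_RSA_WITH_*, SSL_CK_* for SSLv2) come from the real naming schemes.

```python
"""Audit a constructed endpoint inventory against a "TLS 1.2 or higher" floor
and flag certificates exposed through an RSA-key-transport endpoint elsewhere.
Added example; the inventory data below is made up for illustration."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

VERSION_ORDER = ("SSLv2", "SSLv3", "TLSv1.0", "TLSv1.1", "TLSv1.2", "TLSv1.3")
POLICY_MIN_VERSION = "TLSv1.2"   # the floor proposed in the thread


@dataclass(frozen=True)
class Endpoint:
    host: str
    port: int
    cert_sha256: str            # constructed fingerprint of the leaf certificate
    protocols: FrozenSet[str]   # versions the endpoint will negotiate
    suites: FrozenSet[str]      # cipher suites it offers (IANA names; SSL_CK_* for SSLv2)

    def name(self) -> str:
        return f"{self.host}:{self.port}"


def below_floor(version: str, floor: str = POLICY_MIN_VERSION) -> bool:
    """True if `version` is older than the policy floor."""
    return VERSION_ORDER.index(version) < VERSION_ORDER.index(floor)


def floor_violations(ep: Endpoint, floor: str = POLICY_MIN_VERSION) -> List[str]:
    """Protocol versions the endpoint still offers that the floor forbids, oldest first."""
    return sorted((v for v in ep.protocols if below_floor(v, floor)), key=VERSION_ORDER.index)


def is_rsa_key_transport(suite: str) -> bool:
    """Static-RSA key exchange: the client encrypts the premaster secret to the
    server's RSA key, which is what a Bleichenbacher-style padding oracle
    targets. All SSLv2 suites (SSL_CK_*) work this way."""
    return suite.startswith(("TLS_RSA_WITH_", "SSL_RSA_WITH_", "SSL_CK_"))


def rsa_oracle_surface(ep: Endpoint) -> bool:
    """Does this endpoint accept an RSA-encrypted premaster secret at all?
    A TLS 1.2-only endpoint offering just the MTI suite still answers yes."""
    return "SSLv2" in ep.protocols or any(is_rsa_key_transport(s) for s in ep.suites)


def cross_server_exposures(inventory: List[Endpoint]) -> Dict[str, Tuple[List[str], List[str]]]:
    """For each certificate, split the endpoints sharing it into those that expose
    an RSA oracle and the others that inherit the risk through the shared key.
    Only certificates with at least one exposing endpoint are reported."""
    by_cert: Dict[str, List[Endpoint]] = {}
    for ep in inventory:
        by_cert.setdefault(ep.cert_sha256, []).append(ep)
    result: Dict[str, Tuple[List[str], List[str]]] = {}
    for fingerprint, eps in by_cert.items():
        exposing = sorted(e.name() for e in eps if rsa_oracle_surface(e))
        if exposing:
            clean = sorted(e.name() for e in eps if not rsa_oracle_surface(e))
            result[fingerprint] = (exposing, clean)
    return result


# Constructed inventory: hostnames, fingerprints and offerings are made up.
INVENTORY = [
    # Modern MX: meets the floor, no RSA key transport.
    Endpoint("mx1.example.net", 25, "sha256:A1", frozenset({"TLSv1.2", "TLSv1.3"}),
             frozenset({"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_AES_128_GCM_SHA256"})),
    # Forgotten legacy host reusing mx1's certificate and still speaking SSLv2.
    Endpoint("legacy.example.net", 443, "sha256:A1", frozenset({"SSLv2", "SSLv3", "TLSv1.0"}),
             frozenset({"SSL_CK_RC4_128_WITH_MD5", "TLS_RSA_WITH_AES_128_CBC_SHA"})),
    # Meets the TLS 1.2 floor but offers only the MTI suite (RSA key transport).
    Endpoint("mx2.example.net", 25, "sha256:B2", frozenset({"TLSv1.2"}),
             frozenset({"TLS_RSA_WITH_AES_128_CBC_SHA"})),
    # Submission host with PFS only.
    Endpoint("mx3.example.net", 587, "sha256:C3", frozenset({"TLSv1.2"}),
             frozenset({"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"})),
]


def audit(inventory: List[Endpoint]) -> Dict[str, object]:
    """Run the three checks and return one report dict."""
    violations: Dict[str, List[str]] = {}
    for ep in inventory:
        v = floor_violations(ep)
        if v:
            violations[ep.name()] = v
    return {
        "floor_violations": violations,
        "rsa_key_transport": sorted(e.name() for e in inventory if rsa_oracle_surface(e)),
        "cross_server": cross_server_exposures(inventory),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(audit(INVENTORY), indent=2))
```

In the constructed data mx1 passes the version floor cleanly yet is still reported under "cross_server", because legacy.example.net serves the same key over SSLv2; mx2 passes the floor and is reported only because the MTI suite it offers is RSA key transport. That is the gap between "TLS 1.2 or higher" and a rule that also excludes RSA key exchange that the thread is weighing.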
