[ogsa-wg] secure channel profile explanatory ciphersuite statements
Michel Drescher
Michel.Drescher at uk.fujitsu.com
Wed Oct 4 05:13:40 CDT 2006
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Dave, Andreas,
I think this is the right path we are heading.
David Snelling wrote:
> Andreas,
>
> I believe we should include some normative statements about cypher
> suites. I would suggest we pick one or possible two that are pretty
> universal and say the MUST be supported by the server side. Clients
> SHOULD use these. and both MAY us others, including ones not yet on
> the list.
I think this is overly restricted. While I agree that we should add a
core set of cipher suites that MUST be supported, using MAY for the rest
is too relaxing. I would have a SHOULD for them.
Regarding cipher suites defining no encryption. We should still allow
them as they serve important use cases, but we should not require
implementations to support them.
Regarding cipher suites that make use of weak methods. We should
disallow them as they claim protection they actually do not provide,
such as RSA export grade authentication, RC4 encryption, or MD2(?)
message hashing.
As a summary, we should add three sections to the profile and explain
where we sourced the list of cipher suites from (was it the IETF? TLS
specification?):
a) A section with cipher suites that MUST be supported (strongest
protection in all three aspects of a cipher suite)
b) A section with Cipher suites that MUST NOT be supported
c) A section stating that all the rest SHOULD be supported.
We also should think of adding an expiry date to the profile to enable
regular updates in case a security method is considered unsafe after the
publication date of the profile (for example, SHA-1 was considered safe
until very recently, but the discussions are still ongoing on this one).
Thoughts?
Cheers,
Michel
- --
Michel <dot> Drescher <at> uk <dot> fujitsu <dot> com
Fujitsu Laboratories of Europe
+44 20 8606 4834
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iD8DBQFFI4lSk0lMZTNKw4QRAtfmAJ9EbckQJTp+zHcrU8UPJkXwpHISFwCgxq3e
Or9OMLoGeMHPR9m/0lBx9Lw=
=P8eA
-----END PGP SIGNATURE-----
More information about the ogsa-wg
mailing list