Re: [Dime] RFC3588bis cipher suite question

jouni korhonen <jouni.nospam@gmail.com> Fri, 20 July 2012 13:11 UTC

Any comments/views on this?

- Jouni


On Jun 21, 2012, at 2:17 PM, jouni korhonen wrote:

> Folks,
> 
> In Section 13.1 we have the following text:
> 
>   Diameter nodes MUST be able to negotiate the following TLS/TCP and
>   DTLS/SCTP cipher suites:
> 
>         TLS_RSA_WITH_RC4_128_MD5
>         TLS_RSA_WITH_RC4_128_SHA
>         TLS_RSA_WITH_3DES_EDE_CBC_SHA
> 
>   Diameter nodes SHOULD be able to negotiate the following TLS/TCP and
>   DTLS/SCTP cipher suite:
> 
>         TLS_RSA_WITH_AES_128_CBC_SHA
> 
>   Note that that it is quite possible that support for the
>   TLS_RSA_WITH_AES_128_CBC_SHA ciphersuite will be REQUIRED at some
>   future date.  Diameter nodes MAY negotiate other TLS/TCP and DTLS/
>   SCTP cipher suites.
> 
> I know this is a bit late in the pipe but.. but RFC6347 (DTLS v1.2) has
> the following statement:
> 
>   The only stream cipher described in TLS 1.2 is RC4, which cannot be
>   randomly accessed.  RC4 MUST NOT be used with DTLS.
> 
> That does not go too well with the RFC3588bis MUST for RC4 stream ciphers.
> 
> Also RFC5246 states:
> 
>   In the absence of an application profile standard specifying
>   otherwise, a TLS-compliant application MUST implement the cipher
>   suite TLS_RSA_WITH_AES_128_CBC_SHA..
> 
> Can we understand that the current text in RFC3588bis serves as the
> profile and the SHOULD there is then OK from the RFC5246 point of
> view?
> 
> - Jouni
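
The conflict raised in this message, expressed as a check. This is an added example, not part of the original post or of any Diameter implementation; the function names `bulk_cipher`, `audit` and `dtls_usable` are hypothetical, and the requirement levels are the ones quoted above from Section 13.1.

```python
import re

# Requirement levels as quoted in the thread from RFC3588bis Section 13.1.
RFC3588BIS_PROFILE = {
    "TLS_RSA_WITH_RC4_128_MD5": "MUST",
    "TLS_RSA_WITH_RC4_128_SHA": "MUST",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA": "MUST",
    "TLS_RSA_WITH_AES_128_CBC_SHA": "SHOULD",
}

# Suite that RFC 5246 makes mandatory absent an application profile.
TLS12_MTI = "TLS_RSA_WITH_AES_128_CBC_SHA"

# TLS_<key exchange>_WITH_<bulk cipher>_<MAC/hash>
_SUITE_RE = re.compile(r"^TLS_(?P<kx>.+?)_WITH_(?P<cipher>.+)_(?P<mac>[A-Z0-9]+)$")


def bulk_cipher(suite):
    """Return the bulk-cipher part of a cipher suite name, e.g. 'RC4_128'."""
    m = _SUITE_RE.match(suite)
    if m is None:
        raise ValueError(f"unrecognised cipher suite name: {suite!r}")
    return m.group("cipher")


def dtls_usable(profile):
    """Suites from the profile that remain once RC4 is excluded for DTLS."""
    return [s for s in profile if not bulk_cipher(s).startswith("RC4")]


def audit(profile, transport):
    """Return (suite, finding) pairs for 'TLS/TCP' or 'DTLS/SCTP'."""
    findings = []
    for suite, level in profile.items():
        # RFC 6347: RC4 MUST NOT be used with DTLS.
        if transport == "DTLS/SCTP" and bulk_cipher(suite).startswith("RC4"):
            findings.append((suite, f"{level} here, but RFC 6347 forbids RC4 with DTLS"))
    if profile.get(TLS12_MTI) != "MUST":
        findings.append((TLS12_MTI, "below MUST; RFC 5246 requires it unless an "
                                    "application profile specifies otherwise"))
    return findings


if __name__ == "__main__":
    for transport in ("TLS/TCP", "DTLS/SCTP"):
        for suite, finding in audit(RFC3588BIS_PROFILE, transport):
            print(f"{transport}: {suite}: {finding}")
    print("usable over DTLS:", dtls_usable(RFC3588BIS_PROFILE))
```

With RC4 excluded, the only MUST-level suite left for DTLS/SCTP in the quoted text is TLS_RSA_WITH_3DES_EDE_CBC_SHA.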