[TLS] TLS abstract API (Re: The risk of misconfiguration)
Nico Williams <nico@cryptonector.com> Thu, 08 May 2014 01:33 UTC
Return-Path: <nico@cryptonector.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 688EC1A045E for <tls@ietfa.amsl.com>; Wed, 7 May 2014 18:33:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.044
X-Spam-Level:
X-Spam-Status: No, score=-1.044 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FM_FORGED_GMAIL=0.622, IP_NOT_FRIENDLY=0.334] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 702-RMz9sXs0 for <tls@ietfa.amsl.com>; Wed, 7 May 2014 18:33:38 -0700 (PDT)
Received: from homiemail-a16.g.dreamhost.com (sub4.mail.dreamhost.com [69.163.253.135]) by ietfa.amsl.com (Postfix) with ESMTP id A95F31A0455 for <tls@ietf.org>; Wed, 7 May 2014 18:33:38 -0700 (PDT)
Received: from homiemail-a16.g.dreamhost.com (localhost [127.0.0.1]) by homiemail-a16.g.dreamhost.com (Postfix) with ESMTP id 453AE508064 for <tls@ietf.org>; Wed, 7 May 2014 18:33:34 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=cryptonector.com; h= mime-version:date:message-id:subject:from:to:cc:content-type; s= cryptonector.com; bh=Kd58+i59XPfI7lxVevR26XYPrRU=; b=t0zDXVyNVmO tdT6V0gs5CyDWyvLeKpYRuL/QgD/pGyeIGJEWRr0JMf5NH4HYAmRxeZcaqzc0tGy 2/Oypp6CVNcLCo5Ibg4Pdj/lZbobYx0xcgskxB6F8FtCh3gbi2T1g09DX+9w/A2j 1V+cxogO+2tqo55vGH0GfNKVFtwo/ht8=
Received: from mail-we0-f169.google.com (mail-we0-f169.google.com [74.125.82.169]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) (Authenticated sender: nico@cryptonector.com) by homiemail-a16.g.dreamhost.com (Postfix) with ESMTPSA id EE521508072 for <tls@ietf.org>; Wed, 7 May 2014 18:33:33 -0700 (PDT)
Received: by mail-we0-f169.google.com with SMTP id u56so1845340wes.14 for <tls@ietf.org>; Wed, 07 May 2014 18:33:32 -0700 (PDT)
MIME-Version: 1.0
X-Received: by 10.180.211.116 with SMTP id nb20mr872120wic.5.1399512812779; Wed, 07 May 2014 18:33:32 -0700 (PDT)
Received: by 10.216.29.200 with HTTP; Wed, 7 May 2014 18:33:32 -0700 (PDT)
Date: Wed, 07 May 2014 20:33:32 -0500
Message-ID: <CAK3OfOiAP6fWPeVtbE0OB4bbgp+wOUMXPY0RuAfnZF2j=vBMZw@mail.gmail.com>
From: Nico Williams <nico@cryptonector.com>
To: Watson Ladd <watsonbladd@gmail.com>
Content-Type: text/plain; charset="UTF-8"
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/4FP54o0LRRSAmdfYFgstKyJGKVU
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: [TLS] TLS abstract API (Re: The risk of misconfiguration)
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 08 May 2014 01:33:39 -0000
On Wed, May 7, 2014 at 7:58 PM, Watson Ladd <watsonbladd@gmail.com> wrote: > On May 7, 2014 5:15 PM, "Viktor Dukhovni" <viktor1dane@dukhovni.org> wrote: >> The solution to avoid accidental use of NULL ciphers is in the >> client API, no client HELLO should ever include a mixture of NULL >> and non-NULL ciphers-suites. > > Why not make that a MUST in the RFC, and the same for anonymous DH? [...] No objection from me! HOWEVER, TLS is a protocol and does not come with a standard API, not even an abstract API. The most likely result will be a handful of requirements and recommendations for APIs, but nothing like an abstract API, or even a big picture. I've long been saying that lack of abstract APIs is a big problem for us. Protocols that lack APIs but would greatly benefit from having them: - IPsec (see Solaris' IP_SEC_OPT socket option) - PKIX (geez, PKIX naming is bloody painful; an API would help a lot) - TLS ('nuff said) - SASL (it has one, it's called Cyrus SASL, snark) - DNS[SEC] and many others. Not every protocol needs an API (e.g., SSHv2 doesn't, but then there are plenty of SSHv2 libraries now, so maybe it does). But TLS sure does need one. Nico --
- [TLS] TLS abstract API (Re: The risk of misconfig… Nico Williams