Re: [TLS] NULL cipher to become a MUST NOT in UTA BCP

Ralph Holz <holz@net.in.tum.de> Fri, 05 September 2014 15:10 UTC

Return-Path: <holz@net.in.tum.de>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2ABC61A071C for <tls@ietfa.amsl.com>; Fri, 5 Sep 2014 08:10:53 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.55
X-Spam-Level:
X-Spam-Status: No, score=-1.55 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HELO_EQ_DE=0.35] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RnJrTtVWjA1p for <tls@ietfa.amsl.com>; Fri, 5 Sep 2014 08:10:51 -0700 (PDT)
Received: from smtp.serverkommune.de (serverkommune.de [176.9.61.43]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 53AB01A0713 for <tls@ietf.org>; Fri, 5 Sep 2014 08:10:51 -0700 (PDT)
Received: by smtp.serverkommune.de (Postfix, from userid 5001) id 77A6C80390; Fri, 5 Sep 2014 17:10:49 +0200 (CEST)
Received: from [131.159.20.131] (ex6.serverkommune.de [176.9.61.43]) (using TLSv1 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by smtp.serverkommune.de (Postfix) with ESMTPSA id 9ADDC801FE for <tls@ietf.org>; Fri, 5 Sep 2014 17:10:48 +0200 (CEST)
Message-ID: <5409D278.5020504@net.in.tum.de>
Date: Fri, 05 Sep 2014 17:10:48 +0200
From: Ralph Holz <holz@net.in.tum.de>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.1.0
MIME-Version: 1.0
To: tls@ietf.org
References: <54048985.1020005@net.in.tum.de> <20140902152308.GB14392@mournblade.imrryr.org> <5409C149.1090402@polarssl.org> <20140905141821.GA8893@LK-Perkele-VII> <D7368EBF-F1D6-4A5A-AC68-85E9219BE65A@ll.mit.edu>
In-Reply-To: <D7368EBF-F1D6-4A5A-AC68-85E9219BE65A@ll.mit.edu>
Content-Type: text/plain; charset="windows-1252"
Content-Transfer-Encoding: 8bit
X-Virus-Scanned: clamav-milter 0.98.1 at ex6
X-Virus-Status: Clean
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/BfMwFBr2Zld61h223D1nsyYIMWU
Subject: Re: [TLS] NULL cipher to become a MUST NOT in UTA BCP
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 05 Sep 2014 15:10:53 -0000

Hi,

>>> What is much more reasonable is that initiators (clients) should 
>>> refuse to negotiate (should suppress any configured) NULL cipher 
>>> suites when any non NULL cipher suite is enabled.  This prevents 
>>> accidents, without breaking carefully considered NULL to NULL 
>>> deployments.
>>> 
>>> It leaves room for dual-purpose servers.
>> 
>> I am opposed to such a definition - I think it would a) be too hard
>> to describe the rationale and why it should apply b) lead to
>> insecure configurations because there is Yet Another Cornercase We
>> Didn't Think Of and c) is better caught with a refined purpose
>> statement/statement of applicability.

[...]

> As for “too hard to describe” - you don’t need to dive into rationale
> of “why the user may want to apply this protection, or disable that
> one”. Just clearly state in layman’s terms what a given protection -
> and its lack - would result in. Then there would be no corner cases.

I think such a description can be added as half a section/page. Would
you be willing to contribute it?

Ralph

-- 
Ralph Holz
I8 - Network Architectures and Services
Technische Universität München
http://www.net.in.tum.de/de/mitarbeiter/holz/
Phone +49.89.289.18043
PGP: A805 D19C E23E 6BBB E0C4  86DC 520E 0C83 69B0 03EF