Re: [TLS] NULL cipher to become a MUST NOT in UTA BCP
Ralph Holz <holz@net.in.tum.de> Fri, 05 September 2014 15:10 UTC
Return-Path: <holz@net.in.tum.de>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2ABC61A071C for <tls@ietfa.amsl.com>; Fri, 5 Sep 2014 08:10:53 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.55
X-Spam-Level:
X-Spam-Status: No, score=-1.55 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HELO_EQ_DE=0.35] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RnJrTtVWjA1p for <tls@ietfa.amsl.com>; Fri, 5 Sep 2014 08:10:51 -0700 (PDT)
Received: from smtp.serverkommune.de (serverkommune.de [176.9.61.43]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 53AB01A0713 for <tls@ietf.org>; Fri, 5 Sep 2014 08:10:51 -0700 (PDT)
Received: by smtp.serverkommune.de (Postfix, from userid 5001) id 77A6C80390; Fri, 5 Sep 2014 17:10:49 +0200 (CEST)
Received: from [131.159.20.131] (ex6.serverkommune.de [176.9.61.43]) (using TLSv1 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by smtp.serverkommune.de (Postfix) with ESMTPSA id 9ADDC801FE for <tls@ietf.org>; Fri, 5 Sep 2014 17:10:48 +0200 (CEST)
Message-ID: <5409D278.5020504@net.in.tum.de>
Date: Fri, 05 Sep 2014 17:10:48 +0200
From: Ralph Holz <holz@net.in.tum.de>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.1.0
MIME-Version: 1.0
To: tls@ietf.org
References: <54048985.1020005@net.in.tum.de> <20140902152308.GB14392@mournblade.imrryr.org> <5409C149.1090402@polarssl.org> <20140905141821.GA8893@LK-Perkele-VII> <D7368EBF-F1D6-4A5A-AC68-85E9219BE65A@ll.mit.edu>
In-Reply-To: <D7368EBF-F1D6-4A5A-AC68-85E9219BE65A@ll.mit.edu>
Content-Type: text/plain; charset="windows-1252"
Content-Transfer-Encoding: 8bit
X-Virus-Scanned: clamav-milter 0.98.1 at ex6
X-Virus-Status: Clean
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/BfMwFBr2Zld61h223D1nsyYIMWU
Subject: Re: [TLS] NULL cipher to become a MUST NOT in UTA BCP
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 05 Sep 2014 15:10:53 -0000
Hi, >>> What is much more reasonable is that initiators (clients) should >>> refuse to negotiate (should suppress any configured) NULL cipher >>> suites when any non NULL cipher suite is enabled. This prevents >>> accidents, without breaking carefully considered NULL to NULL >>> deployments. >>> >>> It leaves room for dual-purpose servers. >> >> I am opposed to such a definition - I think it would a) be too hard >> to describe the rationale and why it should apply b) lead to >> insecure configurations because there is Yet Another Cornercase We >> Didn't Think Of and c) is better caught with a refined purpose >> statement/statement of applicability. [...] > As for “too hard to describe” - you don’t need to dive into rationale > of “why the user may want to apply this protection, or disable that > one”. Just clearly state in layman’s terms what a given protection - > and its lack - would result in. Then there would be no corner cases. I think such a description can be added as half a section/page. Would you be willing to contribute it? Ralph -- Ralph Holz I8 - Network Architectures and Services Technische Universität München http://www.net.in.tum.de/de/mitarbeiter/holz/ Phone +49.89.289.18043 PGP: A805 D19C E23E 6BBB E0C4 86DC 520E 0C83 69B0 03EF
- [TLS] NULL cipher to become a MUST NOT in UTA BCP Ralph Holz
- Re: [TLS] NULL cipher to become a MUST NOT in UTA… Blumenthal, Uri - 0558 - MITLL
- Re: [TLS] NULL cipher to become a MUST NOT in UTA… Viktor Dukhovni
- Re: [TLS] NULL cipher to become a MUST NOT in UTA… Paul Hoffman
- Re: [TLS] NULL cipher to become a MUST NOT in UTA… Salz, Rich
- Re: [TLS] NULL cipher to become a MUST NOT in UTA… Viktor Dukhovni
- Re: [TLS] NULL cipher to become a MUST NOT in UTA… Blumenthal, Uri - 0558 - MITLL
- Re: [TLS] NULL cipher to become a MUST NOT in UTA… Ralph Holz
- Re: [TLS] NULL cipher to become a MUST NOT in UTA… Ralph Holz
- Re: [TLS] NULL cipher to become a MUST NOT in UTA… Viktor Dukhovni
- Re: [TLS] NULL cipher to become a MUST NOT in UTA… Viktor Dukhovni
- Re: [TLS] NULL cipher to become a MUST NOT in UTA… Paul Lambert
- Re: [TLS] NULL cipher to become a MUST NOT in UTA… Bodo Moeller
- Re: [TLS] NULL cipher to become a MUST NOT in UTA… Blumenthal, Uri - 0558 - MITLL
- Re: [TLS] NULL cipher to become a MUST NOT in UTA… Nico Williams
- Re: [TLS] NULL cipher to become a MUST NOT in UTA… Nikos Mavrogiannopoulos
- Re: [TLS] NULL cipher to become a MUST NOT in UTA… Yutaka OIWA
- Re: [TLS] NULL cipher to become a MUST NOT in UTA… Blumenthal, Uri - 0558 - MITLL
- Re: [TLS] NULL cipher to become a MUST NOT in UTA… Ralph Holz
- Re: [TLS] NULL cipher to become a MUST NOT in UTA… Viktor Dukhovni
- Re: [TLS] NULL cipher to become a MUST NOT in UTA… Ralph Holz
- Re: [TLS] NULL cipher to become a MUST NOT in UTA… Blumenthal, Uri - 0668 - MITLL
- Re: [TLS] NULL cipher to become a MUST NOT in UTA… Viktor Dukhovni
- Re: [TLS] NULL cipher to become a MUST NOT in UTA… Geoffrey Keating
- Re: [TLS] NULL cipher to become a MUST NOT in UTA… Blumenthal, Uri - 0668 - MITLL
- Re: [TLS] NULL cipher to become a MUST NOT in UTA… Ralph Holz
- Re: [TLS] NULL cipher to become a MUST NOT in UTA… Ralph Holz
- Re: [TLS] NULL cipher to become a MUST NOT in UTA… Nico Williams
- Re: [TLS] NULL cipher to become a MUST NOT in UTA… Ralph Holz
- Re: [TLS] NULL cipher to become a MUST NOT in UTA… Nico Williams
- Re: [TLS] NULL cipher to become a MUST NOT in UTA… Ralph Holz
- Re: [TLS] NULL cipher to become a MUST NOT in UTA… Nico Williams
- Re: [TLS] NULL cipher to become a MUST NOT in UTA… Ralph Holz
- Re: [TLS] NULL cipher to become a MUST NOT in UTA… Blumenthal, Uri - 0668 - MITLL
- Re: [TLS] NULL cipher to become a MUST NOT in UTA… Ralph Holz
- Re: [TLS] NULL cipher to become a MUST NOT in UTA… Blumenthal, Uri - 0558 - MITLL
- Re: [TLS] NULL cipher to become a MUST NOT in UTA… Yutaka OIWA
- [TLS] uta-tls-bcp-02 thoughts (was: NULL cipher t… Viktor Dukhovni
- Re: [TLS] NULL cipher to become a MUST NOT in UTA… Bodo Moeller
- Re: [TLS] NULL cipher to become a MUST NOT in UTA… Yutaka OIWA
- Re: [TLS] NULL cipher to become a MUST NOT in UTA… Nico Williams
- Re: [TLS] NULL cipher to become a MUST NOT in UTA… Blumenthal, Uri - 0558 - MITLL
- Re: [TLS] uta-tls-bcp-02 thoughts (was: NULL ciph… Blumenthal, Uri - 0558 - MITLL
- Re: [TLS] uta-tls-bcp-02 thoughts (was: NULL ciph… Nico Williams
- Re: [TLS] uta-tls-bcp-02 thoughts (was: NULL ciph… Blumenthal, Uri - 0558 - MITLL
- Re: [TLS] uta-tls-bcp-02 thoughts Ralph Holz
- Re: [TLS] uta-tls-bcp-02 thoughts Blumenthal, Uri - 0558 - MITLL
- Re: [TLS] uta-tls-bcp-02 thoughts Ralph Holz
- Re: [TLS] uta-tls-bcp-02 thoughts (was: NULL ciph… Barry Leiba
- Re: [TLS] NULL cipher to become a MUST NOT in UTA… Bill Frantz
- Re: [TLS] NULL cipher to become a MUST NOT in UTA… Daniel Kahn Gillmor
- Re: [TLS] NULL cipher to become a MUST NOT in UTA… Bodo Moeller
- Re: [TLS] NULL cipher to become a MUST NOT in UTA… Ralph Holz
- Re: [TLS] NULL cipher to become a MUST NOT in UTA… Manuel Pégourié-Gonnard
- Re: [TLS] NULL cipher to become a MUST NOT in UTA… Viktor Dukhovni
- Re: [TLS] NULL cipher to become a MUST NOT in UTA… Manuel Pégourié-Gonnard
- Re: [TLS] NULL cipher to become a MUST NOT in UTA… Ralph Holz
- Re: [TLS] NULL cipher to become a MUST NOT in UTA… Ilari Liusvaara
- Re: [TLS] NULL cipher to become a MUST NOT in UTA… Nico Williams
- Re: [TLS] NULL cipher to become a MUST NOT in UTA… Blumenthal, Uri - 0668 - MITLL
- Re: [TLS] NULL cipher to become a MUST NOT in UTA… Ralph Holz
- Re: [TLS] NULL cipher to become a MUST NOT in UTA… Bodo Moeller
- Re: [TLS] NULL cipher to become a MUST NOT in UTA… Viktor Dukhovni