Re: [TLS] Deployment ... Re: This working group has failed

Joshua Davies <joshua.davies.tx@gmail.com> Mon, 18 November 2013 22:40 UTC

In-Reply-To: <20131118223140.04D361AAB0@ld9781.wdf.sap.corp>
References: <20131118223140.04D361AAB0@ld9781.wdf.sap.corp>
Date: Mon, 18 Nov 2013 16:40:03 -0600
Message-ID: <CADwpFrA2cOHupieYN38onBQNNXvjeh0hg0hZgsMcLd-jBrFP_Q@mail.gmail.com>
From: Joshua Davies <joshua.davies.tx@gmail.com>
To: mrex@sap.com
Content-Type: multipart/alternative; boundary="047d7b33cd749c31dd04eb7b3a29"
Cc: Michael Staubermann <Michael.Staubermann@webolution.de>, tls@ietf.org
Subject: Re: [TLS] Deployment ... Re: This working group has failed
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 18 Nov 2013 22:40:11 -0000

> You are aware that TLSv1.2 (rfc5246 alone) is weaker than TLSv1.1(rfc4346)?

Really?  How so?  The only major difference (besides the new cipher suites
and modes and such) between TLS 1.1 and TLS 1.2 is the PRF - are you saying
that the TLS 1.1 PRF is stronger than SHA 256?  Has this been proven or is
that just conjecture?


On Mon, Nov 18, 2013 at 4:31 PM, Martin Rex <mrex@sap.com> wrote:

> Michael Staubermann wrote:
> > Martin Rex wrote:
> >
> > > Unfortunately, I've seen a new (government mandated) Web Service usage
> > > scenario deployed in 2013 where the hardware SSL/TLS accelerator that is
> > > being used is TLS version intolerant to TLSv1.1 and TLSv1.2.
> >
> > On the other hand we have the (government mandated) requirement to use
> > TLS 1.2 for governmental institutions:
> >
> > https://www.bsi.bund.de/DE/Presse/Kurzmitteilungen/Kurzmit2013/Mindeststandard_TLS_1_2_Web-Seiten_des_BSI_13112013.html
>
> That is a misunderstanding.
>
> This statement by the German BSI is a mere recommendation,
> it is _not_ mandatory to use TLSv1.2.
>
> You are aware that TLSv1.2 (rfc5246 alone) is weaker than TLSv1.1(rfc4346)?
>
>
> The Web Service of the Portugal fiscal authority that businesses have
> to submit certain data through a WebService _is_ mandatory.
>
> -Martin
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls
>