IETF Logo Mail Archive

Re: [TLS] TLS Provfiles (Was: Call for consensus to remove anonymous DH)

Peter Gutmann <pgut001@cs.auckland.ac.nz> Wed, 16 September 2015 11:19 UTC

Return-Path: <pgut001@cs.auckland.ac.nz>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D0F2C1A8999 for <tls@ietfa.amsl.com>; Wed, 16 Sep 2015 04:19:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.071
X-Spam-Level:
X-Spam-Status: No, score=0.071 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FRT_PROFILE2=1.981, T_RP_MATCHES_RCVD=-0.01] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JxpBh8S8F0Ur for <tls@ietfa.amsl.com>; Wed, 16 Sep 2015 04:18:59 -0700 (PDT)
Received: from mx4.auckland.ac.nz (mx4.auckland.ac.nz [130.216.125.248]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 750E51A897E for <tls@ietf.org>; Wed, 16 Sep 2015 04:18:59 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=auckland.ac.nz; i=@auckland.ac.nz; q=dns/txt; s=mail; t=1442402339; x=1473938339; h=from:to:cc:subject:date:message-id:references: in-reply-to:content-transfer-encoding:mime-version; bh=jPgcWKMCQqcTvFx+o3k/cV7YiLUyo2VY0nJK45iqJ5M=; b=jBjf1beERzlt22ffUmbd7/eUWNduwM9TjeKQoMjLVVKadbBFYAR5QxfI o1LvfeFNZfOWJiK5sXNJMUu/XXCo6CiG1MAHsUPbsCC72CgPu6bzijzHN rPsZJKnXsBM6DGdprSPBOSRin2kA0gx+nMUsdOxjEm7eBPcA9yGtgRTm9 c/KJlyZ5r+Ygnnhck9BCWpILGgTAw6JKYOPQUGVNSZq8pCmNknH9evIkr W7THOucK5PuSodsZByUdODmjUpE5bEqGp6sN17EFdKD3Zwk6LcXJVlokw nFGYy1Fnwbz4obtJWR8Wmb4Hz8Hwc/JCA5zhwQIxCG+woZBw/ZgYMtX7R g==;
X-IronPort-AV: E=Sophos;i="5.17,538,1437393600"; d="scan'208";a="41934239"
X-Ironport-HAT: MAIL-SERVERS - $RELAYED
X-Ironport-Source: 130.216.4.125 - Outgoing - Outgoing
Received: from exchangemx.uoa.auckland.ac.nz (HELO uxchange10-fe3.UoA.auckland.ac.nz) ([130.216.4.125]) by mx4-int.auckland.ac.nz with ESMTP/TLS/AES128-SHA; 16 Sep 2015 23:18:57 +1200
Received: from UXCN10-TDC05.UoA.auckland.ac.nz ([169.254.9.47]) by uxchange10-fe3.UoA.auckland.ac.nz ([169.254.143.234]) with mapi id 14.03.0174.001; Wed, 16 Sep 2015 23:18:57 +1200
From: Peter Gutmann <pgut001@cs.auckland.ac.nz>
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>, "noloader@gmail.com" <noloader@gmail.com>, Tony Arcieri <bascule@gmail.com>
Thread-Topic: [TLS] TLS Provfiles (Was: Call for consensus to remove anonymous DH)
Thread-Index: AQHQ8FFq13KcVZ89fEGkcyYs2GLTPZ4+0CRR//8+EACAAPO8Yw==
Date: Wed, 16 Sep 2015 11:18:56 +0000
Message-ID: <9A043F3CF02CD34C8E74AC1594475C73F4B0723C@uxcn10-tdc05.UoA.auckland.ac.nz>
References: <CAH8yC8=eHzQPL6cROVK4Pm0V2FSYTL7C7csLG7p49W5LEmfo=Q@mail.gmail.com> <9A043F3CF02CD34C8E74AC1594475C73F4B070E6@uxcn10-tdc05.UoA.auckland.ac.nz>, <55F92C1A.9060703@cs.tcd.ie>
In-Reply-To: <55F92C1A.9060703@cs.tcd.ie>
Accept-Language: en-NZ, en-GB, en-US
Content-Language: en-NZ
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [130.216.158.4]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/F_BEWbWcdvk8t5HQF_5vornOH4w>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] TLS Provfiles (Was: Call for consensus to remove anonymous DH)
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 16 Sep 2015 11:19:02 -0000

Stephen Farrell <stephen.farrell@cs.tcd.ie> writes:

>We have BCP195 [1] that aims for the "general" case (for up to TLS1.2) and a
>draft [2] (current in IESG evaluation) for the embedded case. Are those the
>kind of thing you're after?

Sort of, but since they're not part of the TLS spec they essentially don't
exist (I've never seen then quoted, cited, or referenced in any third-party
standard that deals with TLS).

Another problem is that they're defined as a large collection of (often rather
waffly) "don't do this" comments, so as a somewhat wooly blacklist rather than
a clear whitelist.  So the BCPs aren't really a profile but more like 20-30
pages of hand-wringing.

An actual profile of TLS would be something like MUST TLS 1.1 or above, MUST
PFS suites, MUST AES and SHA256, MUST E-then-M (and by implication what isn't
explicitly permitted is denied).

Peter.

v2.23.0 | Report a Bug | By Email