From: "Blumenthal, Uri - 0553 - MITLL" <uri@ll.mit.edu>
To: Peter Gutmann <pgut001@cs.auckland.ac.nz>, "noloader@gmail.com"
 <noloader@gmail.com>, Tony Arcieri <bascule@gmail.com>
Date: Thu, 17 Sep 2015 16:28:01 +0000
Message-ID: <D2206211.1F1C4%uri@ll.mit.edu>
References: <CAH8yC8=eHzQPL6cROVK4Pm0V2FSYTL7C7csLG7p49W5LEmfo=Q@mail.gmail.com>
 <9A043F3CF02CD34C8E74AC1594475C73F4B070E6@uxcn10-tdc05.UoA.auckland.ac.nz>
In-Reply-To: <9A043F3CF02CD34C8E74AC1594475C73F4B070E6@uxcn10-tdc05.UoA.auckland.ac.nz>
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/Gx-XfaXZ9ayOEalIxXffLgH6OQA>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] TLS Provfiles (Was: Call for consensus to remove
 anonymous DH)
List-Id: "This is the mailing list for the Transport Layer Security working
 group of the IETF." <tls.ietf.org>


On 9/16/15, 4:19, "TLS on behalf of Peter Gutmann" <tls-bounces@ietf.org
on behalf of pgut001@cs.auckland.ac.nz> wrote:

>Jeffrey Walton <noloader@gmail.com> writes:
>>Somewhat off-topic, why does TLS not produce a few profiles. One can be
>>"Opportunistic TLS Profile" with a compatible security posture and include
>>ADH. Another can be a "Standard TLS Profile" and include things like export
>>grade crypto, weak and wounded ciphers, SSLv3, etc. Finally, there can be a
>>"TLS Defensive profile" where you get mostly the strong protocols and
>>ciphers, HTTPS Pinning Overrides are not allowed so the adversary cannot
>>break the secure channel by tricking a user, etc.
>
>+1.  At the moment you're stuck with everything-all-the-time (or alternatively
>one-size-misfits-all) where you have to support every single mechanism and
>quirk and add-on, when all you want most of the time is to set up a basic
>secure tunnel from A to B.  Having profiles would be a great help, so all the
>other standards groups that build on TLS can refer to, say, the embedded-
>device profile or the PFS-with-PSK profile rather than having to hack around
>the standard themselves.

+2. I think this is necessary, *and* falls (or should fall) under the TLS
WG prerogative. 
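The three profiles sketched in the quoted message (opportunistic with ADH, standard with export-grade and legacy ciphers, defensive with strong suites only and no pin overrides), written out as a policy that can be checked against what a connection actually negotiated. This is an added example and not code from the thread, the IETF or any TLS implementation: the profile names, the rule values assigned to each profile, the classify_suite and check functions, and the sample negotiated parameters are all assumptions constructed here from the prose descriptions above.

```python
"""TLS profiles as checkable policy.

Added example, not code from the thread or from any TLS library. The profile
names, the rules assigned to each profile, and the sample connections below
are assumptions built from the profile descriptions in the quoted message.
"""
from __future__ import annotations

from dataclasses import dataclass

# Protocol versions in order of strength, as named in the IANA registry.
VERSIONS = ("SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3")


@dataclass(frozen=True)
class SuiteProps:
    """Security-relevant properties derived from an IANA cipher suite name."""
    name: str
    anonymous: bool       # DH_anon / ECDH_anon: no server authentication
    ephemeral: bool       # DHE / ECDHE / anonymous DH, or any TLS 1.3 suite
    export_grade: bool    # 40/56-bit "EXPORT" suites
    legacy_cipher: bool   # NULL, RC2, RC4, DES, 3DES bulk ciphers


def classify_suite(name: str) -> SuiteProps:
    """Parse names like TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA into properties."""
    if not name.startswith("TLS_"):
        raise ValueError(f"not an IANA cipher suite name: {name}")
    body = name[len("TLS_"):]
    if "_WITH_" not in body:
        # TLS 1.3 suites (TLS_AES_128_GCM_SHA256) carry no key-exchange part;
        # every TLS 1.3 handshake is authenticated and uses ephemeral keys.
        return SuiteProps(name, False, True, False, False)
    kx, cipher = body.split("_WITH_", 1)
    anonymous = "_anon" in kx
    ephemeral = anonymous or kx.startswith(("DHE_", "ECDHE_"))
    export_grade = "EXPORT" in kx
    legacy = cipher.startswith(("NULL", "RC2", "RC4", "DES", "3DES"))
    return SuiteProps(name, anonymous, ephemeral, export_grade, legacy)


@dataclass(frozen=True)
class Profile:
    name: str
    min_version: str
    allow_anonymous: bool
    allow_export: bool
    allow_legacy_ciphers: bool
    require_ephemeral: bool
    allow_pin_override: bool  # may a user click through a pin/cert failure?


# Assumed rule values; the thread only sketches these profiles in prose.
OPPORTUNISTIC = Profile("opportunistic", "TLSv1", True, False, True, False, True)
STANDARD = Profile("standard", "SSLv3", False, True, True, False, True)
DEFENSIVE = Profile("defensive", "TLSv1.2", False, False, False, True, False)


@dataclass(frozen=True)
class Negotiated:
    """What a connection actually ended up with (constructed sample data)."""
    version: str
    suite: str
    pin_overridden: bool = False


def check(profile: Profile, conn: Negotiated) -> list[str]:
    """Return the profile rules the connection violates (empty list = OK)."""
    violations: list[str] = []
    if VERSIONS.index(conn.version) < VERSIONS.index(profile.min_version):
        violations.append(f"{conn.version} is below profile minimum {profile.min_version}")
    props = classify_suite(conn.suite)
    if props.anonymous and not profile.allow_anonymous:
        violations.append("anonymous key exchange not allowed")
    if props.export_grade and not profile.allow_export:
        violations.append("export-grade suite not allowed")
    if props.legacy_cipher and not profile.allow_legacy_ciphers:
        violations.append("legacy bulk cipher not allowed")
    if profile.require_ephemeral and not props.ephemeral:
        violations.append("ephemeral (forward-secret) key exchange required")
    if conn.pin_overridden and not profile.allow_pin_override:
        violations.append("pin override not allowed")
    return violations


if __name__ == "__main__":
    # Constructed sample connections, one per kind of weakness discussed.
    samples = [
        Negotiated("TLSv1.2", "TLS_DH_anon_WITH_AES_128_CBC_SHA"),
        Negotiated("SSLv3", "TLS_RSA_EXPORT_WITH_RC4_40_MD5"),
        Negotiated("TLSv1.2", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", pin_overridden=True),
        Negotiated("TLSv1.3", "TLS_AES_256_GCM_SHA384"),
    ]
    for profile in (OPPORTUNISTIC, STANDARD, DEFENSIVE):
        for conn in samples:
            print(profile.name, conn.version, conn.suite, check(profile, conn) or "OK")
```

The same anonymous-DH connection passes the opportunistic profile and fails the defensive one, which is the whole point of a profile: the answer to "is this suite acceptable" depends on which posture the application asked for, not on the suite alone. The pin-override rule is separate from the cipher suite because it is a client-behaviour decision, not something the handshake itself exposes.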


