Re: [TLS] TLS Provfiles (Was: Call for consensus to remove anonymous DH)
Nico Williams <nico@cryptonector.com> Wed, 16 September 2015 23:00 UTC
Date: Wed, 16 Sep 2015 18:00:25 -0500
From: Nico Williams <nico@cryptonector.com>
To: Dave Garrett <davemgarrett@gmail.com>
Message-ID: <20150916230024.GS13294@localhost>
References: <CAH8yC8=eHzQPL6cROVK4Pm0V2FSYTL7C7csLG7p49W5LEmfo=Q@mail.gmail.com> <201509161503.54756.davemgarrett@gmail.com> <20150916213827.GC21942@mournblade.imrryr.org> <201509161837.21743.davemgarrett@gmail.com>
In-Reply-To: <201509161837.21743.davemgarrett@gmail.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/QwI0DrE0j6b3feprrGK3jMsatgA>
Cc: tls@ietf.org
On Wed, Sep 16, 2015 at 06:37:21PM -0400, Dave Garrett wrote:
> On Wednesday, September 16, 2015 05:38:27 pm Viktor Dukhovni wrote:
> > On Wed, Sep 16, 2015 at 03:03:54PM -0400, Dave Garrett wrote:
> > > The suggestion that started this thread was to have a "Standard TLS Profile"
> > > that actually allowed EXPORT ciphers & SSL3. So yeah, this proposal feels
> > > like a suggestion to keep allowance of obsolete junk as the norm with
> > > "defensive" as a separate option, because that's what it specifically
> > > says.
> >
> > Object to such a profile, and rather than the idea of profiles.
> > There is no need for the TLS WG to define any profiles that include
> > SSL3 or EXPORT ciphers.
>
> That's a fair point, but I don't see the need for a profile once that
> stuff is not allowed anywhere. I could accept the notion of a TLS

<mentally splice in long and never-ending debate about opportunistic use of weaker ciphers, so that we don't have to physically splice it in here>

> strict mode, where it's TLS 1.2 + PFS + AEAD + no
> SHA1/DSA/SSL2HELLO/etc. only, but that's not really a "profile" so
> much as one paragraph that could be added. Application profiles are
> already a thing, so I don't see why we also need a new mechanism here.

It's a profile. Call it what you will. The rest of us call this a
profile. All the more so when profiles are named in an IANA registry.
Applications can then very trivially select an appropriate TLS profile
using standard profile naming.

> Let me put it this way, I see no way for the WG to reasonably agree on
> this without a proposed _set_ of profiles to go with it that we all
> could also live with. Just the vague notion of more profiles in
> abstract isn't sounding great on its own.

We've certainly had a few proposed profiles over time. Your estimation
of what the WG would or would not agree to is not as interesting as,
you know, actually attempting to get consensus.

Nico
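The "strict mode" described in the quoted text (TLS 1.2 minimum, PFS, AEAD, no SHA-1/DSA, no SSLv2-style hello) pinned down as one concrete profile plus a checker that audits what a context actually enables, as an added example that is not part of this thread or of any WG draft; the cipher string, rule names and the use of Python's ssl module are my assumptions about how to encode that profile, and the checker also accepts TLS 1.3 suites, which are always ephemeral-DH and AEAD.

```python
import ssl

# Assumed encoding of the strict profile as an OpenSSL cipher string: (EC)DHE
# key exchange only (forward secrecy), AEAD bulk ciphers only, no DSA
# authentication, no SHA-1 or MD5 MACs.
STRICT_CIPHERS = ("ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:DHE+CHACHA20:"
                  "!aNULL:!DSS:!SHA1:!MD5")

# Key-exchange identifiers (as reported by SSLContext.get_ciphers()) that give
# forward secrecy: ephemeral (EC)DH, with or without a PSK.
PFS_KEX = {"kx-ecdhe", "kx-dhe", "kx-ecdhe-psk", "kx-dhe-psk"}


def strict_context(purpose=ssl.Purpose.SERVER_AUTH):
    """Build an SSLContext pinned to the strict profile."""
    ctx = ssl.create_default_context(purpose)
    # Version floor: SSLv2/SSLv3/TLS 1.0/1.1 are never negotiated, so neither
    # is an SSLv2-format ClientHello.
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(STRICT_CIPHERS)
    return ctx


def suite_violations(suite):
    """Return the profile rules one cipher-suite dict (shape of the entries
    returned by SSLContext.get_ciphers()) breaks; empty list means compliant."""
    problems = []
    if suite["protocol"] == "TLSv1.3":
        return problems  # every TLS 1.3 suite is ephemeral-DH + AEAD by design
    if (suite.get("kea") or "").lower() not in PFS_KEX:
        problems.append("no forward secrecy")
    if not suite.get("aead"):
        problems.append("not AEAD")
    if (suite.get("auth") or "").lower() == "auth-dss":
        problems.append("DSA authentication")
    if (suite.get("digest") or "").lower() in ("sha1", "md5"):
        problems.append("weak MAC digest")
    return problems


def violations(ctx):
    """Map each enabled non-compliant suite name to the rules it breaks."""
    return {s["name"]: suite_violations(s)
            for s in ctx.get_ciphers() if suite_violations(s)}


if __name__ == "__main__":
    ctx = strict_context()
    print("minimum version:", ctx.minimum_version)
    print("violations:", violations(ctx) or "none")
```

Running `violations()` against a context built with a looser cipher string (for example a legacy RSA-key-exchange CBC suite) names each suite and the rules it breaks, which is the audit an application would do before claiming to run the profile.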