Re: [TLS] NULL cipher to become a MUST NOT in UTA BCP

Ralph Holz <holz@net.in.tum.de> Wed, 03 September 2014 20:16 UTC

Return-Path: <holz@net.in.tum.de>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 519FA1A6EFC for <tls@ietfa.amsl.com>; Wed, 3 Sep 2014 13:16:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.55
X-Spam-Level:
X-Spam-Status: No, score=-1.55 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HELO_EQ_DE=0.35] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id r_yhMBsa4gKm for <tls@ietfa.amsl.com>; Wed, 3 Sep 2014 13:16:28 -0700 (PDT)
Received: from smtp.serverkommune.de (serverkommune.de [176.9.61.43]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1F05B1A6FB3 for <tls@ietf.org>; Wed, 3 Sep 2014 13:15:59 -0700 (PDT)
Received: by smtp.serverkommune.de (Postfix, from userid 5001) id 82D028063F; Wed, 3 Sep 2014 22:15:57 +0200 (CEST)
Received: from [192.168.178.34] (ex6.serverkommune.de [176.9.61.43]) (using TLSv1 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by smtp.serverkommune.de (Postfix) with ESMTPSA id D5B77801A6; Wed, 3 Sep 2014 22:15:56 +0200 (CEST)
Message-ID: <540776FC.7030409@net.in.tum.de>
Date: Wed, 03 Sep 2014 22:15:56 +0200
From: Ralph Holz <holz@net.in.tum.de>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.1.0
MIME-Version: 1.0
To: Nico Williams <nico@cryptonector.com>
References: <54048985.1020005@net.in.tum.de> <CAMeZVwtQ09B6Ero2C=75m5JdAYnEAENNcESd_gg_Ro2UhA9dyA@mail.gmail.com> <3EB754B7-F6B2-4207-A2F0-E61F32EE1E40@ll.mit.edu> <54075016.6040406@net.in.tum.de> <20140903174958.GF14392@mournblade.imrryr.org> <5407574B.5060708@net.in.tum.de> <9120B6EE-F023-4724-9116-A169993F58E8@ll.mit.edu> <14f6960e-e625-4252-ad7d-2bf8295f71fc@email.android.com> <9D33A9AF-5613-49DD-B024-DD5CDA49CFC9@ll.mit.edu> <540770DF.105@net.in.tum.de> <CAK3OfOgY8vX-_CwDqKcEYq5v+OHG-FfD7tcYv4dXC6JrZJq+yQ@mail.gmail.com>
In-Reply-To: <CAK3OfOgY8vX-_CwDqKcEYq5v+OHG-FfD7tcYv4dXC6JrZJq+yQ@mail.gmail.com>
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
X-Virus-Scanned: clamav-milter 0.98.1 at ex6
X-Virus-Status: Clean
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/RaIPMHwaxgIpjeVGe8S0SF-O8vA
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] NULL cipher to become a MUST NOT in UTA BCP
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 03 Sep 2014 20:16:30 -0000

Hi Nico,

> Ralph,
> 
> Uri is quite right.  You really should read RFC2119.  Here's the money quote:
> 
> 2. MUST NOT   This phrase, or the phrase "SHALL NOT", mean that the
>    definition is an absolute prohibition of the specification.
> 
> There is absolutely no hedging there.  There is no more evidence to
> post, really.  What more could you need?  "absolute prohibition" is as
> clear as it gets.

Yes, I understand that, and apologies if that came out wrong. But the
meaning of MUST NOT is not what I asked for - rather, the difference
between "deployment" and "implementation". The reworded version in the
BCP would say that "deployments" MUST NOT negotiate the cipher. E.g.,
the cipher string in your Apache must not contain NULL.

The note following it then clarifies that the actual code (e.g. in the
openssl library) is free to contain the cipher.

If there is agreement that deployment = implementation, we'll need other
words to express this.

Hope that clears it up.

Ralph

-- 
Ralph Holz
I8 - Network Architectures and Services
Technische Universität München
http://www.net.in.tum.de/de/mitarbeiter/holz/
Phone +49.89.289.18043
PGP: A805 D19C E23E 6BBB E0C4  86DC 520E 0C83 69B0 03EF