Re: [TLS] NULL cipher to become a MUST NOT in UTA BCP
Viktor Dukhovni <ietf-dane@dukhovni.org> Fri, 05 September 2014 13:49 UTC
Return-Path: <ietf-dane@dukhovni.org>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7DEDF1A06C6 for <tls@ietfa.amsl.com>; Fri, 5 Sep 2014 06:49:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id cZaAVzCjq94S for <tls@ietfa.amsl.com>; Fri, 5 Sep 2014 06:49:51 -0700 (PDT)
Received: from mournblade.imrryr.org (mournblade.imrryr.org [38.117.134.19]) (using TLSv1.1 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DC4E91A06BF for <tls@ietf.org>; Fri, 5 Sep 2014 06:49:50 -0700 (PDT)
Received: by mournblade.imrryr.org (Postfix, from userid 1034) id E59132AB2CF; Fri, 5 Sep 2014 13:49:48 +0000 (UTC)
Date: Fri, 05 Sep 2014 13:49:48 +0000
From: Viktor Dukhovni <ietf-dane@dukhovni.org>
To: tls@ietf.org
Message-ID: <20140905134948.GK26920@mournblade.imrryr.org>
References: <r422Ps-1075i-64A8CB473A3A4501BBB2C3138C71A13E@Williams-MacBook-Pro.local> <5409B592.7070801@fifthhorseman.net> <CADMpkcKa-A-qGYLnZpFVtFcXVnbBkkBAu0V8zcfk+M03Mm1_AQ@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <CADMpkcKa-A-qGYLnZpFVtFcXVnbBkkBAu0V8zcfk+M03Mm1_AQ@mail.gmail.com>
User-Agent: Mutt/1.5.23 (2014-03-12)
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/Umid-x2igTjCBadAIZMU7D7ysLQ
Subject: Re: [TLS] NULL cipher to become a MUST NOT in UTA BCP
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: tls@ietf.org
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 05 Sep 2014 13:49:52 -0000
On Fri, Sep 05, 2014 at 03:30:55PM +0200, Bodo Moeller wrote: > If NULL encryption cipher suites can't be enabled together with non-NULL > encryption cipher suites, you'd break any server that attempts to allow > NULL encryption for clients that decide they don't need encryption (e.g., > because they're connecting to localhost) while supporting non-NULL ciphers > for clients that don't offer NULL encryption for whatever reason (e.g., > because the implementor just doesn't like NULL encryption, which I think is > a position worthy of support). Same for clients. I'd rather prefer for > the BCP to avoid this quagmire entirely. This is why my suggestion was specifically about the initiator (client): What is much more reasonable is that initiators (clients) should refuse to negotiate (should suppress any configured) NULL cipher suites when any non NULL cipher suite is enabled. This prevents accidents, without breaking carefully considered NULL to NULL deployments. It leaves room for dual-purpose servers. -- Viktor.
- [TLS] NULL cipher to become a MUST NOT in UTA BCP Ralph Holz
- Re: [TLS] NULL cipher to become a MUST NOT in UTA… Blumenthal, Uri - 0558 - MITLL
- Re: [TLS] NULL cipher to become a MUST NOT in UTA… Viktor Dukhovni
- Re: [TLS] NULL cipher to become a MUST NOT in UTA… Paul Hoffman
- Re: [TLS] NULL cipher to become a MUST NOT in UTA… Salz, Rich
- Re: [TLS] NULL cipher to become a MUST NOT in UTA… Viktor Dukhovni
- Re: [TLS] NULL cipher to become a MUST NOT in UTA… Blumenthal, Uri - 0558 - MITLL
- Re: [TLS] NULL cipher to become a MUST NOT in UTA… Ralph Holz
- Re: [TLS] NULL cipher to become a MUST NOT in UTA… Ralph Holz
- Re: [TLS] NULL cipher to become a MUST NOT in UTA… Viktor Dukhovni
- Re: [TLS] NULL cipher to become a MUST NOT in UTA… Viktor Dukhovni
- Re: [TLS] NULL cipher to become a MUST NOT in UTA… Paul Lambert
- Re: [TLS] NULL cipher to become a MUST NOT in UTA… Bodo Moeller
- Re: [TLS] NULL cipher to become a MUST NOT in UTA… Blumenthal, Uri - 0558 - MITLL
- Re: [TLS] NULL cipher to become a MUST NOT in UTA… Nico Williams
- Re: [TLS] NULL cipher to become a MUST NOT in UTA… Nikos Mavrogiannopoulos
- Re: [TLS] NULL cipher to become a MUST NOT in UTA… Yutaka OIWA
- Re: [TLS] NULL cipher to become a MUST NOT in UTA… Blumenthal, Uri - 0558 - MITLL
- Re: [TLS] NULL cipher to become a MUST NOT in UTA… Ralph Holz
- Re: [TLS] NULL cipher to become a MUST NOT in UTA… Viktor Dukhovni
- Re: [TLS] NULL cipher to become a MUST NOT in UTA… Ralph Holz
- Re: [TLS] NULL cipher to become a MUST NOT in UTA… Blumenthal, Uri - 0668 - MITLL
- Re: [TLS] NULL cipher to become a MUST NOT in UTA… Viktor Dukhovni
- Re: [TLS] NULL cipher to become a MUST NOT in UTA… Geoffrey Keating
- Re: [TLS] NULL cipher to become a MUST NOT in UTA… Blumenthal, Uri - 0668 - MITLL
- Re: [TLS] NULL cipher to become a MUST NOT in UTA… Ralph Holz
- Re: [TLS] NULL cipher to become a MUST NOT in UTA… Ralph Holz
- Re: [TLS] NULL cipher to become a MUST NOT in UTA… Nico Williams
- Re: [TLS] NULL cipher to become a MUST NOT in UTA… Ralph Holz
- Re: [TLS] NULL cipher to become a MUST NOT in UTA… Nico Williams
- Re: [TLS] NULL cipher to become a MUST NOT in UTA… Ralph Holz
- Re: [TLS] NULL cipher to become a MUST NOT in UTA… Nico Williams
- Re: [TLS] NULL cipher to become a MUST NOT in UTA… Ralph Holz
- Re: [TLS] NULL cipher to become a MUST NOT in UTA… Blumenthal, Uri - 0668 - MITLL
- Re: [TLS] NULL cipher to become a MUST NOT in UTA… Ralph Holz
- Re: [TLS] NULL cipher to become a MUST NOT in UTA… Blumenthal, Uri - 0558 - MITLL
- Re: [TLS] NULL cipher to become a MUST NOT in UTA… Yutaka OIWA
- [TLS] uta-tls-bcp-02 thoughts (was: NULL cipher t… Viktor Dukhovni
- Re: [TLS] NULL cipher to become a MUST NOT in UTA… Bodo Moeller
- Re: [TLS] NULL cipher to become a MUST NOT in UTA… Yutaka OIWA
- Re: [TLS] NULL cipher to become a MUST NOT in UTA… Nico Williams
- Re: [TLS] NULL cipher to become a MUST NOT in UTA… Blumenthal, Uri - 0558 - MITLL
- Re: [TLS] uta-tls-bcp-02 thoughts (was: NULL ciph… Blumenthal, Uri - 0558 - MITLL
- Re: [TLS] uta-tls-bcp-02 thoughts (was: NULL ciph… Nico Williams
- Re: [TLS] uta-tls-bcp-02 thoughts (was: NULL ciph… Blumenthal, Uri - 0558 - MITLL
- Re: [TLS] uta-tls-bcp-02 thoughts Ralph Holz
- Re: [TLS] uta-tls-bcp-02 thoughts Blumenthal, Uri - 0558 - MITLL
- Re: [TLS] uta-tls-bcp-02 thoughts Ralph Holz
- Re: [TLS] uta-tls-bcp-02 thoughts (was: NULL ciph… Barry Leiba
- Re: [TLS] NULL cipher to become a MUST NOT in UTA… Bill Frantz
- Re: [TLS] NULL cipher to become a MUST NOT in UTA… Daniel Kahn Gillmor
- Re: [TLS] NULL cipher to become a MUST NOT in UTA… Bodo Moeller
- Re: [TLS] NULL cipher to become a MUST NOT in UTA… Ralph Holz
- Re: [TLS] NULL cipher to become a MUST NOT in UTA… Manuel Pégourié-Gonnard
- Re: [TLS] NULL cipher to become a MUST NOT in UTA… Viktor Dukhovni
- Re: [TLS] NULL cipher to become a MUST NOT in UTA… Manuel Pégourié-Gonnard
- Re: [TLS] NULL cipher to become a MUST NOT in UTA… Ralph Holz
- Re: [TLS] NULL cipher to become a MUST NOT in UTA… Ilari Liusvaara
- Re: [TLS] NULL cipher to become a MUST NOT in UTA… Nico Williams
- Re: [TLS] NULL cipher to become a MUST NOT in UTA… Blumenthal, Uri - 0668 - MITLL
- Re: [TLS] NULL cipher to become a MUST NOT in UTA… Ralph Holz
- Re: [TLS] NULL cipher to become a MUST NOT in UTA… Bodo Moeller
- Re: [TLS] NULL cipher to become a MUST NOT in UTA… Viktor Dukhovni