IETF Logo Mail Archive

Re: [TLS] TLS Provfiles (Was: Call for consensus to remove anonymous DH)

Peter Gutmann <pgut001@cs.auckland.ac.nz> Wed, 16 September 2015 08:19 UTC

Return-Path: <pgut001@cs.auckland.ac.nz>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EF4BD1B38B4 for <tls@ietfa.amsl.com>; Wed, 16 Sep 2015 01:19:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.071
X-Spam-Level:
X-Spam-Status: No, score=0.071 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FRT_PROFILE2=1.981, T_RP_MATCHES_RCVD=-0.01] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id uinfkEFIitS0 for <tls@ietfa.amsl.com>; Wed, 16 Sep 2015 01:19:54 -0700 (PDT)
Received: from mx4.auckland.ac.nz (mx4.auckland.ac.nz [130.216.125.248]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9E9021B38AB for <tls@ietf.org>; Wed, 16 Sep 2015 01:19:53 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=auckland.ac.nz; i=@auckland.ac.nz; q=dns/txt; s=mail; t=1442391593; x=1473927593; h=from:to:cc:subject:date:message-id:references: in-reply-to:content-transfer-encoding:mime-version; bh=5QKgP4XQkp2H1E9uAqEl+j7Vgai7W1rDwvKm2PnacLI=; b=VHrFJwGgQMmmG9+6b05o8LO91TGLiEU0VGQIdkijen+y4DN0C1ntFB8j l8Xi8o/WSXbowQufb2kEaljXeRSyF8T6awT6AWuuZDT00H5nwxr4jURAl szpzun7f3FNRuE8biQKVrJSUckXHKY5byAZTdtmy62hyy3NVPfD6J5E2Y IG9L7Y6o0NNbCDIZjI5BMkfXMThAvcIJ1dwTtktI/dJqjBKxPl9ditawQ 9vgNPQWhi9sXk+tWtHXvQM0vrpiP3zNSxA6yzkVfyGdRNa705lz+Y93AM /IwQVSfwaAB7LWtaJ4C5PX+LzY1GtOcST2SZ8NkP0ZFo20/JygHNhROFL Q==;
X-IronPort-AV: E=Sophos;i="5.17,537,1437393600"; d="scan'208";a="41920582"
X-Ironport-HAT: MAIL-SERVERS - $RELAYED
X-Ironport-Source: 130.216.4.171 - Outgoing - Outgoing
Received: from exchangemx.uoa.auckland.ac.nz (HELO uxchange10-fe4.UoA.auckland.ac.nz) ([130.216.4.171]) by mx4-int.auckland.ac.nz with ESMTP/TLS/AES128-SHA; 16 Sep 2015 20:19:51 +1200
Received: from UXCN10-TDC05.UoA.auckland.ac.nz ([169.254.9.47]) by uxchange10-fe4.UoA.auckland.ac.nz ([169.254.109.63]) with mapi id 14.03.0174.001; Wed, 16 Sep 2015 20:19:51 +1200
From: Peter Gutmann <pgut001@cs.auckland.ac.nz>
To: "noloader@gmail.com" <noloader@gmail.com>, Tony Arcieri <bascule@gmail.com>
Thread-Topic: [TLS] TLS Provfiles (Was: Call for consensus to remove anonymous DH)
Thread-Index: AQHQ8FFq13KcVZ89fEGkcyYs2GLTPZ4+0CRR
Date: Wed, 16 Sep 2015 08:19:51 +0000
Message-ID: <9A043F3CF02CD34C8E74AC1594475C73F4B070E6@uxcn10-tdc05.UoA.auckland.ac.nz>
References: <CAH8yC8=eHzQPL6cROVK4Pm0V2FSYTL7C7csLG7p49W5LEmfo=Q@mail.gmail.com>
In-Reply-To: <CAH8yC8=eHzQPL6cROVK4Pm0V2FSYTL7C7csLG7p49W5LEmfo=Q@mail.gmail.com>
Accept-Language: en-NZ, en-GB, en-US
Content-Language: en-NZ
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [130.216.158.4]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/cTUPn6th5s5eMRSgFrst5z0LZ5M>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] TLS Provfiles (Was: Call for consensus to remove anonymous DH)
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 16 Sep 2015 08:19:58 -0000

Jeffrey Walton <noloader@gmail.com> writes:

>Somewhat off-topic, why does TLS not produce a few profiles. One can be
>"Opportunistic TLS Profile" with a compatible security posture and include
>ADH. Another can be a "Standard TLS Profile" and include things like export
>grade crypto, weak and wounder ciphers SSLv3, etc. Finally, there can be a
>"TLS Defensive profile" where you get mostly the strong the protocols and
>ciphers, HTTPS Pinning Overrides are not allowed so the adversary cannot
>break the secure channel by tricking a user, etc.

+1.  At the moment you're stuck with everything-all-the-time (or alternatively
one-size-misfits-all) where you have to support every single mechanism and
quirk and add-on, when all you want most of the time is to set up a basic
secure tunnel from A to B.  Having profiles would be a great help, so all the
other standards groups that build on TLS can refer to, say, the emebedded-
device profile or the PFS-with-PSK profile rather than having to hack around
the standard themselves.

Peter.

v2.23.0 | Report a Bug | By Email