Re: [TLS] Fwd: I-D Action: draft-sandj-tls-iana-registry-updates-01.txt

Martin Thomson <> Thu, 20 October 2016 23:04 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 87B7A129469 for <>; Thu, 20 Oct 2016 16:04:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id xsJ85ntDFF5P for <>; Thu, 20 Oct 2016 16:04:14 -0700 (PDT)
Received: from ( [IPv6:2607:f8b0:400d:c0d::236]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 24A211294E7 for <>; Thu, 20 Oct 2016 16:04:14 -0700 (PDT)
Received: by with SMTP id f6so73509375qtd.2 for <>; Thu, 20 Oct 2016 16:04:14 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20120113; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-transfer-encoding; bh=YjcvJNDiYbwbsu0dVutkCdVggXWsiaorVJGPiuQPk98=; b=zjr5YZlxex/JX7CE6GMz/MLHug0yvBZfA9ZWHmgrOd1HIAaxiERGIdpDA5E9w/JLVJ 9SddpoOMUAoVjGc1Buc6yTtWfETnJ0TVbPCXkOEOuwv84WH7bqKSbhEPu7sznk0q1Zoi zh5ndUfdl92iNc3BhR9MK1jpuun41twrp7i/lKpQxZTU/92p/ftDWsksxTmrqERpi7re s7Ty50jGUiCaTjtCxU0HG7wWpBWLGtIHUJJVUqKNiGv7W0hBNy6nSHeG5j/SiXZRvxAK 0kFjDXZa/aU48DU3E65wYT36vklhWrvGadj5R+W45aP1ZMORDSavznDZnRnNYOgzP6vW IfZQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-transfer-encoding; bh=YjcvJNDiYbwbsu0dVutkCdVggXWsiaorVJGPiuQPk98=; b=MlTIDgmApnNkrz7OiD2DYXC4LVsuHuLoR1F9gipPwlwaqFHxwblM/6iUcpTQkbi45K BuAF8KQZQX20nA0BUEAeNdPTdifwxLWadhepnwnvHiFvhzIgipBLMSXch3kGKi21YooJ 9W08ZNhZxT0WqqfzPjLa6amnetAx8+7Wjrpac3n7AYReuh9LXJlVmGJRLTXV9jQmfsST 5sNC2BLpTA1Wr3NgfRXlwp6TGBi1BXDJPM4lIcCLBl2AfwNrQRb9bdGS2jr5DRpEZCsn LsRJBVIq3VLaRJ6EkTEb7MMjl86m7ffxxruBqFjqb8Cxp+5xHb8j0A5xVIDMcPreGDy7 mb0Q==
X-Gm-Message-State: ABUngvfvPjiQyErjRQgequ5wycJk99AX7kvlILEoBWXbsHu4HRcYZXeyqmG1QpF3wy82AjZOhWtDtv3GWt8rxQ==
X-Received: by with SMTP id p2mr3023478qtp.107.1477004653203; Thu, 20 Oct 2016 16:04:13 -0700 (PDT)
MIME-Version: 1.0
Received: by with HTTP; Thu, 20 Oct 2016 16:04:12 -0700 (PDT)
In-Reply-To: <>
References: <> <>
From: Martin Thomson <>
Date: Fri, 21 Oct 2016 10:04:12 +1100
Message-ID: <>
To: Sean Turner <>
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable
Archived-At: <>
Cc: "<>" <>
Subject: Re: [TLS] Fwd: I-D Action: draft-sandj-tls-iana-registry-updates-01.txt
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 20 Oct 2016 23:04:15 -0000

On 21 October 2016 at 05:15, Sean Turner <>; wrote:
> 1) I’d like to add something along the line of the following as a warning at the top of the cider suite registry for those that simply go to the cipher list and don’t read the RFCs:
>     WARNING: Cryptographic algorithms will be broken
>     or weakened over time.  Blindly implementing cipher
>     suites listed here is not advised.  Implementers and
>     users need to check that the cryptographic algorithms
>     listed continue to provide the expected level of security.

SGTM.  Doesn't say how to check, but I'm not sure that there is any
simple advice you could give there.

> 2) draft-ietf-tls-tls13 will indicate cipher suites that are recommended for TLS1.3; remember the negotiation mechanism is different now so we’re using the same registry but the values are in the new range.  It seems like we still need to populate the recommended column for pre-1.3 from -14 A.4?

I think that TLS 1.3 should just register the small set of cipher
suites that it does and this doc can take on the other things.  What
was in -14 seems about right.