Re: [TLS] NULL cipher to become a MUST NOT in UTA BCP

Bill Frantz <frantz@pwpconsult.com> Fri, 05 September 2014 04:06 UTC

Return-Path: <frantz@pwpconsult.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4CF081A03F1 for <tls@ietfa.amsl.com>; Thu, 4 Sep 2014 21:06:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.8
X-Spam-Level:
X-Spam-Status: No, score=0.8 tagged_above=-999 required=5 tests=[BAYES_50=0.8, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id H-oyBloYtCmT for <tls@ietfa.amsl.com>; Thu, 4 Sep 2014 21:06:41 -0700 (PDT)
Received: from elasmtp-spurfowl.atl.sa.earthlink.net (elasmtp-spurfowl.atl.sa.earthlink.net [209.86.89.66]) by ietfa.amsl.com (Postfix) with ESMTP id E77341A03EA for <tls@ietf.org>; Thu, 4 Sep 2014 21:06:40 -0700 (PDT)
Received: from [173.75.83.99] (helo=Williams-MacBook-Pro.local) by elasmtp-spurfowl.atl.sa.earthlink.net with esmtpa (Exim 4.67) (envelope-from <frantz@pwpconsult.com>) id 1XPknC-00047f-LV; Fri, 05 Sep 2014 00:06:34 -0400
Date: Thu, 04 Sep 2014 21:06:29 -0700
From: Bill Frantz <frantz@pwpconsult.com>
To: Nico Williams <nico@cryptonector.com>, tls@ietf.org
X-Priority: 3
In-Reply-To: <CAK3OfOhvTS=wnH5yGnuFk0w_RH+op+Hg5iEKW2DrxuAu-Hoeqw@mail.gmail.com>
Message-ID: <r422Ps-1075i-64A8CB473A3A4501BBB2C3138C71A13E@Williams-MacBook-Pro.local>
MIME-Version: 1.0
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: quoted-printable
X-Mailer: Mailsmith 2.3.1 (422)
X-ELNK-Trace: 3a5e54fa03f1b3e21aa676d7e74259b7b3291a7d08dfec7990ec918d5196f5733baf7fed44bbc0f5350badd9bab72f9c350badd9bab72f9c350badd9bab72f9c
X-Originating-IP: 173.75.83.99
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/kT5ye__ZrfdfcYCsyeFlvoKn8Cs
Subject: Re: [TLS] NULL cipher to become a MUST NOT in UTA BCP
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 05 Sep 2014 04:06:45 -0000

On 9/3/14 at 1:24 PM, nico@cryptonector.com (Nico Williams) wrote:

>This needs to apply to implementors.  It's hard to tell sysadmins to
>not do certain things.  You need to tell implementors what to allow
>for local policy.

I really like Victor's suggestion that implementations MUST NOT 
present both encryption and NULL cypher suites on a connection. 
They could either refuse to start up when configured with both, 
or they could silently remove the NULL cypher suites.

Cheers - Bill

---------------------------------------------------------------------------
Bill Frantz        |"We used to quip that "password" is the most common
408-356-8506       | password. Now it's 'password1.' Who said 
users haven't
www.pwpconsult.com | learned anything about security?" -- Bruce Schneier