Re: [TLS] security levels for TLS

Mike <mike-list@pobox.com> Fri, 12 October 2007 23:14 UTC

Message-ID: <4710000A.7020006@pobox.com>
Date: Fri, 12 Oct 2007 16:15:22 -0700
From: Mike <mike-list@pobox.com>
To: tls@lists.ietf.org
Subject: Re: [TLS] security levels for TLS
References: <c331d99a0710080621g7c0ec91et35c46553c23f4402@mail.gmail.com> <470FC52E.6080707@pobox.com> <p06240828c3357a914a76@[192.168.1.3]> <200710122237.30517.nmav@gnutls.org> <20071012200032.70EEA33C23@delta.rtfm.com>
In-Reply-To: <20071012200032.70EEA33C23@delta.rtfm.com>

>>> Confusing and/or giving users false senses of security are definitely
>>> negative.
>> Actually I think the latter sentence describes the current situation!
> 
> How so? Nothing at all stops you from putting any indicator you
> like in your code. Why does IETF have to standardize it?

I think there is some mis-communication going on.  I have never
even mentioned the IETF standardizing an "indicator" of security
level.  Someone else may have, but I reject that idea as well.

All I've proposed is that the client send a few extra bytes of
information specifying the sizes of keys/parameters that are
not defined by the cipher suites.  Every client is free to
determine what it thinks is acceptable in this regard.  There
would be no "standard profiles" or even "suggested profiles"
since over time they would become outdated.

Here is a simple code example of what I envision:

    TlsSecurityProfile profile_Generic;
    TlsSecurityProfile profile_Strong;

    profile_Generic.SetRSAKeyLength (1024, 900);  // desired, minimum
    profile_Generic.SetDSAKeyLength (1024, 900);
    profile_Generic.SetDHParameterSize (1024, 1000);

    profile_Strong.SetRSAKeyLength (2048, 2000);
    profile_Strong.SetDSAKeyLength (2048, 2000);
    profile_Strong.SetDHParameterSize (1536, 1536);

    ConnectTLS ("www.amazon.com:443", profile_Generic);
    ConnectTLS ("www.mybank.com:443", profile_Strong);

Currently TLS cannot totally support this interface, but with the
extension I proposed, it could.

Mike

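Added example, not part of Mike's post or of any TLS working-group draft: a toy of what the "few extra bytes" he describes would look like on the wire, what a server could do with them, and the client-side check the profile exists to drive. The extension type number 0xFF42, the six-uint16 layout, the class and function names, and the server scenario are all assumptions made for illustration; the two profiles are the ones from the post.

```python
"""Toy model of a client-sent key/parameter size profile (added example)."""
import struct
from dataclasses import dataclass
from typing import Optional, Sequence

# Hypothetical extension type (assumption for illustration; nothing like this
# was ever assigned by IANA or adopted by the TLS WG).
EXT_KEY_SIZE_PROFILE = 0xFF42


@dataclass(frozen=True)
class SizeRange:
    """A desired size and the minimum the client will still accept, in bits."""
    desired: int
    minimum: int

    def __post_init__(self) -> None:
        if not 0 < self.minimum <= self.desired <= 0xFFFF:
            raise ValueError("need 0 < minimum <= desired <= 65535")


@dataclass(frozen=True)
class TlsSecurityProfile:
    """Sizes the cipher suite leaves open: RSA key, DSA key, ephemeral DH group."""
    rsa: SizeRange
    dsa: SizeRange
    dh: SizeRange

    def encode(self) -> bytes:
        # Assumed layout: extension_type(2) length(2) then six uint16 values
        # (RSA desired, RSA min, DSA desired, DSA min, DH desired, DH min).
        body = struct.pack(
            "!6H",
            self.rsa.desired, self.rsa.minimum,
            self.dsa.desired, self.dsa.minimum,
            self.dh.desired, self.dh.minimum,
        )
        return struct.pack("!HH", EXT_KEY_SIZE_PROFILE, len(body)) + body

    @classmethod
    def decode(cls, data: bytes) -> "TlsSecurityProfile":
        if len(data) < 4:
            raise ValueError("truncated extension")
        ext_type, length = struct.unpack("!HH", data[:4])
        if ext_type != EXT_KEY_SIZE_PROFILE or length != 12 or len(data) != 4 + length:
            raise ValueError("not a well-formed key-size profile extension")
        v = struct.unpack("!6H", data[4:])
        return cls(SizeRange(v[0], v[1]), SizeRange(v[2], v[3]), SizeRange(v[4], v[5]))


# The two profiles from the post: (desired, minimum) per parameter.
PROFILE_GENERIC = TlsSecurityProfile(SizeRange(1024, 900), SizeRange(1024, 900), SizeRange(1024, 1000))
PROFILE_STRONG = TlsSecurityProfile(SizeRange(2048, 2000), SizeRange(2048, 2000), SizeRange(1536, 1536))


def choose_dh_size(profile: TlsSecurityProfile, available: Sequence[int]) -> Optional[int]:
    """Server side: pick the smallest DH group this server has that meets the
    client's desired size; fall back to the smallest that meets the minimum;
    return None if nothing qualifies (the server should then not offer DHE)."""
    meets_desired = sorted(g for g in available if g >= profile.dh.desired)
    if meets_desired:
        return meets_desired[0]
    meets_minimum = sorted(g for g in available if g >= profile.dh.minimum)
    return meets_minimum[0] if meets_minimum else None


def check_server_parameters(profile, rsa_bits=None, dsa_bits=None, dh_bits=None):
    """Client side: every parameter the server actually used must reach the
    profile's minimum; parameters not used in this handshake (None) are
    skipped. Returns (accepted, list_of_reasons)."""
    problems = []
    for name, rng, bits in (("RSA", profile.rsa, rsa_bits),
                            ("DSA", profile.dsa, dsa_bits),
                            ("DH", profile.dh, dh_bits)):
        if bits is not None and bits < rng.minimum:
            problems.append(f"{name} parameter is {bits} bits, minimum is {rng.minimum}")
    return (not problems, problems)


if __name__ == "__main__":
    # Constructed scenario: a server holding a 1024-bit RSA certificate with
    # 1024- and 2048-bit DH groups on hand.
    for label, profile in (("Generic", PROFILE_GENERIC), ("Strong", PROFILE_STRONG)):
        wire = profile.encode()
        seen = TlsSecurityProfile.decode(wire)       # what the server parses
        dh = choose_dh_size(seen, (1024, 2048))       # what the server picks
        ok, why = check_server_parameters(profile, rsa_bits=1024, dh_bits=dh)
        print(label, wire.hex(), "DH:", dh, "accepted:", ok, why)
```

Running it shows the asymmetry worth keeping in mind when reading the proposal: the ephemeral DH size is something a cooperating server can adjust to the profile (the Strong client gets the 2048-bit group), but the certificate's RSA key is fixed at the server, so the Strong connection is still refused by the client's own check. The extension lets the client state its policy; enforcing it stays a local decision.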

_______________________________________________
TLS mailing list
TLS@lists.ietf.org
https://www1.ietf.org/mailman/listinfo/tls