IETF Logo Mail Archive

Re: [TLS] TLS Provfiles (Was: Call for consensus to remove anonymous DH)

Dave Garrett <davemgarrett@gmail.com> Wed, 16 September 2015 22:37 UTC

Return-Path: <davemgarrett@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 978201A8ABD for <tls@ietfa.amsl.com>; Wed, 16 Sep 2015 15:37:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.019
X-Spam-Level:
X-Spam-Status: No, score=-0.019 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, FRT_PROFILE2=1.981, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id PIXzg94qivMM for <tls@ietfa.amsl.com>; Wed, 16 Sep 2015 15:37:23 -0700 (PDT)
Received: from mail-qg0-x231.google.com (mail-qg0-x231.google.com [IPv6:2607:f8b0:400d:c04::231]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9AC281A8ABE for <tls@ietf.org>; Wed, 16 Sep 2015 15:37:23 -0700 (PDT)
Received: by qgev79 with SMTP id v79so222506qge.0 for <tls@ietf.org>; Wed, 16 Sep 2015 15:37:22 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=from:to:subject:date:user-agent:cc:references:in-reply-to :mime-version:content-type:content-transfer-encoding:message-id; bh=+o8DrNn4dfdP86V0eKpVB2BzXGNiLAJ44p2oelUgtVM=; b=ePO7ynd/mpeSeyQ78wBsyHNyDBdzapcOpVv7ijmXy/QBBIyYBEA7oY8gRKHagjPY6f gIWz5jCL+4VsGKkvtZ/Mmy+L9RFQWMqoSfMuuy6j+nnvzSygj7m1jorO0tdW4YqXOMTK YgNl6DSAQPeMfjqy3a2AOdy0jxYlPK95pfnMRf20rzeLTOesxkh7dShWGYEEw+I3OJCh /6isjQ9GWNqi0umxLslBkY815gTSKNG2EjEXgjG+ZjZCkYY6dQvsOtLHSMu/ybQQlwYy 4YUtryhL2tvRjimPMcp20OaEBZk5C+qTUdqUZrc8/JJ5mz46xv3tNOb//ebpSFLStLly 6yjw==
X-Received: by 10.140.234.78 with SMTP id f75mr48971534qhc.20.1442443042918; Wed, 16 Sep 2015 15:37:22 -0700 (PDT)
Received: from dave-laptop.localnet (pool-72-94-152-197.phlapa.fios.verizon.net. [72.94.152.197]) by smtp.gmail.com with ESMTPSA id s12sm23656qkl.2.2015.09.16.15.37.22 (version=TLSv1 cipher=RC4-SHA bits=128/128); Wed, 16 Sep 2015 15:37:22 -0700 (PDT)
From: Dave Garrett <davemgarrett@gmail.com>
To: tls@ietf.org
Date: Wed, 16 Sep 2015 18:37:21 -0400
User-Agent: KMail/1.13.5 (Linux/2.6.32-74-generic-pae; KDE/4.4.5; i686; ; )
References: <CAH8yC8=eHzQPL6cROVK4Pm0V2FSYTL7C7csLG7p49W5LEmfo=Q@mail.gmail.com> <201509161503.54756.davemgarrett@gmail.com> <20150916213827.GC21942@mournblade.imrryr.org>
In-Reply-To: <20150916213827.GC21942@mournblade.imrryr.org>
MIME-Version: 1.0
Content-Type: Text/Plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
Message-Id: <201509161837.21743.davemgarrett@gmail.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/yjoaXEQ5NNbEgxhQ1QAzyOW-_nU>
Subject: Re: [TLS] TLS Provfiles (Was: Call for consensus to remove anonymous DH)
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 16 Sep 2015 22:37:24 -0000

On Wednesday, September 16, 2015 05:38:27 pm Viktor Dukhovni wrote:
> On Wed, Sep 16, 2015 at 03:03:54PM -0400, Dave Garrett wrote:
> > The suggestion that started this thread was to have a "Standard TLS Profile"
> > that actually allowed EXPORT ciphers & SSL3. So yeah, this proposal feels
> > like a suggestion to keep allowance of obsolete junk as the norm with
> > "defensive" as a separate option, because that's what it specifically
> > says.
> 
> Object to such a profile, and rather than the idea of profiles.
> There is no need for the TLS WG to define any profiles that include
> SSL3 or EXPORT ciphers.

That's a fair point, but I don't see the need for a profile once that stuff is not allowed anywhere. I could accept the notion of a TLS strict mode, where it's TLS 1.2 + PFS + AEAD + no SHA1/DSA/SSL2HELLO/etc. only, but that's not really a "profile" so much as one paragraph that could be added. Application profiles are already a thing, so I don't see why we also need a new mechanism here.

Let me put it this way, I see no way for the WG to reasonably agree on this without a proposed _set_ of profiles to go with it that we all could also live with. Just the vague notion of more profiles in abstract isn't sounding great on its own.


Dave

v2.23.0 | Report a Bug | By Email