- From: Doyle, Bill <wdoyle@mitre.org>
- Date: Tue, 8 Jan 2008 12:51:47 -0500
- To: <public-wsc-wg@w3.org>
- Message-ID: <518C60F36D5DBC489E91563736BA4B5801D36BD6@IMCSRV5.MITRE.ORG>
A thought is to add another robustness section to define TLS/SSL robustness.

Robustness of information assurance provided by TLS/SSL is dependent on the version of the protocol and strength of ciphers used. User agents and web servers should have the ability to restrict the use of TLS/SSL to require the latest version of the TLS/SSL protocol, and configuration settings should provide the capability to choose with fine-grained precision the cipher suites allowed.

Cipher suites are arranged to note export/weak (?? or key settings / 40-56 bit ciphers), medium (?? / 128 bit ciphers) and strong (?? / 256 bit ciphers).

High Robustness
Requires the use of the latest version of the TLS/SSL protocol, and connections must use cipher suites that fit into the strong category.

Medium Robustness
Use of a TLS/SSL protocol that is 1 version behind the latest TLS/SSL definition and uses ciphers in the medium or strong category.

Low Robustness
Use of a TLS/SSL protocol and cipher settings that do not fit into medium or high robustness categories.

or something like this

Bill D.
Received on Tuesday, 8 January 2008 17:51:57 UTC
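
The three tiers proposed in the message above, written as a classifier over a negotiated protocol version and cipher key size. This is an added example, not part of the original post. Assumed and not from the message: the version ordering list, the `latest` default, the thresholds for key sizes the message does not name, and treating the latest protocol with a medium cipher as Medium rather than Low.

```python
# Added example: classify a TLS/SSL connection into the proposed robustness tiers.
# Inputs match what Python's ssl.SSLSocket reports: version() for the negotiated
# protocol and cipher()[2] for the number of secret bits.

# Assumption: ordering of protocol versions, oldest to newest.
PROTOCOL_ORDER = ["SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]


def cipher_category(secret_bits):
    """Map key size to the message's weak/medium/strong categories.

    The message names 40-56, 128 and 256 bit ciphers only; the cut-offs for
    sizes in between are an assumption of this example.
    """
    if secret_bits >= 256:
        return "strong"
    if secret_bits >= 128:
        return "medium"
    return "weak"


def robustness(version, secret_bits, latest="TLSv1.3"):
    """Return 'high', 'medium' or 'low' for one connection."""
    if version not in PROTOCOL_ORDER or latest not in PROTOCOL_ORDER:
        raise ValueError("unknown protocol version")
    behind = PROTOCOL_ORDER.index(latest) - PROTOCOL_ORDER.index(version)
    if behind < 0:
        raise ValueError("negotiated version is newer than 'latest'")
    category = cipher_category(secret_bits)
    if behind == 0 and category == "strong":
        return "high"
    # Assumption: latest protocol with a medium cipher counts as medium.
    if behind <= 1 and category in ("medium", "strong"):
        return "medium"
    return "low"


# Constructed sample connections: (negotiated version, cipher name, secret bits).
SAMPLES = [
    ("TLSv1.3", "TLS_AES_256_GCM_SHA384", 256),
    ("TLSv1.2", "ECDHE-RSA-AES128-GCM-SHA256", 128),
    ("TLSv1", "AES256-SHA", 256),
    ("SSLv3", "EXP-RC4-MD5", 40),
]


def classify_samples(latest="TLSv1.3"):
    return [(name, robustness(ver, bits, latest)) for ver, name, bits in SAMPLES]
```

Because the tiers are defined relative to the latest protocol version, the same connection drops a tier each time a new version is published; pass `latest` explicitly when evaluating a policy for a given date.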