
RE: TLS/SSL robustness - high, medium, low

From: Dan Schutzer <dan.schutzer@fstc.org>
Date: Tue, 8 Jan 2008 14:10:59 -0500
To: "'Doyle, Bill'" <wdoyle@mitre.org>, <public-wsc-wg@w3.org>
Message-ID: <004f01c8522a$352dfed0$6700a8c0@dschutzer>

I think there might also be something we might want to say about whether it
is using just server certs or client and server certs.



From: public-wsc-wg-request@w3.org [mailto:public-wsc-wg-request@w3.org] On
Behalf Of Doyle, Bill
Sent: Tuesday, January 08, 2008 12:52 PM
To: public-wsc-wg@w3.org
Subject: TLS/SSL robustness - high, medium, low


A thought is to add another robustness section to define TLS/SSL robustness


Robustness of information assurance provided by TLS/SSL is dependent on the
version of the protocol and strength of ciphers used. User agents and web
servers should have the ability to restrict the use of TLS/SSL to require
the latest version of the TLS/SSL protocol, and configuration settings should
provide the capability to choose with fine-grained precision the cipher
suites allowed. Cipher suites are arranged to note export/weak (?? or key
settings / 40-56 bit ciphers), medium (?? / 128 bit ciphers) and strong (??
/ 256 bit ciphers).


High Robustness

Requires the use of the latest version of the TLS/SSL protocol and connections
must use cipher suites that fit into the strong category.


Medium Robustness

Use of TLS/SSL protocol that is 1 version behind the latest TLS/SSL
definition and uses ciphers in medium or strong category


Low Robustness

Use of a TLS/SSL protocol and cipher settings that do not fit into medium or
high robustness categories. 


or something like this


Bill D.




Received on Tuesday, 8 January 2008 19:11:14 UTC
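
The tiers proposed in the message above, sketched as a classifier over constructed connection records (an added example, not part of the original e-mail or of any W3C text). The version list, the `latest` parameter, the treatment of key lengths from 128 up to 255 bits as medium, and the `strict_medium` switch are assumptions; with `strict_medium=True` the medium tier is read literally as exactly one version behind.

```python
# Added example: the message's high/medium/low tiers applied to constructed records.
PROTOCOL_ORDER = ["SSLv2", "SSLv3", "TLSv1.0", "TLSv1.1", "TLSv1.2", "TLSv1.3"]  # oldest first

def cipher_category(key_bits):
    """Bucket a symmetric key length as weak, medium or strong."""
    if key_bits >= 256:
        return "strong"
    if key_bits >= 128:
        return "medium"  # assumption: 128 up to 255 bits all count as medium
    return "weak"        # export-grade and 40-56 bit suites, plus anything under 128

def robustness(protocol, key_bits, latest, strict_medium=False):
    """Rate one negotiated connection as 'high', 'medium' or 'low'.

    latest: newest protocol version the deployment recognises (assumption:
    supplied by the caller, since "latest" moves over time).
    strict_medium: True reads the medium tier literally (exactly one version
    behind); False (assumption) also admits the latest version with a
    medium cipher, so a newer protocol never rates below an older one.
    """
    if protocol not in PROTOCOL_ORDER or latest not in PROTOCOL_ORDER:
        raise ValueError("unknown protocol version")
    behind = PROTOCOL_ORDER.index(latest) - PROTOCOL_ORDER.index(protocol)
    if behind < 0:
        raise ValueError("negotiated version is newer than 'latest'")
    category = cipher_category(key_bits)
    if behind == 0 and category == "strong":
        return "high"
    version_ok = (behind == 1) if strict_medium else (behind <= 1)
    if version_ok and category in ("medium", "strong"):
        return "medium"
    return "low"

# Constructed sample records: (protocol, OpenSSL-style suite name, key bits).
SAMPLES = [
    ("TLSv1.3", "TLS_AES_256_GCM_SHA384", 256),
    ("TLSv1.3", "TLS_AES_128_GCM_SHA256", 128),
    ("TLSv1.2", "ECDHE-RSA-AES256-GCM-SHA384", 256),
    ("TLSv1.0", "AES256-SHA", 256),
    ("SSLv3", "EXP-RC4-MD5", 40),
]

def classify_all(records, latest, strict_medium=False):
    """Return {(protocol, suite): tier} for every record."""
    return {(p, s): robustness(p, bits, latest, strict_medium) for p, s, bits in records}

if __name__ == "__main__":
    for key, tier in classify_all(SAMPLES, latest="TLSv1.3").items():
        print(key, tier)
```

Under the literal reading, a connection on the latest protocol with a 128-bit suite falls to low while the same suite one version back rates medium, which is why the switch exists.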
