Re: TLS/SSL robustness - high, medium, low from Ian Fette on 2008-01-08 (public-wsc-wg@w3.org from January 2008)

From: Ian Fette <ifette@google.com>
Date: Tue, 8 Jan 2008 12:35:38 -0800
To: "Michael Versace" <michael.versace@fstc.org>
Cc: "Dan Schutzer" <dan.schutzer@fstc.org>, "Doyle, Bill" <wdoyle@mitre.org>, public-wsc-wg@w3.org
Message-ID: <bbeaa26f0801081235j4497150bwa526c3b645e363a1@mail.gmail.com>

I am worried about how we use this. Are we expecting there to be some option
somewhere where users choose "I want SSL to be mildly robust, more robust,
or totally robust"? Because that seems like a bad path to go down to me.
Also, calling "strong" interactions "robust" seems confusing me to me,
because I think of robust as meaning it's going to work. I.e. I would say
the method that falls back to older protocol versions / cipher suites would
be robust. So I'm a bit worried that this terminology might confuse others.

On Jan 8, 2008 12:05 PM, Michael Versace <michael.versace@fstc.org> wrote:

>   We should not only consider protocol version and cipher strength, but
> also the validation methods used to determine if certificates are in a
> current state of membership.
>
>
>
> *From:* public-wsc-wg-request@w3.org [mailto:public-wsc-wg-request@w3.org]
> *On Behalf Of *Dan Schutzer
> *Sent:* Tuesday, January 08, 2008 2:11 PM
> *To:* 'Doyle, Bill'; public-wsc-wg@w3.org
> *Subject:* RE: TLS/SSL robustness - high, medium, low
>
>
>
> I think there might also be something we might want to say about whether
> it is using just server certs or client and server certs
>
>
>  ------------------------------
>
> *From:* public-wsc-wg-request@w3.org [mailto:public-wsc-wg-request@w3.org]
> *On Behalf Of *Doyle, Bill
> *Sent:* Tuesday, January 08, 2008 12:52 PM
> *To:* public-wsc-wg@w3.org
> *Subject:* TLS/SSL robustness - high, medium, low
>
>
>
> A thought is to add another robustness section to define TLS/SSL
> robustness
>
>
>
> Robustness of information assurance provided by TLS/SSL is dependant on
> the version of the protocol and strength of ciphers used. User agents and
> web servers should have the ability to restrict the use of TLS/SSL to
> require latest version of the TLS/SSL protocol and configuration settings
> should provide the capability to choose with fine grained precision the
> cipher suites allowed. Cipher suites are arranged to note export/weak (?? or
> key settings / 40-56 bit ciphers), medium (?? ./ 128 bit ciphers) and strong
> (?? / 256 bit ciphers).
>
>
>
> High Robustness
>
> Requires the use of latest version of the TLS/SSL protocol and connections
> must use cipher suites that fit into the strong category.
>
>
>
> Medium Robustness
>
> Use of TLS/SSL protocol that is 1 version behind the latest TLS/SSL
> definition and uses ciphers in medium or strong category
>
>
>
> Low Robustness
>
> Use of a TLS/SSL protocol and cipher settings that do not fit into medium
> or high robustness categories.
>
>
>
> or something like this
>
>
>
> Bill D.
>
>
>
>
>
>
>
>
>
>

Received on Tuesday, 8 January 2008 20:35:50 UTC