- From: Doyle, Bill <wdoyle@mitre.org>
- Date: Wed, 14 Nov 2007 10:34:53 -0500
- To: "Doyle, Bill" <wdoyle@mitre.org>, <public-wsc-wg@w3.org>
- Message-ID: <518C60F36D5DBC489E91563736BA4B5801C31FD6@IMCSRV5.MITRE.ORG>
Current thoughts on this action item - defining cipher suite strength.

Although I did find some international standards documents (ISO) that noted cipher suites, the WSC endorses the use of HTTPS - IETF TLS to provide security so...

The WSC WG relies on the current IETF TLS protocol definition in order to provide adequate protection of users' privacy data when data is exchanged between a user agent and web server. WSC defines configuration of the TLS protocol below in a manner that allows for broad industry acceptance and keeps pace with changes in industry and demands of security requirements of users and providers in a web enabled environment.

The ability to protect privacy data between a user agent and web server is in part determined by the strength and capabilities of the TLS protocol and underlying cryptographic mechanisms. The TLS protocol is versioned to keep pace with protocol features and the cipher suites that are available to the community. The requirements of the TLS protocol are constantly changing; a link to the latest version of the TLS protocol is included here, noted as IETF RFC 4346: http://www.ietf.org/rfc/rfc4346.txt

Since the TLS protocol specification is a moving target, the TLS protocol has the ability to restrict connections to older versions of the protocol. Protocol versioning has the added benefit of restricting use of older and weaker cipher suites that are incorporated into older protocol specifications.

WSC notes that the latest version of the TLS protocol and the strongest cipher suites SHOULD be used when HTTPS is established, securing data that is exchanged between user agent and web server, and the connection MUST NOT allow the use of a version of the TLS protocol that is more than one version behind the latest version of TLS.

TLS is the protocol standard used in web enabled environments. New versions of the protocol come out, cipher suites are added and it is a non-Gov industry standard.

Cheers
Bill D.
Received on Wednesday, 14 November 2007 15:37:08 UTC
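
The "no more than one version behind the latest" rule from the message above, sketched as a client-side version floor and a check on negotiated versions using Python's `ssl` module. This is an added example, not part of the original post; the helper names are hypothetical, and treating the newest version the local TLS library supports as "latest" is an assumption.

```python
import ssl

# Protocol versions in release order, as named by Python's ssl module.
ORDERED = [
    ssl.TLSVersion.SSLv3,
    ssl.TLSVersion.TLSv1,
    ssl.TLSVersion.TLSv1_1,
    ssl.TLSVersion.TLSv1_2,
    ssl.TLSVersion.TLSv1_3,
]

# Strings returned by SSLSocket.version(), mapped to the versions above.
NAMES = dict(zip(["SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"], ORDERED))


def floor_version(latest):
    """Oldest version permitted: at most one version behind `latest`."""
    i = ORDERED.index(latest)
    return ORDERED[max(i - 1, 0)]


def latest_supported():
    """Assumption: 'latest' is the newest version the local TLS library offers."""
    have = [ssl.HAS_SSLv3, ssl.HAS_TLSv1, ssl.HAS_TLSv1_1,
            ssl.HAS_TLSv1_2, ssl.HAS_TLSv1_3]
    return [v for v, ok in zip(ORDERED, have) if ok][-1]


def build_client_context(latest=None):
    """Client context that refuses to negotiate anything older than the floor."""
    if latest is None:
        latest = latest_supported()
    ctx = ssl.create_default_context()
    ctx.minimum_version = floor_version(latest)
    return ctx


def is_allowed(negotiated, latest):
    """Check a negotiated version string (e.g. from SSLSocket.version())."""
    version = NAMES.get(negotiated)  # unknown or older names such as "SSLv2" fail
    return version is not None and version >= floor_version(latest)
```

With RFC 4346 (TLS 1.1) as the latest version, as in the message, the floor is TLS 1.0; with TLS 1.3 as the latest, it is TLS 1.2.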