- From: Dan Schutzer <dan.schutzer@fstc.org>
- Date: Tue, 8 Jan 2008 14:10:59 -0500
- To: "'Doyle, Bill'" <wdoyle@mitre.org>, <public-wsc-wg@w3.org>
- Message-ID: <004f01c8522a$352dfed0$6700a8c0@dschutzer>
I think there might also be something we might want to say about whether it is using just server certs or client and server certs.

_____

From: public-wsc-wg-request@w3.org [mailto:public-wsc-wg-request@w3.org] On Behalf Of Doyle, Bill
Sent: Tuesday, January 08, 2008 12:52 PM
To: public-wsc-wg@w3.org
Subject: TLS/SSL robustness - high, medium, low

A thought is to add another robustness section to define TLS/SSL robustness.

Robustness of information assurance provided by TLS/SSL is dependent on the version of the protocol and strength of ciphers used. User agents and web servers should have the ability to restrict the use of TLS/SSL to require the latest version of the TLS/SSL protocol, and configuration settings should provide the capability to choose with fine-grained precision the cipher suites allowed.

Cipher suites are arranged to note export/weak (?? or key settings / 40-56 bit ciphers), medium (?? / 128 bit ciphers) and strong (?? / 256 bit ciphers).

High Robustness
Requires the use of the latest version of the TLS/SSL protocol, and connections must use cipher suites that fit into the strong category.

Medium Robustness
Use of a TLS/SSL protocol that is 1 version behind the latest TLS/SSL definition and uses ciphers in the medium or strong category.

Low Robustness
Use of a TLS/SSL protocol and cipher settings that do not fit into the medium or high robustness categories.

or something like this

Bill D.
Received on Tuesday, 8 January 2008 19:11:14 UTC
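
The high/medium/low tiers proposed in the quoted message, written out as a classifier (an added example, not part of the original thread). It also shows a boundary case: read literally, the latest protocol with a 128-bit cipher fits neither High nor Medium and lands in Low, so the `literal` flag lets both readings be compared. The function names, the ordered version list and the rounding of in-between key sizes are assumptions.

```python
from enum import Enum

class Robustness(Enum):
    HIGH = "high"
    MEDIUM = "medium"
    LOW = "low"

# Oldest to newest; the last entry is treated as "latest". Assumed list:
# pass a different tuple to match the deployment being assessed.
DEFAULT_VERSIONS = ("SSLv2", "SSLv3", "TLSv1.0", "TLSv1.1")

def cipher_category(key_bits):
    # Buckets from the message: 40-56 weak, 128 medium, 256 strong.
    # Sizes in between (e.g. 112, 168) round down; that is an assumption.
    if key_bits >= 256:
        return "strong"
    if key_bits >= 128:
        return "medium"
    return "weak"

def classify(version, key_bits, versions=DEFAULT_VERSIONS, literal=True):
    # literal=True:  Medium means exactly one version behind the latest.
    # literal=False: Medium means at most one version behind the latest.
    if version not in versions:
        return Robustness.LOW  # unknown protocol fits neither upper tier
    behind = len(versions) - 1 - versions.index(version)
    category = cipher_category(key_bits)
    if behind == 0 and category == "strong":
        return Robustness.HIGH
    version_ok = (behind == 1) if literal else (behind <= 1)
    if version_ok and category in ("medium", "strong"):
        return Robustness.MEDIUM
    return Robustness.LOW

# Constructed sample connections: (negotiated version, cipher key bits)
SAMPLES = [("TLSv1.1", 256), ("TLSv1.1", 128), ("TLSv1.0", 256),
           ("TLSv1.0", 128), ("SSLv3", 256), ("TLSv1.1", 56)]

def report(literal=True):
    return [(v, b, classify(v, b, literal=literal).value) for v, b in SAMPLES]

if __name__ == "__main__":
    for literal in (True, False):
        print("literal reading" if literal else "at most one version behind")
        for row in report(literal):
            print("  %-8s %3d-bit -> %s" % row)
```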