RE: TLS/SSL robustness - high, medium, low

We should not only consider protocol version and cipher strength, but also
the validation methods used to determine if certificates are in a current
state of membership.  

From: public-wsc-wg-request@w3.org [mailto:public-wsc-wg-request@w3.org] On
Behalf Of Dan Schutzer
Sent: Tuesday, January 08, 2008 2:11 PM
To: 'Doyle, Bill'; public-wsc-wg@w3.org
Subject: RE: TLS/SSL robustness - high, medium, low

I think there might also be something we might want to say about whether it
is using just server certs or client and server certs

From: public-wsc-wg-request@w3.org [mailto:public-wsc-wg-request@w3.org] On
Behalf Of Doyle, Bill
Sent: Tuesday, January 08, 2008 12:52 PM
To: public-wsc-wg@w3.org
Subject: TLS/SSL robustness - high, medium, low

A thought is to add another robustness section to define TLS/SSL robustness

Robustness of information assurance provided by TLS/SSL is dependent on the
version of the protocol and strength of ciphers used. User agents and web
servers should have the ability to restrict the use of TLS/SSL to require
latest version of the TLS/SSL protocol and configuration settings should
provide the capability to choose with fine grained precision the cipher
suites allowed. Cipher suites are arranged to note export/weak (?? or key
settings / 40-56 bit ciphers), medium (?? ./ 128 bit ciphers) and strong (??
/ 256 bit ciphers). 

High Robustness

Requires the use of latest version of the TLS/SSL protocol and connections
must use cipher suites that fit into the strong category. 

Medium Robustness

Use of TLS/SSL protocol that is 1 version behind the latest TLS/SSL
definition and uses ciphers in medium or strong category

Low Robustness

Use of a TLS/SSL protocol and cipher settings that do not fit into medium or
high robustness categories. 

or something like this

Bill D.
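The high/medium/low tiers proposed above, worked through as an added example; this is not code from the thread or from the WSC working group. It assumes a protocol version list with TLS 1.1 as the latest version (as of January 2008), fills the proposal's "??" placeholders with symmetric key-length thresholds only (under 128 bits weak, 128 to 255 bits medium, 256 bits and up strong, with any EXPORT suite counted as weak), and reads "1 version behind" as "at most one version behind". The suite names are real IANA names; the key-length table is a constructed lookup. It goes one step beyond the proposal with a policy_floor check that reports the weakest tier a peer could still negotiate under a given minimum version and allowed suite list, which is what an operator configuring the "fine grained" cipher restrictions actually needs to know.

```python
from typing import Iterable

# Protocol versions, oldest to newest.  Assumption: TLS 1.1 is the latest
# version at the time of the thread; append newer versions as they ship.
PROTOCOL_ORDER = ["SSLv2", "SSLv3", "TLSv1.0", "TLSv1.1"]

# Constructed lookup: nominal symmetric key length per suite (IANA names).
SUITE_KEY_BITS = {
    "TLS_RSA_EXPORT_WITH_RC4_40_MD5": 40,
    "TLS_RSA_WITH_DES_CBC_SHA": 56,
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA": 168,
    "TLS_RSA_WITH_AES_128_CBC_SHA": 128,
    "TLS_RSA_WITH_AES_256_CBC_SHA": 256,
}

WEAK, MEDIUM, STRONG = "weak", "medium", "strong"
LOW, MED, HIGH = "low", "medium", "high"
TIER_RANK = {LOW: 0, MED: 1, HIGH: 2}


def cipher_category(suite: str) -> str:
    """Bucket a suite as export/weak, medium or strong.
    Assumed thresholds for the proposal's '??': <128 bits weak,
    128-255 medium, >=256 strong; EXPORT suites are weak regardless."""
    bits = SUITE_KEY_BITS[suite]
    if "_EXPORT_" in suite or bits < 128:
        return WEAK
    return STRONG if bits >= 256 else MEDIUM


def versions_behind(protocol: str) -> int:
    """Number of versions the negotiated protocol trails the latest one."""
    return len(PROTOCOL_ORDER) - 1 - PROTOCOL_ORDER.index(protocol)


def robustness(protocol: str, suite: str) -> str:
    """High: latest version and a strong suite.
    Medium: at most one version behind (our reading of '1 version behind')
    and a medium or strong suite.  Low: everything else."""
    behind = versions_behind(protocol)
    cat = cipher_category(suite)
    if behind == 0 and cat == STRONG:
        return HIGH
    if behind <= 1 and cat in (MEDIUM, STRONG):
        return MED
    return LOW


def policy_floor(min_protocol: str, allowed_suites: Iterable[str]) -> str:
    """Weakest tier a peer can still negotiate when the configuration enforces
    a minimum protocol version and an allowed suite list.  This is the
    guaranteed tier, not the best case a well-behaved client happens to pick."""
    candidates = PROTOCOL_ORDER[PROTOCOL_ORDER.index(min_protocol):]
    suites = list(allowed_suites)
    worst = HIGH
    for proto in candidates:
        for suite in suites:
            tier = robustness(proto, suite)
            if TIER_RANK[tier] < TIER_RANK[worst]:
                worst = tier
    return worst


if __name__ == "__main__":
    print(robustness("TLSv1.1", "TLS_RSA_WITH_AES_256_CBC_SHA"))  # high
    print(robustness("TLSv1.0", "TLS_RSA_WITH_AES_128_CBC_SHA"))  # medium
    print(robustness("SSLv3", "TLS_RSA_WITH_AES_256_CBC_SHA"))    # low
    # A config that permits TLS 1.0 and AES-128 can only guarantee "medium",
    # even though a client may negotiate a "high" session on TLS 1.1/AES-256.
    print(policy_floor("TLSv1.0", ["TLS_RSA_WITH_AES_256_CBC_SHA",
                                   "TLS_RSA_WITH_AES_128_CBC_SHA"]))  # medium
    print(policy_floor("TLSv1.1", ["TLS_RSA_WITH_AES_256_CBC_SHA"]))  # high
```

The policy_floor result is the number to put next to a server or user-agent configuration: a negotiated session can score higher than the floor, but the floor is the only tier the configuration itself guarantees. Note that this check covers only the two inputs in the proposal (version and cipher strength); the certificate validation and client-certificate points raised in the replies would be separate inputs.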

Received on Tuesday, 8 January 2008 20:05:26 UTC