RE: TLS/SSL robustness - high, medium, low

From the strawman page scoring algorithm at
http://www.w3.org/2006/WSC/wiki/RecommendationDisplayProposals/PageScore :
 
*	CA1 = 0 if no SSL/TLS, 5 if server X.509 certificate is
self-signed, 10 if issued from an untrusted root, 15 if from a trusted
root, 20 if it's an Extended Validation (EV) certificate; 

*	CA2 = -5 if server certificate has expired, else 0 

*	CA3 = 0 if no SSL/TLS, (CA2-CA1) if server certificate has been
revoked, 5 if it has not been revoked according to a CRL, 10 if it has
not been revoked according to a successful OCSP call or a valid stapled
OCSP response, (CA2-CA1)/2 if revocation status indeterminate; 

*	TLS1 = 0 if no SSL/TLS, 5 if SSLv1, 10 if SSLv2, 15 if SSLv3 or
TLS 1.0 or higher; 

*	TLS2 = 0 if no SSL/TLS, 5 if null cipher, 15 if AES or Triple
DES (3DES-EDE) with proper key length, 10 for any other cipher suite; 

*	TLS3 = 5 if all resources on the page are https, else 0; 


  _____  

From: public-wsc-wg-request@w3.org [mailto:public-wsc-wg-request@w3.org]
On Behalf Of Michael Versace
Sent: Tuesday, January 08, 2008 2:05 PM
To: 'Dan Schutzer'; 'Doyle, Bill'; public-wsc-wg@w3.org
Subject: RE: TLS/SSL robustness - high, medium, low



We should not only consider protocol version and cipher strength, but
also the validation methods used to determine if certificates are in a
current state of membership.  

 

From: public-wsc-wg-request@w3.org [mailto:public-wsc-wg-request@w3.org]
On Behalf Of Dan Schutzer
Sent: Tuesday, January 08, 2008 2:11 PM
To: 'Doyle, Bill'; public-wsc-wg@w3.org
Subject: RE: TLS/SSL robustness - high, medium, low

 

I think there might also be something we might want to say about whether
it is using just server certs or client and server certs.

 

  _____  

From: public-wsc-wg-request@w3.org [mailto:public-wsc-wg-request@w3.org]
On Behalf Of Doyle, Bill
Sent: Tuesday, January 08, 2008 12:52 PM
To: public-wsc-wg@w3.org
Subject: TLS/SSL robustness - high, medium, low

 

A thought is to add another robustness section to define TLS/SSL
robustness

 

Robustness of information assurance provided by TLS/SSL is dependent on
the version of the protocol and strength of ciphers used. User agents
and web servers should have the ability to restrict the use of TLS/SSL
to require the latest version of the TLS/SSL protocol, and configuration
settings should provide the capability to choose with fine grained
precision the cipher suites allowed. Cipher suites are arranged to note
export/weak (?? or key settings / 40-56 bit ciphers), medium (?? ./ 128
bit ciphers) and strong (?? / 256 bit ciphers). 

 

High Robustness

Requires the use of the latest version of the TLS/SSL protocol, and
connections must use cipher suites that fit into the strong category. 

 

Medium Robustness

Use of a TLS/SSL protocol that is 1 version behind the latest TLS/SSL
definition and uses ciphers in the medium or strong category.

 

Low Robustness

Use of a TLS/SSL protocol and cipher settings that do not fit into
medium or high robustness categories. 

 

or something like this

 

Bill D.
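
As an added illustration (not Bill Doyle's text and not a W3C deliverable), here is how the three proposed tiers could be expressed as a classifier over the negotiated protocol version and the cipher suite's key size. Everything beyond the tier definitions is my assumption: the version ordering in `VERSION_ORDER`, the default "latest" of TLS 1.1 (the current TLS RFC when this thread was written, January 2008), the key-size cut-offs standing in for the "??" placeholders, and the reading that "1 version behind" means at most one behind, so that the latest protocol with only a medium cipher lands in Medium rather than falling through to Low. The function names `cipher_category` and `robustness` are invented here.

```python
# Added example: classifier for the proposed High/Medium/Low TLS/SSL
# robustness tiers. Version order, thresholds and the "at most one
# version behind" reading are assumptions of this example.
from typing import Dict, List, Tuple

VERSION_ORDER: List[str] = ["SSLv2", "SSLv3", "TLSv1.0", "TLSv1.1", "TLSv1.2"]
LATEST_DEFAULT = "TLSv1.1"  # assumption: latest published TLS version as of January 2008


def cipher_category(key_bits: int) -> str:
    # Assumed cut-offs in place of the "??" placeholders:
    # export/weak below 128 bits, medium 128-bit class, strong 256-bit class.
    if key_bits < 128:
        return "weak"
    if key_bits < 256:
        return "medium"
    return "strong"


def robustness(protocol: str, key_bits: int, latest: str = LATEST_DEFAULT) -> str:
    """Return 'high', 'medium' or 'low' for one negotiated session."""
    # ValueError from .index() for an unknown version name is deliberate:
    # a version the policy does not know about must not silently be rated.
    versions_behind = VERSION_ORDER.index(latest) - VERSION_ORDER.index(protocol)
    category = cipher_category(key_bits)
    if versions_behind <= 0 and category == "strong":
        return "high"
    if versions_behind <= 1 and category in ("medium", "strong"):
        return "medium"
    return "low"


def rate_sessions(sessions: List[Tuple[str, int]], latest: str = LATEST_DEFAULT) -> Dict[Tuple[str, int], str]:
    """Rate several (protocol, key_bits) pairs at once, e.g. for a config audit."""
    return {s: robustness(s[0], s[1], latest) for s in sessions}


if __name__ == "__main__":
    # Constructed sessions, not observations of any real server.
    for session, tier in rate_sessions([("TLSv1.1", 256), ("TLSv1.0", 128),
                                        ("TLSv1.1", 128), ("SSLv3", 256),
                                        ("TLSv1.1", 56)]).items():
        print(session, "->", tier)
```

Passing a different `latest` (for example "TLSv1.2" once a newer RFC is published) shifts every tier down by one version, which is the property the proposal relies on: the tiers are defined relative to the current protocol, so a deployment that never upgrades slides from High to Medium to Low without its configuration changing.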

 

 

 

	 

Received on Tuesday, 8 January 2008 20:38:55 UTC