- From: Doyle, Bill <wdoyle@mitre.org>
- Date: Tue, 8 Jan 2008 16:26:55 -0500
- To: "Ian Fette" <ifette@google.com>, "Michael Versace" <michael.versace@fstc.org>
- Cc: "Dan Schutzer" <dan.schutzer@fstc.org>, <public-wsc-wg@w3.org>
- Message-ID: <518C60F36D5DBC489E91563736BA4B5801D36C52@IMCSRV5.MITRE.ORG>
Robust meaning "going to work".

Google DoD instruction 8500.2 and search for high robustness. Thinking it is guidance on configuration settings.

Apache already allows this type of configuration for TLS/SSL - how this thread started.

Can break out certs to the same - type of cert can break out validation processes of certs.

High IA robustness uses the best of all.

________________________________
From: Ian Fette [mailto:ifette@google.com]
Sent: Tuesday, January 08, 2008 3:36 PM
To: Michael Versace
Cc: Dan Schutzer; Doyle, Bill; public-wsc-wg@w3.org
Subject: Re: TLS/SSL robustness - high, medium, low

I am worried about how we use this. Are we expecting there to be some option somewhere where users choose "I want SSL to be mildly robust, more robust, or totally robust"? Because that seems like a bad path to go down to me.

Also, calling "strong" interactions "robust" seems confusing to me, because I think of robust as meaning it's going to work. I.e. I would say the method that falls back to older protocol versions / cipher suites would be robust. So I'm a bit worried that this terminology might confuse others.

On Jan 8, 2008 12:05 PM, Michael Versace <michael.versace@fstc.org> wrote:

We should not only consider protocol version and cipher strength, but also the validation methods used to determine if certificates are in a current state of membership.
From: public-wsc-wg-request@w3.org [mailto:public-wsc-wg-request@w3.org] On Behalf Of Dan Schutzer
Sent: Tuesday, January 08, 2008 2:11 PM
To: 'Doyle, Bill'; public-wsc-wg@w3.org
Subject: RE: TLS/SSL robustness - high, medium, low

I think there might also be something we might want to say about whether it is using just server certs or client and server certs.

________________________________
From: public-wsc-wg-request@w3.org [mailto:public-wsc-wg-request@w3.org] On Behalf Of Doyle, Bill
Sent: Tuesday, January 08, 2008 12:52 PM
To: public-wsc-wg@w3.org
Subject: TLS/SSL robustness - high, medium, low

A thought is to add another robustness section to define TLS/SSL robustness.

Robustness of information assurance provided by TLS/SSL is dependent on the version of the protocol and the strength of the ciphers used. User agents and web servers should have the ability to restrict the use of TLS/SSL to require the latest version of the TLS/SSL protocol, and configuration settings should provide the capability to choose with fine-grained precision the cipher suites allowed. Cipher suites are arranged to note export/weak (?? or key settings / 40-56 bit ciphers), medium (?? / 128 bit ciphers) and strong (?? / 256 bit ciphers).

High Robustness
Requires the use of the latest version of the TLS/SSL protocol, and connections must use cipher suites that fit into the strong category.

Medium Robustness
Use of a TLS/SSL protocol that is 1 version behind the latest TLS/SSL definition and uses ciphers in the medium or strong category.

Low Robustness
Use of a TLS/SSL protocol and cipher settings that do not fit into the medium or high robustness categories.

or something like this

Bill D.
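The High/Medium/Low scheme from Bill's original post, encoded as an added example (not code from the thread or from the working group). Where the post left "??", it assumes cipher strength is judged by symmetric key length (below 128 bits is export/weak, 128 to 255 bits is medium, 256 bits and up is strong) and takes TLSv1.1 as the latest protocol version, as it was in January 2008.

```python
# Protocol versions, oldest first. TLSv1.1 was the newest published version
# in January 2008 and is taken as "latest" by default (assumption).
PROTOCOL_ORDER = ["SSLv2", "SSLv3", "TLSv1.0", "TLSv1.1"]


def cipher_strength(key_bits: int) -> str:
    """Map symmetric key length to the post's buckets (thresholds assumed)."""
    if key_bits >= 256:
        return "strong"
    if key_bits >= 128:
        return "medium"
    return "export/weak"


def robustness(protocol: str, key_bits: int, latest: str = PROTOCOL_ORDER[-1]) -> str:
    """Return 'high', 'medium' or 'low' for one negotiated connection.

    high:   latest protocol version and a strong cipher
    medium: latest or one-behind protocol version with a medium or strong cipher
    low:    anything else (older protocol, or an export/weak cipher)
    """
    if protocol not in PROTOCOL_ORDER or latest not in PROTOCOL_ORDER:
        raise ValueError(f"unknown protocol version: {protocol!r} / {latest!r}")
    versions_behind = PROTOCOL_ORDER.index(latest) - PROTOCOL_ORDER.index(protocol)
    if versions_behind < 0:
        raise ValueError(f"{protocol} is newer than the declared latest {latest}")
    strength = cipher_strength(key_bits)
    if versions_behind == 0 and strength == "strong":
        return "high"
    if versions_behind <= 1 and strength in ("medium", "strong"):
        return "medium"
    return "low"


# Constructed sample of negotiated connections: (protocol, cipher name, key bits).
SAMPLE_CONNECTIONS = [
    ("TLSv1.1", "AES256-SHA", 256),
    ("TLSv1.1", "AES128-SHA", 128),
    ("TLSv1.0", "AES256-SHA", 256),
    ("SSLv3", "AES256-SHA", 256),
    ("TLSv1.1", "EXP-RC4-MD5", 40),
]


def classify_all(connections=SAMPLE_CONNECTIONS) -> dict:
    """Return {"protocol/cipher": robustness} for a list of connections."""
    return {f"{p}/{c}": robustness(p, bits) for p, c, bits in connections}
```

Passing a different `latest` moves the whole scale, which is the point Ian raises: a connection rated "high" today is "medium" as soon as a newer protocol version is published.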
Received on Tuesday, 8 January 2008 21:27:02 UTC