- From: Doyle, Bill <wdoyle@mitre.org>
- Date: Mon, 14 Jul 2008 14:51:43 -0400
- To: "Thomas Roessler" <tlr@w3.org>
- Cc: <stephen.farrell@cs.tcd.ie>, <pbaker@verisign.com>, <johnath@mozilla.com>, <yngve@opera.com>, <public-wsc-wg@w3.org>
This is a really quite late response, but in looking at

    Network Working Group                                          T. Dierks
    Request for Comments: 4346                                   Independent
    Obsoletes: 2246                                              E. Rescorla
    Category: Standards Track                                     RTFM, Inc.
                                                                  April 2006

    The Transport Layer Security (TLS) Protocol Version 1.1

Appendix 5 notes ciphersuite definitions that are not considered secure

http://tools.ietf.org/html/rfc4346#appendix-A.5

-----Original Message-----
From: Thomas Roessler [mailto:tlr@w3.org]
Sent: Wednesday, June 11, 2008 2:08 PM
To: Doyle, Bill
Cc: stephen.farrell@cs.tcd.ie; pbaker@verisign.com; johnath@mozilla.com; yngve@opera.com; public-wsc-wg@w3.org
Subject: Re: ACTION-426: strong and weak TLS algorithms (incorporate ISSUE-128 text)

For context:

http://www.w3.org/2006/WSC/drafts/rec/rewrite.html#def-strong-algos

On 2008-06-11 13:46:06 -0400, Bill Doyle wrote:

> I like it - Thanks.

> SSLv3 is deprecated - supported ciphers are no longer strong enough,
> industry moves forward.

I'm happy to add this one to the list of things that you really must not consider strong.

Which brings me to another point: It's probably worth using RFC 2119 verbiage when we enumerate what's considered weak or strong. I've made that change in the latest version, and would actually be tempted to change this further to say that:

    SSLv3 SHOULD NOT be considered strong.

I also wonder if it's worth saying a word about MD5-based certs.

> Is the IETF grouping ciphers in a way that enables weak ciphers to be
> noted? Export grade is easy, not sure about others.

Not that I'd know.

Cheers,
--
Thomas Roessler, W3C <tlr@w3.org>

Received on Monday, 14 July 2008 18:52:42 UTC