Viktor Dukhovni <postfix-us...@dukhovni.org> writes:

> On Sun, Jan 05, 2014 at 06:31:46PM -0500, micah wrote:
>
>> > Given cipherlist class names:
>> >
>> >    kEECDH  - cipher suites that support Ephemeral ECDH key exchange
>> >    kEDH    - cipher suites that support Ephemeral DH key exchange
>> 
>> I'm sorry, but I have no idea what "cipherlist class names" are, would
>> you mind clarifying what that is, I tried to search the web for those
>> names, but was not able to uncover anything.
>
> There's nothing to research.  I meant to say "cipher suite class names",
> and these are not surprisingly names of classes of cipher suites.  That
> is names you can use in an OpenSSL cipherlist that match multiple cipher
> suites.

Ok, thank you for clarifying.

>
>   aNULL        - anonymous cipher suites
>   aRSA         - cipher suites with RSA certificate authentication.
>   eNULL        - cipher suites with no encryption
>   kEECDH       - cipher suites with EECDH (ECDHE) key exchange.
>   AES          - cipher suites that use AES payload encryption.
>   ...
>
> each of which matches a set of cipher suites whose elements have
> names that correspond to a single combination of algorithms, such as:

Yes, I understand this, now that I know what you are referring to. It is
true that right now, "kEECDH" is a string you can currently pass to
openssl ciphers.

However, as the [1] footnote in my original message details, along with
the series of patches to openssl: the Openssl input, API and output are
being changed so *every* occurrence of EDH and EECDH will be changed to
use the standard names DHE and ECDHE.

>  it makes sense to have matching Postfix names in parameters and
>  documentation.

I completely agree; however, it seems we do not agree on what the
matching names should be. That is precisely why I write this message. The postfix
parameter names and documentation should adopt the standardized names
that openssl is changing to. As it is written now, the postfix TLS
Forward Secrecy Document currently uses the non-standard, proprietary
names that are being replaced in Openssl. 

Changing these names, before postfix is released with these older names,
seems like the most prudent thing to do to eliminate confusion.

>  The best I can offer is to also mention ECDHE in the second bullet under
>
>      http://www.postfix.org/FORWARD_SECRECY_README.html#tls_fs
>
>  where we say that EDH is also DHE, but don't say that EECDH is also ECDHE.

I understand the desire to transition the old, non-standard names to the
new ones, but I think the better thing to do is to replace *all*
instances of EDH and EECDH with the standardized names (DHE and ECDHE)
and simply note the non-standard, proprietary names as an acceptable
alternative, but one that is deprecated. 

micah
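The class names Viktor lists each select suites by one algorithm component (key exchange, authentication, or payload cipher). As an added example, not from this thread and not OpenSSL's own code, here is a small Python model of that matching over a constructed sample in the `openssl ciphers -v` output format, treating the EDH/EECDH spellings and the standard DHE/ECDHE spellings as aliases for the same classes:

```python
# Constructed sample in the `openssl ciphers -v` output format (made up for this
# example, not captured from a real system): name, protocol, Kx=, Au=, Enc=, Mac=.
SAMPLE_CIPHERS_V = """\
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA  Enc=AESGCM(128) Mac=AEAD
DHE-RSA-AES256-SHA          TLSv1   Kx=DH   Au=RSA  Enc=AES(256)    Mac=SHA1
AECDH-AES128-SHA            TLSv1   Kx=ECDH Au=None Enc=AES(128)    Mac=SHA1
ADH-DES-CBC3-SHA            SSLv3   Kx=DH   Au=None Enc=3DES(168)   Mac=SHA1
AES128-SHA                  SSLv3   Kx=RSA  Au=RSA  Enc=AES(128)    Mac=SHA1
NULL-SHA256                 TLSv1.2 Kx=RSA  Au=RSA  Enc=None        Mac=SHA256
"""

# Class name -> predicate over one parsed suite. The EDH/EECDH names and the
# standard DHE/ECDHE names discussed in the thread select exactly the same suites.
CLASSES = {
    "kEECDH": lambda s: s["Kx"] == "ECDH",
    "kECDHE": lambda s: s["Kx"] == "ECDH",
    "kEDH":   lambda s: s["Kx"] == "DH",
    "kDHE":   lambda s: s["Kx"] == "DH",
    "aNULL":  lambda s: s["Au"] == "None",
    "aRSA":   lambda s: s["Au"] == "RSA",
    "eNULL":  lambda s: s["Enc"] == "None",
    "AES":    lambda s: s["Enc"].startswith("AES"),
}

def parse_ciphers_v(text):
    """Parse `openssl ciphers -v` style lines into dicts keyed name/Kx/Au/Enc/Mac."""
    suites = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6:
            continue  # skip blank or malformed lines
        fields = dict(p.split("=", 1) for p in parts[2:] if "=" in p)
        fields["name"] = parts[0]
        suites.append(fields)
    return suites

def expand_cipherlist(spec, suites):
    """Expand a simplified colon-separated cipherlist into suite names.

    Supported: bare class names (add matching suites, first match wins the
    position) and '!CLASS' (remove matching suites permanently, even if a later
    token would add them). Real OpenSSL also has '-', '+' and extra ordering
    rules; those are deliberately left out of this model.
    """
    selected, banned = [], set()
    for token in spec.split(":"):
        pred = CLASSES[token.lstrip("!")]
        if token.startswith("!"):
            banned.update(s["name"] for s in suites if pred(s))
        else:
            selected.extend(s["name"] for s in suites
                            if pred(s) and s["name"] not in selected)
    return [n for n in selected if n not in banned]
```

Running `expand_cipherlist("kEECDH:kEDH:!aNULL", parse_ciphers_v(SAMPLE_CIPHERS_V))` keeps only the authenticated ephemeral suites, which is the kind of selection the FORWARD_SECRECY_README discussion is about.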

Attachment: pgpDodfdSagdD.pgp
Description: PGP signature