On 16/09/15 12:18, Peter Gutmann wrote:
> Stephen Farrell <stephen.farr...@cs.tcd.ie> writes:
>
>> We have BCP195 [1] that aims for the "general" case (for up to TLS1.2) and a
>> draft [2] (current in IESG evaluation) for the embedded case. Are those the
>> kind of thing you're after?
>
> Sort of, but since they're not part of the TLS spec they essentially don't
> exist (I've never seen them quoted, cited, or referenced in any third-party
> standard that deals with TLS).

I'm not sure how to process that comment. You ask for X, I ask is Y==X and
your answer is that Y doesn't exist? Seems odd. ;-)

Anyway, so far 5 RFCs reference BCP195. [1] I'd say that'll grow over time.
Hopefully folks implementing will find it useful too and not only those
writing RFCs that need TLS, but I guess we'll see over time if BCP195 got it
right or not.

[1] http://www.arkko.com/tools/allstats/citations-rfc7525.html

> Another problem is that they're defined as a large collection of (often rather
> waffly) "don't do this" comments, so as a somewhat wooly blacklist rather than
> a clear whitelist. So the BCPs aren't really a profile but more like 20-30
> pages of hand-wringing.

Feel free to collect a bunch of your own emails (hand-wringing or not:-) and
shoot those out as an I-D.

> An actual profile of TLS would be something like MUST TLS 1.1 or above, MUST
> PFS suites, MUST AES and SHA256, MUST E-then-M (and by implication what isn't
> explicitly permitted is denied).

Yes, life would be lovely if things were so simple.

S.

> Peter.

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
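The whitelist-style profile Peter sketches ("what isn't explicitly permitted is denied"), as an added example that is not code from the thread or from any IETF document. The permitted sets, the `TlsConfig` shape and the treatment of encrypt-then-MAC (required only for CBC suites, with AEAD suites passing) are this example's own assumptions about how such a profile would be read.

```python
import re
from dataclasses import dataclass

# Whitelist profile: list what is permitted and deny everything else. These
# sets are this example's reading of "TLS 1.1 or above, PFS, AES, SHA256,
# encrypt-then-MAC", not text taken from any RFC or BCP.
PERMITTED_VERSIONS = {"TLSv1.1", "TLSv1.2"}
PFS_KEY_EXCHANGE = {"ECDHE", "DHE"}
PERMITTED_CIPHERS = {"AES_128_GCM", "AES_256_GCM", "AES_128_CBC", "AES_256_CBC"}
PERMITTED_HASH = {"SHA256"}

# IANA cipher suite names, e.g. TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 or
# TLS_RSA_WITH_AES_128_CBC_SHA (RSA key exchange, no separate auth token).
SUITE_RE = re.compile(
    r"^TLS_(?P<kx>ECDHE|DHE|ECDH|DH|RSA|PSK|NULL)(?:_(?P<auth>RSA|ECDSA|DSS|anon|PSK))?"
    r"_WITH_(?P<cipher>.+?)_(?P<hash>SHA256|SHA384|SHA|MD5)$"
)


@dataclass
class TlsConfig:
    version: str
    suite: str
    encrypt_then_mac: bool = False  # assumed: RFC 7366 extension negotiated?


def violations(cfg: TlsConfig) -> list[str]:
    """Return the profile rules a configuration breaks (empty list = compliant)."""
    problems = []
    if cfg.version not in PERMITTED_VERSIONS:
        problems.append(f"version {cfg.version} not permitted")
    m = SUITE_RE.match(cfg.suite)
    if m is None:
        # Whitelist semantics: a suite the profile does not know is denied.
        return problems + [f"suite {cfg.suite} not recognised, denied"]
    if m["kx"] not in PFS_KEY_EXCHANGE:
        problems.append(f"key exchange {m['kx']} is not forward secret")
    if m["cipher"] not in PERMITTED_CIPHERS:
        problems.append(f"cipher {m['cipher']} not permitted")
    if m["hash"] not in PERMITTED_HASH:
        problems.append(f"hash {m['hash']} not permitted")
    # AEAD (GCM) suites have no MAC ordering to get wrong; CBC suites must use EtM.
    if m["cipher"].endswith("_CBC") and not cfg.encrypt_then_mac:
        problems.append("CBC suite without encrypt-then-MAC")
    return problems


if __name__ == "__main__":
    for cfg in (TlsConfig("TLSv1.2", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"),
                TlsConfig("TLSv1.2", "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256"),
                TlsConfig("TLSv1.0", "TLS_RSA_WITH_AES_128_CBC_SHA")):
        print(cfg.suite, "->", violations(cfg) or "OK")
```

A suite the profile has never heard of (say, a non-AES AEAD suite) is rejected because it is not permitted, which is the difference from a blacklist that only names what is forbidden.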