On Wed, Sep 16, 2015 at 06:37:21PM -0400, Dave Garrett wrote:
> On Wednesday, September 16, 2015 05:38:27 pm Viktor Dukhovni wrote:
> > On Wed, Sep 16, 2015 at 03:03:54PM -0400, Dave Garrett wrote:
> > > The suggestion that started this thread was to have a "Standard TLS Profile"
> > > that actually allowed EXPORT ciphers & SSL3. So yeah, this proposal feels
> > > like a suggestion to keep allowance of obsolete junk as the norm with
> > > "defensive" as a separate option, because that's what it specifically
> > > says.
> > 
> > Object to such a profile, and rather than the idea of profiles.
> > There is no need for the TLS WG to define any profiles that include
> > SSL3 or EXPORT ciphers.
> 
> That's a fair point, but I don't see the need for a profile once that
> stuff is not allowed anywhere. I could accept the notion of a TLS

<mentally splice in long and never-ending debate about opportunistic use
of weaker ciphers, so that we don't have to physically splice it in here>

> strict mode, where it's TLS 1.2 + PFS + AEAD + no
> SHA1/DSA/SSL2HELLO/etc. only, but that's not really a "profile" so
> much as one paragraph that could be added. Application profiles are
> already a thing, so I don't see why we also need a new mechanism here.

It's a profile.  Call it what you will.  The rest of us call this a
profile.  All the more so when profiles are named in an IANA registry.
Applications can then very trivially select an appropriate TLS profile
using standard profile naming.

> Let me put it this way, I see no way for the WG to reasonably agree on
> this without a proposed _set_ of profiles to go with it that we all
> could also live with. Just the vague notion of more profiles in
> abstract isn't sounding great on its own.

We've certainly had a few proposed profiles over time.  Your estimation
of what the WG would or would not agree to is not as interesting as, you
know, actually attempting to get consensus.

Nico
-- 

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
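The "strict mode" sketched in the message above (TLS 1.2 only, PFS, AEAD, no SHA-1/DSA) is concrete enough to express as an application-side configuration and to audit. The following is an added example, not code from the thread or from any IETF document; it assumes CPython 3.7 or later on OpenSSL 1.1.0 or later, and uses only the `ssl` module. The cipher-string keywords and the `kx-*`/`auth-*` labels returned by `SSLContext.get_ciphers()` are OpenSSL's own.

```python
"""
Build a client SSLContext matching the "strict" profile discussed in the
thread (TLS >= 1.2, forward-secret key exchange, AEAD-only suites, no DSA
authentication, no SHA-1 MACs), then audit what the context would offer.
Added example; assumes CPython >= 3.7 with OpenSSL >= 1.1.0.
"""
import ssl

# OpenSSL cipher-string keywords: ECDHE = ephemeral ECDH (forward secrecy),
# AESGCM / CHACHA20 = AEAD bulk ciphers, !DSS = no DSA-signed certificates,
# !SHA1 = no SHA-1 MACs.  TLS 1.3 suites are unaffected by this string; they
# are always AEAD and forward-secret.
STRICT_CIPHERS = "ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!DSS:!SHA1"

# A deliberately lax list for comparison: ECDHE with both GCM and CBC AES,
# i.e. it still admits non-AEAD (CBC + HMAC) suites.
LAX_CIPHERS = "ECDHE+AES"

# Key-exchange labels that give forward secrecy.  'kx-any' is what OpenSSL
# reports for TLS 1.3 suites, whose key exchange is always ephemeral.
ALLOWED_KX = {"kx-ecdhe", "kx-dhe", "kx-any"}


def _base_context() -> ssl.SSLContext:
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)   # CERT_REQUIRED + hostname check
    # TLS 1.2 floor also rules out SSLv2/SSLv3 hellos and TLS 1.0/1.1.
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.options |= ssl.OP_NO_COMPRESSION
    return ctx


def strict_tls_context() -> ssl.SSLContext:
    """Context conforming to the strict profile."""
    ctx = _base_context()
    ctx.set_ciphers(STRICT_CIPHERS)
    return ctx


def lax_tls_context() -> ssl.SSLContext:
    """Same version floor, but a cipher list that still admits CBC suites."""
    ctx = _base_context()
    ctx.set_ciphers(LAX_CIPHERS)
    return ctx


def profile_violations(ctx: ssl.SSLContext) -> list:
    """Return [(suite_name, reason), ...] for everything ctx would offer that
    falls outside the strict profile.  An empty list means it conforms.
    Note: Python's ssl module does not expose signature-algorithm
    restrictions, so SHA-1 *signatures* are outside what this audit can see;
    it covers version floor, key exchange, authentication and MAC/AEAD."""
    problems = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        problems.append(("<context>", "minimum_version below TLS 1.2"))
    for c in ctx.get_ciphers():
        name = c["name"]
        if not c["aead"]:
            problems.append((name, "not AEAD"))
        if c["kea"] not in ALLOWED_KX:
            problems.append((name, "non-forward-secret key exchange %s" % c["kea"]))
        if c["auth"] == "auth-dss":
            problems.append((name, "DSA authentication"))
        if c["digest"] == "sha1":
            problems.append((name, "SHA-1 MAC"))
    return problems


if __name__ == "__main__":
    for label, ctx in (("strict", strict_tls_context()), ("lax", lax_tls_context())):
        print("%s profile offers %d suites" % (label, len(ctx.get_ciphers())))
        for suite, reason in profile_violations(ctx):
            print("  VIOLATION %s: %s" % (suite, reason))
```

Run as a script it lists the suites each context would offer and flags the lax one; the point of `profile_violations` is that a named profile is something an application can check mechanically, rather than a paragraph of prose each deployment re-interprets.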