On Wed 2016-03-30 15:20:08 -0400, Ilari Liusvaara wrote:
> On Wed, Mar 30, 2016 at 12:05:26PM -0400, Daniel Kahn Gillmor wrote:
>> On Wed 2016-03-30 11:33:09 -0400, Benjamin Kaduk wrote:
>> > I am not sure that we want to be in the business of explicitly marking
>> > things as insecure other than our own RFCs, though -- there could be an
>> > implication of more review than is actually the case, which is what this
>> > proposal is trying to get rid of.
>>
>> I think i agree with Ben here: if we have a tri-state:
>> approved/not-approved/known-bad, then the people will infer that the
>> not-approved ciphersuites are better than the known-bad ones, which
>> isn't necessarily the case.
>>
>> I think i'd rather see it stay at "approved/not-approved"
>
> Then how should ciphersuites with explicit diediedie RFCs (currently
> RC4) be presented?
i'd say that they are "not-approved", clearly. :)

We don't represent those RFCs in any way at all right now, and yet they seem to have some kind of social impact.

I observe that we have a "notes" column in the ciphersuite registry currently, which indicates one or more RFCs related to the ciphersuite in question:

https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-4

I'm a little disappointed that RFC 7465 ("Prohibiting RC4 ciphersuites") isn't listed in the Notes column for all ciphersuites using RC4. Perhaps that change needs to be made as well?

--dkg
_______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls