So the Postfix team finds SMTP servers that support EXPORT and nothing 
stronger?  Wow, I am very surprised.

For those who don't know, "export strength" crypto was a creation of the US 
government in the early 1990s, and the rules were removed in 2000. It's been 
more than a dozen years; it's time to stop supporting it.

        /r$

--  
Principal Security Engineer
Akamai Technology
Cambridge, MA



-----Original Message-----
From: [email protected] [mailto:[email protected]] 
On Behalf Of Viktor Dukhovni
Sent: Tuesday, May 14, 2013 10:51 PM
To: [email protected]
Subject: Re: FIPS Capable Ciphers List

On Tue, May 14, 2013 at 09:42:08PM -0500, Salz, Rich wrote:

> Viktor gave some excellent advice.  I'd tweak it by removing 'export' 
> as something to support.  And perhaps use weak, good, strong -- 
> whatever, keep the number of choices very small. I'd suggest to not 
> use "default" since folks will get upset if it changes. They are more 
> accepting if the definition of 'strong cipher' changes with time. It's 
> curious, but it's the way humans seem to work.

The reason Postfix supports "export" is because it supports an opportunistic 
TLS mode, where we fall back to plain-text if the remote server does not offer 
TLS, or the handshake fails.

So the "export" grade is default for opportunistic connections, since even 
"export" is somewhat better than plain-text.

With mandatory TLS destinations the default cipher grade is "medium".

The actual design has to match the constraints and requirements of the 
particular application as well as usability considerations.

> The openssl cipher spec is pretty darn subtle and it is far too easy 
> to get wrong.

Excellent one sentence summary.

-- 
        Viktor.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [email protected]
Automated List Manager                           [email protected]
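The thread turns on two points: a Postfix cipher "grade" is just a name for an OpenSSL cipher string, and those strings are easy to get wrong. The following is an added example, not code from the thread, from Postfix, or from OpenSSL. It uses Python's standard `ssl` module (assumed to be linked against OpenSSL 1.1.0 or later, where the export suites no longer exist) to show which suites a cipher string actually selects and to audit the result against a minimum-strength policy before the string is used for a mandatory-TLS destination. The sample cipher strings in `main` are constructed for illustration.

```python
"""Added example, not code from the thread or from Postfix/OpenSSL: use the
Python ssl module to see which suites an OpenSSL cipher string actually
selects, and check the result against a minimum-strength policy before
using it for a mandatory-TLS destination."""
import ssl


def resolve_cipher_spec(spec):
    """Return [(name, protocol, strength_bits), ...] for every suite the
    OpenSSL cipher string `spec` selects in this Python's OpenSSL build.

    An empty list means OpenSSL rejected the string because nothing matched;
    on OpenSSL 1.1.0 and later that is the outcome for "EXPORT", since the
    40/56-bit export suites were removed from the library (assumption: the
    interpreter is linked against such an OpenSSL).
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(spec)
    except ssl.SSLError:
        return []
    # get_ciphers() also lists the TLS 1.3 suites, which OpenSSL enables
    # independently of the TLS 1.2 cipher string.
    return [(c["name"], c["protocol"], c["strength_bits"])
            for c in ctx.get_ciphers()]


def policy_violations(spec, min_bits=128):
    """Suites selected by `spec` that a mandatory-TLS policy should not
    admit: below `min_bits` of effective strength, or NULL encryption.
    Run this on a cipher string before trusting it; the keywords are easy
    to misread and a broad string admits more than intended.
    """
    return [(name, proto, bits)
            for name, proto, bits in resolve_cipher_spec(spec)
            if bits < min_bits or "NULL" in name]


def report(label, spec):
    """Print a one-line summary of `spec` plus any suites below policy."""
    suites = resolve_cipher_spec(spec)
    bad = policy_violations(spec)
    print(f"{label:8} {spec!r}: {len(suites)} suites, {len(bad)} below policy")
    for name, proto, bits in bad:
        print(f"    weak: {name} ({proto}, {bits} bits)")


if __name__ == "__main__":
    # Constructed sample specs: a modern grade suitable for mandatory TLS,
    # the legacy export grade, and a deliberately broad string to audit.
    report("strong", "HIGH:!aNULL:!eNULL")
    report("export", "EXPORT")
    report("broad", "ALL:@STRENGTH")
```

Running it prints, for each string, how many suites it selects and which of them fall below 128 bits or use NULL encryption; the "export" line shows zero suites on a current OpenSSL, which is the concrete reason an "export" grade no longer buys anything over plain text. In Postfix these grades are set per mode through the `smtp_tls_ciphers` (opportunistic) and `smtp_tls_mandatory_ciphers` (mandatory) parameters, so the string you audit here is the one those parameters ultimately hand to OpenSSL.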