<inline> Tom Petch

----- Original Message -----
From: "Rainer Gerhards" <[EMAIL PROTECTED]>
To: "Miao Fuyou" <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Sent: Thursday, November 23, 2006 8:47 AM
Subject: RE: [Syslog] Updated Syslog-tls Document
Hi Miao,

<inline> Rainer

<snip>
>
> > - cipher suites and such are left to the operator. We should
> > indicate the (serious) consequences of this selection
> >
> > ---------------------------------------------
> > One note on the cipher suites:
> > I know there has been some discussion previously, but I
> > wasn't able to find the post in question in the archive.
> > Probably you can help me out.
> >
> > Question: how do we guarantee a minimum interoperability of
> > implementations of this document if we do not specify any
> > cipher suite?
> >
>
> Tom and I discussed this issue on the mailing list. TLS protocol has its
> mandatory suite (TLS_RSA_WITH_3DES_EDE_CBC_SHA), and TLS specification
> says that if application profile (syslog-tls in this case) does not
> specify a mandatory cipher suite, TLS mandatory suite will apply. So, no
> need to specify one in this specification.

Ahh... that was the message I did not find in the archive. Thanks for
bringing it up again. That obviously solves the interop problem. However,
I am still of the view that we should advise operators to use strong
suites in the security considerations section.

<tp> I raised it because I wanted a cipher suite spelt out in the I-D rather
than leaving it as an exercise in ingenuity for the reader to find where it
is specified. The pro and con of not specifying it in our I-D is that as the
views in the security community change (and some would regard the default as
too weak - eg US government) so the mandatory to implement is changed for us
without us noticing.

Tom Petch

_______________________________________________
Syslog mailing list
Syslog@lists.ietf.org
https://www1.ietf.org/mailman/listinfo/syslog
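The practical consequence of the exchange above is that a syslog-over-TLS deployment built on a silent profile inherits whatever the TLS base specification's mandatory-to-implement suite happens to be (TLS_RSA_WITH_3DES_EDE_CBC_SHA for TLS 1.0/1.1; TLS 1.2 in RFC 5246 moved it to TLS_RSA_WITH_AES_128_CBC_SHA), unless the operator pins something stronger. The following is an added example, not code from the thread or from the syslog-tls draft, of the operator-side check Rainer's security-considerations advice implies: a suite-name policy applied both to a candidate list and to what a receiver's TLS context would actually offer. The weak-token list, the OpenSSL cipher string and the sample suite list are assumptions constructed for the example.

```python
"""Cipher-suite policy check for a syslog-over-TLS receiver.

Added example; not from the syslog-tls draft or from any poster in the
thread. The policy (WEAK_TOKENS, RECEIVER_CIPHERS) is an assumed operator
choice, and SAMPLE_SUITES is a constructed input list.
"""
import re
import ssl

# Mandatory-to-implement suites named in the base TLS specs: the default a
# silent application profile inherits. TLS 1.0/1.1 (RFC 2246/4346) vs
# TLS 1.2 (RFC 5246) is exactly the "changes under us" effect Tom describes.
TLS10_MTI_SUITE = "TLS_RSA_WITH_3DES_EDE_CBC_SHA"
TLS12_MTI_SUITE = "TLS_RSA_WITH_AES_128_CBC_SHA"

# Assumed policy: a suite whose name (IANA "TLS_..._WITH_..." or OpenSSL
# "ECDHE-RSA-..." spelling) contains any of these tokens is rejected.
# Tokenising on "_" and "-" avoids substring accidents such as "DES" inside
# "ECDHE" (which does not occur) while still catching DES, 3DES and DES40.
WEAK_TOKENS = frozenset({
    "NULL", "EXPORT", "EXP",            # no encryption / export-grade keys
    "RC4", "DES", "3DES", "DES40",      # broken or 64-bit-block ciphers
    "MD5",                              # weak MAC/PRF
    "ANON", "ADH", "AECDH",             # unauthenticated key exchange
})

def _tokens(name):
    return [t.upper() for t in re.split(r"[_-]", name) if t]

def is_weak_suite(name):
    """True if the suite name violates the assumed policy."""
    return any(tok in WEAK_TOKENS for tok in _tokens(name))

def audit(suites):
    """Split a candidate list into (accepted, rejected) under the policy."""
    accepted = [s for s in suites if not is_weak_suite(s)]
    rejected = [s for s in suites if is_weak_suite(s)]
    return accepted, rejected

# Assumed receiver-side OpenSSL cipher string: forward-secret AEAD suites
# only, with the weak families also excluded explicitly so that a future
# default cannot quietly re-enable them.
RECEIVER_CIPHERS = (
    "ECDHE+AESGCM:ECDHE+CHACHA20"
    ":!aNULL:!eNULL:!EXPORT:!3DES:!RC4:!MD5"
)

def build_receiver_context(cipher_string=RECEIVER_CIPHERS):
    """TLS server context for a syslog receiver with the pinned suite list."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(cipher_string)
    return ctx

def enabled_weak_suites(ctx):
    """Suites the context would still offer that violate the policy.

    This is the check to run after any OpenSSL or Python upgrade: an empty
    list means the pinned configuration still holds.
    """
    return [c["name"] for c in ctx.get_ciphers() if is_weak_suite(c["name"])]

# Constructed sample input: what an implementation might advertise when it
# simply follows the base TLS defaults plus a few historical suites.
SAMPLE_SUITES = [
    TLS10_MTI_SUITE,
    TLS12_MTI_SUITE,
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_RC4_128_MD5",
    "TLS_DH_anon_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_NULL_SHA",
    "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
    "TLS_AES_256_GCM_SHA384",
]

if __name__ == "__main__":
    ok, bad = audit(SAMPLE_SUITES)
    print("accepted:", ok)
    print("rejected:", bad)
    print("receiver still offers weak suites:",
          enabled_weak_suites(build_receiver_context()))
```

The audit deliberately flags the TLS 1.0/1.1 mandatory suite (3DES) but not the TLS 1.2 one (AES-128-CBC), which is the whole of Tom's point: a profile that says nothing gets a different floor depending on which TLS version the reader looks up, so the operator has to pin the floor themselves. The second check, over the live context, is the one that catches the floor moving underneath a deployed receiver.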