Hi,

It looks good.  I tend to add some sentences like the one Rainer proposed.
Any objection?

Thanks,
Miao

> -----Original Message-----
> From: Rainer Gerhards [mailto:[EMAIL PROTECTED] 
> Sent: Friday, November 24, 2006 3:16 PM
> To: Miao Fuyou; tom.petch; [EMAIL PROTECTED]
> Subject: RE: Ciphersuites Re: [Syslog] Updated Syslog-tls Document
> 
> Tom, Miao,
> 
> Might it be a compromise to add a sentence to -transport-tls 
> that tells an implementor to look for mandatory to implement 
> suites inside the TLS document? Something like
> 
> "Minimum Interoperability between different implementations 
> of this specification is achieved via the mandatory to 
> implement cipher suites specified in <tls-rfc>."
> 
> That would be a reminder that might be helpful.
> 
> Rainer
> 
> > -----Original Message-----
> > From: Miao Fuyou [mailto:[EMAIL PROTECTED]
> > Sent: Friday, November 24, 2006 4:04 AM
> > To: 'tom.petch'; Rainer Gerhards; [EMAIL PROTECTED]
> > Subject: RE: Ciphersuites Re: [Syslog] Updated Syslog-tls Document
> > 
> >  
> > My observation about ciphersuite:
> > 1, TLS wg can do a better job on ciphersuite selection than a profile
> > developer.
> > 2, The TLS specification will be updated if the mandatory cipher is too
> > weak to provide appropriate protection, but a profile-specific suite may
> > not be updated accordingly.
> > 3, Before TLS mandates a stronger cipher suite,
> > TLS_RSA_WITH_3DES_EDE_CBC_SHA is strong enough for most syslog
> > applications. If an operator wants a stronger cipher suite for a highly
> > sensitive syslog application, he still has the freedom to specify one;
> > a mandatory cipher suite is only a MUST for the implementer rather than
> > the operator.
> > 
> > So, my view is that a ciphersuite is not necessary to be defined in this
> > specification, and it is not good to specify it in this specification.
> > 
> > Thanks,
> > Miao
> > > >
> > > > Tom and I discussed this issue on the mailing list. The TLS
> > > > protocol has its mandatory suite (TLS_RSA_WITH_3DES_EDE_CBC_SHA), and the TLS
> > > > specification says that if the application profile (syslog-tls in this
> > > > case) does not specify a mandatory cipher suite, the TLS
> > > > mandatory suite will apply. So, there is no need to specify one in this specification.
> > > 
> > > Ahh... that was the message I did not find in the archive. 
> > > Thanks for bringing it up again. That obviously solves the interop 
> > > problem. However, I am still of the view that we should advise 
> > > operators to use strong suites in the security considerations 
> > > section.
> > > 
> > > <tp>
> > > 
> > > I raised it because I wanted a cipher suite spelt out in the I-D
> > > rather than leaving it as an exercise in ingenuity for the reader to
> > > find where it is specified.  The pro and con of not specifying it in
> > > our I-D is that as the views in the security community change (and
> > > some would regard the default as too weak - e.g. US government) so the
> > > mandatory to implement is changed for us without us noticing.
> > > 
> > > Tom Petch
> > > 



_______________________________________________
Syslog mailing list
Syslog@lists.ietf.org
https://www1.ietf.org/mailman/listinfo/syslog
