---- Original Message -----
From: "Tim Moses" <tim.mo...@entrust.com>
To: "t.petch" <ie...@btconnect.com>
Cc: "Rick Andrews" <rick_andr...@symantec.com>; <wpkops@ietf.org>
Sent: Wednesday, November 27, 2013 1:20 PM
Subject: Re: [wpkops] Early draft of vendor questionnaire


Tom.  These are good points.  They relate more to the TLS stack than the
PKI.  But, they are relevant for all that.

Can you provide specific questions?

Tim

Yes, my thoughts have a TLS bias but that is what I got from reading the
document!

And I find the document quite large already and am reluctant to add more
to it without removing something.

I think that Server Q1 is inappropriate for two reasons.
1) Different versions of e.g. Windows Server have very different
capabilities and I would think it verging on the impossible to fill this
in for the different versions.  Rather, people should be invited to fill
in a separate questionnaire for each version.  And it is the vendor who
knows what makes sense as a version, thus, as I recall, Windows Vista is
the same as 2008R1, but 2008R2 is the same as 7, i.e. it is the underlying
SChannel that matters, not the terms that might be used in marketing.
2) Many, if not most, organisations will not disclose market share and
might stop and go no further - such data is often available but from
other sources such as Universities and large web sites, not from
vendors.

And a second substantial point is Server Q2 which I find misguided - yes
you want to know what is supported but I think that this should be in
terms of TLS ciphersuites - after all, Q8 does not ask what versions of
SSH are in use!

And my third substantial point is Server Q8 which I think fundamental,
and which should come earlier, perhaps second (assuming that the
emphasis on TLS is correct); and it is a complex question, it is really
about the negotiation that takes place to find a version acceptable to
client and server which in turn affects the available ciphersuites and
so on.  I am not sure how to rephrase this question and will think some
more.

Tom Petch

All the best. Tim.

> On Nov 27, 2013, at 6:09 AM, "t.petch" <ie...@btconnect.com> wrote:
>
> Complicated:-(  Perhaps there is a danger of losing the wood for the
> trees.
>
> Thus, I think of TLS in terms of cipher suites and think that software
> vendors would too; the mix and match approach of algorithms in 2) (where
> is RC4 or AEAD or AES-GCM?) seems likely to produce the wrong answers.
>
> I also think of TLS in terms of versions, of which there are two values
> that appear separately in setting up a TLS connection, and many software
> vendors would appear not to understand what the specification says in
> that regard and so are in breach of it.  Fallback attacks derived
> therefrom are a significant part of using TLS.
>
> And then there is Key Usage; some check, others do not.
>
> And the hot topic of three years ago was Renego and support for it;
> still significant today.  Links into fallback attacks.
>
> While a running sore is where does the software get its identifier from;
> this document keeps talking of DN (I wonder how common that is).
> RFC6125 should probably be in there somewhere.
>
> And the treatment of user certs (I know what Microsoft does and it is
> very sensible but suspect that it is unique).
>
> etc etc
>
> Tom Petch
>
> ----- Original Message -----
> From: "Rick Andrews" <rick_andr...@symantec.com>
> To: <wpkops@ietf.org>
> Sent: Wednesday, November 27, 2013 12:27 AM
>
> Folks,
>
> Here's a very early draft, started by Tim with updates from David and
> me. I've turned on Track Changes; please feel free to add edits and
> comments.
>
> I'm sure there are many more questions we can ask. Please pile 'em on.
>
> -Rick



_______________________________________________
wpkops mailing list
wpkops@ietf.org
https://www.ietf.org/mailman/listinfo/wpkops
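The "two values" Tom mentions are the record-layer version and the
ClientHello.client_version, and the "fallback attacks derived therefrom"
are what happens when a server gets the RFC 5246 Appendix E negotiation
rule wrong and clients compensate by retrying with a lower version.  The
model below is an added illustration, not code from the thread or the
draft questionnaire: the servers, the client retry loop and the on-path
"attacker" are all constructed.  The TLS_FALLBACK_SCSV check at the end
goes beyond the 2013 discussion; it is the mitigation later standardised
in RFC 7507 and is included to show why a correct negotiator needs it.

```python
"""Added example: TLS version negotiation, version intolerance, client
fallback, and the downgrade that fallback opens up.  Constructed models
only; version numbers are the real (major, minor) wire encodings."""

from dataclasses import dataclass, field
from typing import Callable, List, Optional

# ProtocolVersion wire values (major, minor); tuples compare correctly.
SSL30, TLS10, TLS11, TLS12 = (3, 0), (3, 1), (3, 2), (3, 3)
NAMES = {SSL30: "SSLv3", TLS10: "TLS 1.0", TLS11: "TLS 1.1", TLS12: "TLS 1.2"}
TLS_FALLBACK_SCSV = 0x5600  # RFC 7507 signalling cipher suite value


@dataclass
class ClientHello:
    record_version: tuple          # TLSPlaintext.version in the record header
    client_version: tuple          # ClientHello.client_version: highest supported
    cipher_suites: List[int] = field(default_factory=list)


@dataclass
class Server:
    highest: tuple
    lowest: tuple = SSL30
    version_intolerant: bool = False   # bug: refuses client_version > highest
    strict_record_layer: bool = False  # bug: refuses record_version != highest
    supports_scsv: bool = False        # RFC 7507 downgrade protection

    def negotiate(self, hello: ClientHello) -> Optional[tuple]:
        """Return ServerHello.server_version, or None for a fatal alert."""
        # RFC 5246 E.1: servers SHOULD accept any {3, x} record-layer version
        # on the ClientHello.  A strict server breaks every client that sends
        # the recommended {3, 1} there, and no client_version retry helps.
        if self.strict_record_layer and hello.record_version != self.highest:
            return None
        # A client_version above what we know must be answered with our own
        # highest version, never refused.  Intolerant servers refuse it.
        if self.version_intolerant and hello.client_version > self.highest:
            return None
        if hello.client_version < self.lowest:
            return None                                  # protocol_version alert
        chosen = min(hello.client_version, self.highest)
        # RFC 7507: a retry carrying TLS_FALLBACK_SCSV that offers less than
        # we support is evidence of a downgrade -> inappropriate_fallback.
        if (self.supports_scsv and TLS_FALLBACK_SCSV in hello.cipher_suites
                and chosen < self.highest):
            return None
        return chosen


def connect(server: Server, fallback: bool,
            tamper: Optional[Callable[[ClientHello], bool]] = None):
    """Client side: offer TLS 1.2 first; if `fallback` is set, retry with the
    next lower client_version (marking retries with TLS_FALLBACK_SCSV).
    `tamper(hello)` returning True models an on-path attacker dropping that
    attempt.  Returns (negotiated version or None, number of attempts)."""
    order = [TLS12, TLS11, TLS10, SSL30]
    attempts = 0
    for i, version in enumerate(order):
        attempts += 1
        hello = ClientHello(record_version=TLS10, client_version=version,
                            cipher_suites=[TLS_FALLBACK_SCSV] if i else [])
        dropped = tamper is not None and tamper(hello)
        result = None if dropped else server.negotiate(hello)
        if result is not None:
            return result, attempts
        if not fallback:
            break
    return None, attempts


def drop_above_sslv3(hello: ClientHello) -> bool:
    """Constructed attacker: silently kills every attempt above SSLv3."""
    return hello.client_version > SSL30


if __name__ == "__main__":
    cases = [
        ("compliant TLS 1.0 server, no fallback", Server(TLS10), False, None),
        ("intolerant TLS 1.0 server, no fallback", Server(TLS10, version_intolerant=True), False, None),
        ("intolerant TLS 1.0 server, with fallback", Server(TLS10, version_intolerant=True), True, None),
        ("TLS 1.2 server, fallback, attacker dropping", Server(TLS12), True, drop_above_sslv3),
        ("TLS 1.2 server + SCSV, fallback, attacker", Server(TLS12, supports_scsv=True), True, drop_above_sslv3),
    ]
    for label, srv, fb, tamper in cases:
        ver, n = connect(srv, fb, tamper)
        print(f"{label}: {NAMES.get(ver, 'FAILED')} after {n} attempt(s)")
```

The last two cases are the point: a fallback-enabled client talking to a
perfectly good TLS 1.2 server ends up on SSLv3 if something on the path
drops its first three attempts, and only the SCSV check on the server turns
that silent downgrade into a hard failure.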
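On the "where does the software get its identifier from" point and the
suggestion that RFC 6125 belongs in the document: the checker below is an
added example, not code from the thread or from any of the vendors under
discussion.  It applies the RFC 6125 section 6 rules that the thread is
hinting at: match the reference identifier against subjectAltName DNS-IDs,
consult the subject CN only when the certificate presents no DNS-ID at
all, and apply the conservative wildcard reading that browsers use.
Certificates are modelled as plain dicts (constructed), not parsed X.509.

```python
"""Added example: RFC 6125 reference-identifier matching for DNS-ID and
CN-ID.  Certificate input is a constructed dict, not real X.509 parsing."""

from typing import List, Optional


def _labels(name: str) -> List[str]:
    """Normalise a DNS name: drop a trailing dot, lower-case, split."""
    return name.rstrip(".").lower().split(".")


def match_dns_id(presented: str, reference: str) -> bool:
    """RFC 6125 section 6.4.3 matching of one presented DNS-ID against the
    reference identifier the client derived from the host it wanted.
    Wildcards: only as the whole left-most label, never across a dot, and
    never against a name with fewer labels (*.example.com does not match
    example.com).  Like browsers, refuse *.com-style wildcards (< 3 labels).
    The partial-label form (baz*.example.net) that 6.4.3 merely permits is
    not accepted here, which is the conservative choice."""
    p, r = _labels(presented), _labels(reference)
    if "*" in reference or len(p) != len(r):
        return False
    if "*" in presented:
        if p[0] != "*" or any("*" in label for label in p[1:]):
            return False
        if len(p) < 3:
            return False
        return p[1:] == r[1:]
    return p == r


def verify_host(cert: dict, hostname: str) -> bool:
    """cert = {"subject_cn": str or None, "san_dns": [str, ...]}.
    RFC 6125 section 6.4.4: if the certificate carries any DNS-ID the client
    checks only those and ignores the CN; the CN-ID is consulted only when
    no DNS-ID is present.  Returns True when the host is authenticated."""
    dns_ids: List[str] = cert.get("san_dns", []) or []
    if dns_ids:
        return any(match_dns_id(d, hostname) for d in dns_ids)
    cn: Optional[str] = cert.get("subject_cn")
    return cn is not None and match_dns_id(cn, hostname)


# Constructed sample certificates for the demonstration.
CERT_PLAIN = {"subject_cn": "www.example.com",
              "san_dns": ["www.example.com", "example.com"]}
CERT_WILDCARD = {"subject_cn": "mail.example.com", "san_dns": ["*.example.com"]}
CERT_CN_ONLY = {"subject_cn": "legacy.example.net", "san_dns": []}
# CN names the wanted host but the SAN does not: per 6.4.4 this must FAIL,
# which is exactly the behaviour a DN-centric implementation gets wrong.
CERT_CN_MISMATCH = {"subject_cn": "www.example.org",
                    "san_dns": ["other.example.org"]}


if __name__ == "__main__":
    checks = [
        (CERT_PLAIN, "www.example.com"), (CERT_PLAIN, "EXAMPLE.COM."),
        (CERT_PLAIN, "mail.example.com"), (CERT_WILDCARD, "mail.example.com"),
        (CERT_WILDCARD, "a.b.example.com"), (CERT_WILDCARD, "example.com"),
        (CERT_CN_ONLY, "legacy.example.net"), (CERT_CN_MISMATCH, "www.example.org"),
    ]
    for cert, host in checks:
        print(f"{host:22} -> {'OK' if verify_host(cert, host) else 'REJECT'}")
```

The CERT_CN_MISMATCH case is the one worth testing a stack against: a
certificate whose CN names the host but whose SAN does not must be
rejected once a SAN is present, and an implementation that "keeps talking
of DN" will typically accept it.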
