ietf
[Top] [All Lists]

Re: TLS requirements (Last Call: draft-ietf-atompub-protocol to Proposed Standard)

2007-05-22 11:01:51
On Tue, 22 May 2007, Brian E Carpenter wrote:
On 2007-05-22 07:51, Philip Guenther wrote:
...
We expect application protocols that require TLS to specify a mandatory- -to-implement ciphersuite to guarantee interoperability between clients and servers. How is the TLS version any different? A client that only supports TLS 1.0 will fail at handshake time if the server only supports TLS 1.1. Therefore, if interoperability is the goal, requiring support for a specific version is necessary.

Since as you point out, TLS has version negotiation, don't you mean
"support for at least one specific version is necessary"?

That's a clearer version of what I meant, yes. I certainly didn't mean "must _only_ support specific version X.Y".

It would probably be wise to have some canned words for this be provided by true TLS experts to avoid subtle failure modes. IIRC, a client that supports, say, TLS 1.2 and 1.0 but not 1.1 will not interoperate with a server that supports TLS 1.1 and 1.0. The client presumably violates some requirement, perhaps one for common sense, but I don't see it in a quick scan of the RFCs.

("MUST request a version no smaller than X.Y and MUST support all versions between and including that version and X.Y"?)


And presumably
that would be a version whose security is believed to be minimally
adequate, with all earlier versions being forbidden.

Yep. I was about to say "and the same with cipher suites", but the ordering function for cipher suite "security" changes over time. <sigh>


Philip Guenther

_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/ietf