
mqtt message



Subject: [OASIS Issue Tracker] (MQTT-425) Delete references to DES and discuss CHACHA20


    [ https://issues.oasis-open.org/browse/MQTT-425?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=65759#comment-65759 ] 

Stefan Hagen commented on MQTT-425:
-----------------------------------

I second Ken's idea of removing section 5 "Security", and amend it to offer a real-world "Securing MQTT" non-standards-track Committee Note document instead.

This has two benefits: 

1) Removing the security section from the normative (resistant to change!) spec means it 
    neither becomes outdated 
    nor over-simplifies ("too low security levels") 
    nor enforces incompatibilities by "too high security levels"
2) We can adjust the 
    perspective with possibly a few stringent sample topologies, 
    volume of offering advice e.g. on selection of algorithms, key strengths 
    and react in short publication cycles on only future known threats and exploits,
    all these fostering the needs of readers with practical real problems

Another big advantage of providing a best-practice perspective Committee Note would be to provide such information in adequate formulation to aid small and large organizations alike in providing a secure MQTT service - be it client or server.

The 3.1.1 situation in that regard is to me quite esoteric and appears to be rather useless IMO.

I hereby offer to act as one editor for such a non-normative Committee Note "Securing MQTT" that replaces the current section 5 "Security".


> Delete references to DES and discuss CHACHA20
> ---------------------------------------------
>
>                 Key: MQTT-425
>                 URL: https://issues.oasis-open.org/browse/MQTT-425
>             Project: OASIS Message Queuing Telemetry Transport (MQTT) TC
>          Issue Type: Improvement
>          Components: core
>    Affects Versions: 5
>            Reporter: Ken Borgendale
>
> The security section 5 has a reference to AES and DES as cipher suites for mobile and embedded devices.  The current recommendation for security is to totally disable all DES based ciphers including 3DES.  
> The new cipher suite which is designed for use in less powerful devices is CHACHA20 which has equivalent encryption to AES but is faster to encrypt on processors without hardware support.  The downside for now is that a lot of servers do not support it.
> I would actually like to remove section 5 as I think it is orthogonal to the MQTT specification, and highly prone to become outdated.  However, if we decide to keep it we should keep it up to date at least at the time we release the specification.



--
This message was sent by Atlassian JIRA
(v6.2.2#6258)

