OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.

 


Help: OASIS Mailing Lists Help | MarkMail Help

security-services message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]

Subject: Re: [security-services] TLS & SSL ciphersuite language

Rich Salz wrote:
> 
> Do we know if any of the browsers actually implement 3des?
                           ^^^^^^^^
> 
> > So, since we're operating in OASIS rather than the IETF, I suggest we specify
> > the following TLS and SSL ciphersuites as MTI..
> >
> >     TLS_RSA_WITH_3DES_EDE_CBC_SHA  (when using TLS)
> >     SSL_RSA_WITH_3DES_EDE_CBC_SHA  (when using SSL)
> 
> The real world is clearly RSA/128-bit RC4.

Ah. Good point, thanks. I presume the ciphersuite you're referring to is..

  TLS_RSA_WITH_RC4_128_SHA

..or is it..

  TLS_RSA_WITH_RC4_128_MD5

?

I was thinking more in the context of "server-to-server" rather than what
deployed browsers might have embedded in them. But in any case, it'd be useful
if we can find documentation to support a decision on MTI ciphersuite for the
"web browser profile of SAML". 

I just poked around my Netscape Communicator 4.73 and all I can find so far is
this piece of text (in the page rendered by "Help > About Communicator...") ...

  This version supports U.S. security
  with RSA Public Key Cryptography,
  MD2, MD5, RC2-CBC, RC4,
  DES-CBC, DES-EDE3-CBC . 

Note "DES-EDE3-CBC" -- I wonder if that's a typo and is meant to actually be
"3DES-EDE-CBC"? I suspect it might be because I've not seen "EDE"
(encrypt-decrypt-encrypt) referred to as "EDE3" before
(http://www.rsa.com/rsalabs/faq/3-2-6.html).  So, Netscape 4.73 might actually
support 3DES-EDE-CBC ?

In any case, I'm happy to say that the "web browser profile of SAML" require
one of the *_RSA_WITH_RC4_128_* ciphersuites rather than
*_RSA_WITH_3DES_EDE_CBC_SHA, if we can substantiate that the former is actually
what is predominantly implemented and deployed. 

I suspect there are intellectual property reasons we'd want to try to lean
towards requiring 3DES rather than RC4 in general, so if it turns out that RC4
is predominant in browsers, I wonder if it'll be worth it to call out a
different MTI ciphersuite, e.g. *_RSA_WITH_3DES_EDE_CBC_SHA, for the SAML SOAP
binding case.

thanks,

JeffH

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]

Powered by eList eXpress LLC