[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]
Subject: Re: [security-services] TLS & SSL ciphersuite language
Rich Salz wrote: > > Do we know if any of the browsers actually implement 3des? ^^^^^^^^ > > > So, since we're operating in OASIS rather than the IETF, I suggest we specify > > the following TLS and SSL ciphersuites as MTI.. > > > > TLS_RSA_WITH_3DES_EDE_CBC_SHA (when using TLS) > > SSL_RSA_WITH_3DES_EDE_CBC_SHA (when using SSL) > > The real world is clearly RSA/128-bit RC4. Ah. Good point, thanks. I presume the ciphersuite you're referring to is.. TLS_RSA_WITH_RC4_128_SHA ..or is it.. TLS_RSA_WITH_RC4_128_MD5 ? I was thinking more in the context of "server-to-server" rather than what deployed browsers might have embedded in them. But in any case, it'd be useful if we can find documentation to support a decision on MTI ciphersuite for the "web browser profile of SAML". I just poked around my Netscape Communicator 4.73 and all I can find so far is this piece of text (in the page rendered by "Help > About Communicator...") ... This version supports U.S. security with RSA Public Key Cryptography, MD2, MD5, RC2-CBC, RC4, DES-CBC, DES-EDE3-CBC . Note "DES-EDE3-CBC" -- I wonder if that's a typo and is meant to actually be "3DES-EDE-CBC"? I suspect it might be because I've not seen "EDE" (encrypt-decrypt-encrypt) referred to as "EDE3" before (http://www.rsa.com/rsalabs/faq/3-2-6.html). So, Netscape 4.73 might actually support 3DES-EDE-CBC ? In any case, I'm happy to say that the "web browser profile of SAML" require one of the *_RSA_WITH_RC4_128_* ciphersuites rather than *_RSA_WITH_3DES_EDE_CBC_SHA, if we can substantiate that the former is actually what is predominantly implemented and deployed. I suspect there are intellectual property reasons we'd want to try to lean towards requiring 3DES rather than RC4 in general, so if it turns out that RC4 is predominant in browsers, I wonder if it'll be worth it to call out a different MTI ciphersuite, e.g. *_RSA_WITH_3DES_EDE_CBC_SHA, for the SAML SOAP binding case. thanks, JeffH
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]
Powered by eList eXpress LLC