Re: [Isms] SNMP over (D)TLS draft available for review

>>>>> On Wed, 28 Oct 2009 14:58:51 +0900, Hamid Mukhtar <hamid.mukhtar at gmail.com> said:

>> the NULL integrity and encryption algorithms MUST NOT be used to fulfill
>> security level requests for authentication or privacy.
>> Implementations MAY choose to force (D)TLS to only allow
>> cipher_suites that provide both authentication and privacy to
>> guarantee this assertion.

HM> IMO the requirement, as stated currently, may have to be changed to
HM> consider authentication-only cipher suites (with no encryption)
HM> [RFC4785].

First, thanks for reviewing the text.

The intent of that text is to allow for the following combinations:

   |                | noAuthNoPriv | authNoPriv | authPriv  |
   | Authentication | NULL         | something* | something |
   | Encryption     | NULL         | NULL       | something |

But to explicitly disallow:

   |                | noAuthNoPriv | authNoPriv | authPriv |
   | Authentication |              | NULL       | NULL     |
   | Encryption     |              |            | NULL     |
     
So the text is not intended to prohibit what you're describing.
Functionally what you want is the * above (in the allowed table), where
the authentication algorithm is not NULL.  The actual algorithm would
be an authenticating encryption algorithm, but since it's doing
authentication it's functionally acting "in that slot".

So, I don't think the intent of the text needs to change but if the
wording is unclear then the text should be updated to make it explicitly
clear.
-- 
Wes Hardaker
Cobham Analytic Solutions
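An added example, not from the draft or from Wes's message: a small Python check that applies the quoted rule to (D)TLS cipher suite names, classifying each suite by the highest SNMP securityLevel it may fulfill and filtering a list the way an implementation that "forces (D)TLS to only allow" suitable suites would. It assumes IANA-style names of the form TLS_<kx>_WITH_<cipher>_<mac>; the parser and the treatment of GCM/CCM/ChaCha20-Poly1305 suites as authenticating encryption (the "*" slot in the allowed table) are my simplifications, and TLS_RSA_WITH_AES_128_CBC_NULL is a constructed name with no registered counterpart, used only to exercise the disallowed "encryption without authentication" column.

```python
import re

# SNMP securityLevel values, ranked so a suite good for a higher level
# also satisfies any lower one (authPriv >= authNoPriv >= noAuthNoPriv).
NO_AUTH_NO_PRIV, AUTH_NO_PRIV, AUTH_PRIV = "noAuthNoPriv", "authNoPriv", "authPriv"
LEVEL_RANK = {NO_AUTH_NO_PRIV: 0, AUTH_NO_PRIV: 1, AUTH_PRIV: 2}

# Bulk-cipher modes that authenticate on their own (assumption: AEAD modes
# are recognised by name; the trailing hash in such suites is the PRF).
AEAD_MODES = ("GCM", "CCM", "CHACHA20_POLY1305")

def suite_properties(suite):
    """Return (has_integrity, has_privacy) parsed from an IANA-style suite name."""
    m = re.match(r"^TLS_(?P<kx>.+)_WITH_(?P<rest>.+)$", suite)
    if not m:
        raise ValueError("unrecognised cipher suite name: %s" % suite)
    rest = m.group("rest")            # e.g. AES_128_CBC_SHA, NULL_SHA, NULL_NULL
    if rest == "NULL_NULL":           # TLS_NULL_WITH_NULL_NULL: nothing at all
        return False, False
    bulk, _, mac = rest.rpartition("_")
    has_privacy = bulk != "NULL"      # NULL encryption gives no privacy
    aead = any(mode in bulk for mode in AEAD_MODES)
    # An AEAD cipher provides the authentication itself, so it fills the
    # "something*" slot even though there is no separate MAC algorithm.
    has_integrity = aead or mac != "NULL"
    return has_integrity, has_privacy

def highest_level(suite):
    """Highest securityLevel the suite may be used to fulfill under the rule."""
    integrity, privacy = suite_properties(suite)
    if integrity and privacy:
        return AUTH_PRIV
    if integrity:
        return AUTH_NO_PRIV           # e.g. the NULL-encryption suites of RFC 4785
    # No integrity: even with encryption this is the disallowed column, so it
    # may only ever satisfy a noAuthNoPriv request.
    return NO_AUTH_NO_PRIV

def may_fulfill(suite, requested_level):
    """True if the suite is allowed to satisfy a request for requested_level."""
    return LEVEL_RANK[highest_level(suite)] >= LEVEL_RANK[requested_level]

def allowed_suites(suites, required_level):
    """Restrict an offered suite list to those acceptable for required_level."""
    return [s for s in suites if may_fulfill(s, required_level)]
```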
