Re: [Isms] SNMP over (D)TLS draft available for review




On Thu, Oct 29, 2009 at 1:20 AM, Wes Hardaker <wjhns1 at hardakers.net> wrote:
>>>>>> On Wed, 28 Oct 2009 14:58:51 +0900, Hamid Mukhtar <hamid.mukhtar at gmail.com> said:
>
>>> the NULL integrity and encryption algorithms MUST NOT be used to fulfill
>>> security level requests for authentication or privacy.
>>> Implementations MAY choose to force (D)TLS to only allow
>>> cipher_suites that provide both authentication and privacy to
>>> guarantee this assertion.
>
> HM> IMO the requirement, as stated currently, may have to be changed to
> HM> consider authentication-only cipher suites (with no encryption)
> HM> [RFC4785].
>
> First, thanks for reviewing the text.
>
> The intent of that text is to allow for the following combinations:
>
>   |                | noAuthNoPriv | authNoPriv | authPriv  |
>   | Authentication | NULL         | something* | something |
>   | Encryption     | NULL         | NULL       | something |
>
> But to explicitly disallow:
>
>   |                | noAuthNoPriv | authNoPriv | authPriv |
>   | Authentication |              | NULL       | NULL     |
>   | Encryption     |              |            | NULL     |
>
> So the text is not intended to prohibit what you're describing.
> Functionally what you want is the * above (in the allowed table), where
> the authentication algorithm is not NULL.  The actual algorithm would
> be an authenticating encryption algorithm, but since it's doing
> authentication it's functionally acting "in that slot".
>
> So, I don't think the intent of the text needs to change but if the
> wording is unclear then the text should be updated to make it explicitly
> clear.

Yes, the wording might cause confusion. I think it's better to be more explicit.

> --
> Wes Hardaker
> Cobham Analytic Solutions
>
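The two tables above can be turned into a simple check. The following is an added example written for this thread, not code from the draft or from either poster: it splits an IANA-style cipher suite name into its bulk cipher and MAC components, derives the highest SNMP security level the suite can honestly provide (NULL MAC means no authentication, NULL cipher means no privacy), and then answers whether a requested level may be fulfilled by that suite. The cipher suite names are assumed to follow the usual "TLS_<kx>_WITH_<cipher>_<mac>" pattern, and the sample list is constructed for illustration.

```python
"""Map TLS cipher suites onto SNMP security levels (constructed example).

Rule from the draft text quoted above: a NULL integrity algorithm can never
satisfy an "auth" request and a NULL encryption algorithm can never satisfy
a "priv" request.  Authentication-only suites (NULL cipher, real MAC, as in
RFC 4785) therefore fill the authNoPriv slot.
"""
from enum import IntEnum


class SecurityLevel(IntEnum):
    # Ordered so that ">=" means "provides at least this much".
    NO_AUTH_NO_PRIV = 0
    AUTH_NO_PRIV = 1
    AUTH_PRIV = 2


def parse_suite(name):
    """Split 'TLS_<kx>_WITH_<cipher>_<mac>' into (cipher, mac).

    Assumption: the name follows the common IANA layout.  For AEAD suites
    the trailing token is the PRF hash rather than a MAC, but it is still
    non-NULL, which is all the security-level mapping cares about.
    """
    if "_WITH_" not in name:
        raise ValueError("unrecognised cipher suite name: %s" % name)
    _, tail = name.split("_WITH_", 1)
    parts = tail.split("_")
    mac = parts[-1]
    cipher = "_".join(parts[:-1])
    return cipher, mac


def provided_level(name):
    """Highest SNMP security level this suite may be used to fulfil."""
    cipher, mac = parse_suite(name)
    has_integrity = mac != "NULL"
    has_privacy = cipher != "NULL"
    if has_integrity and has_privacy:
        return SecurityLevel.AUTH_PRIV
    if has_integrity:
        # Authentication-only suite: the MAC occupies the "something*" slot.
        return SecurityLevel.AUTH_NO_PRIV
    # NULL integrity: cannot satisfy auth, and therefore cannot satisfy
    # authPriv either, even if the cipher is not NULL (second table above).
    return SecurityLevel.NO_AUTH_NO_PRIV


def can_fulfill(name, requested):
    """True if the suite may be used to satisfy the requested level."""
    return provided_level(name) >= requested


def restrict_to_auth_priv(suites):
    """The MAY clause: keep only suites giving both authentication and privacy."""
    return [s for s in suites if provided_level(s) == SecurityLevel.AUTH_PRIV]


# Constructed sample list; names mirror IANA registrations but the set is
# illustrative, not a recommendation.
SAMPLE_SUITES = [
    "TLS_NULL_WITH_NULL_NULL",
    "TLS_RSA_WITH_NULL_SHA",
    "TLS_PSK_WITH_NULL_SHA256",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_128_GCM_SHA256",
]

if __name__ == "__main__":
    for suite in SAMPLE_SUITES:
        print("%-36s -> %s" % (suite, provided_level(suite).name))
    print("authPriv-only:", restrict_to_auth_priv(SAMPLE_SUITES))
```

Running it shows the NULL/NULL suite landing in noAuthNoPriv, the two NULL-cipher suites in authNoPriv, and only the AES suites surviving the authPriv filter, which is exactly the split the two tables describe.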

Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.