Re: [TLS] Security today
> 3. The major servers support ephemeral DH, as do many clients.
This is where you are wrong. Here is a list of servers that will
not negotiate DHE_RSA with any of AES128, AES256, or DES3:
www.bankofamerica.com
www.wellsfargo.com
www.citibank.com
www.americanexpress.com
www.visa.com
www.mastercard.com
www.discovercard.com
www.amazon.com
www.apple.com
www.microsoft.com
www.ibm.com
www.verisign.com
www.godaddy.com
www.equifax.com
There are only a few that I just tried that do:
www.paypal.com
www.entrust.com
www.thawte.com
> You should of course feel free to write an advocacy piece somewhere
> about how people really should use DHE, but that's not really
> something appropriate for the TLS WG to take on.
Ok, I guess that is what I will have to do. I disagree that the
TLS WG can just write a spec and then they're done. Any company
with a complex product (and the spec is a product of sorts) writes
whitepapers, and even sends experts to customer sites to make sure
it is installed properly. Clearly we can't do the latter, but a
whitepaper is certainly doable (and needed!).
Mike
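As an added example (not part of Mike's message or the list archive), the kind of check the message describes: the client offers a server only DHE_RSA suites with AES128, AES256 or 3DES, capped at TLS 1.2, and reports whether one is negotiated. The OpenSSL suite names, the sample host and the `report` helper are assumptions; which suites the local OpenSSL build still offers varies (3DES is usually compiled out).

```python
import socket
import ssl

# OpenSSL names for the suites the message tests: DHE_RSA with AES128, AES256 or 3DES.
# Assumption: not every name is available locally; set_ciphers() only fails if none are.
DHE_RSA_SUITES = ":".join([
    "DHE-RSA-AES128-SHA", "DHE-RSA-AES256-SHA",
    "DHE-RSA-AES128-SHA256", "DHE-RSA-AES256-SHA256",
    "DHE-RSA-AES128-GCM-SHA256", "DHE-RSA-AES256-GCM-SHA384",
    "DHE-RSA-DES-CBC3-SHA", "EDH-RSA-DES-CBC3-SHA",
])

def key_exchange(cipher_name):
    """Classify an OpenSSL cipher-suite name by its key-exchange method."""
    if cipher_name.startswith("TLS_"):
        return "TLS1.3"          # TLS 1.3 suites always use (EC)DHE
    if cipher_name.startswith(("DHE-", "EDH-")):
        return "DHE"
    if cipher_name.startswith("ECDHE-"):
        return "ECDHE"
    if cipher_name.startswith(("DH-", "ECDH-")):
        return "static-DH"       # long-term DH key in the certificate: no forward secrecy
    return "RSA"                 # no prefix means static RSA key transport

def forward_secret(cipher_name):
    """True if sessions under this suite stay secret after the server key leaks."""
    return key_exchange(cipher_name) in ("DHE", "ECDHE", "TLS1.3")

def probe_dhe(host, port=443, timeout=5.0):
    """Offer only the DHE_RSA suites above (TLS <= 1.2) and report what is negotiated.
    Returns (cipher_name, None) on success or (None, reason) if the handshake fails."""
    ctx = ssl.create_default_context()
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2   # TLS 1.3 would mask the DHE question
    ctx.set_ciphers(DHE_RSA_SUITES)
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                name, _version, _bits = tls.cipher()
                return name, None
    except OSError as exc:                          # ssl.SSLError is an OSError
        return None, str(exc)

def report(hosts):
    """Probe each host; return {host: negotiated DHE suite or None}."""
    results = {}
    for host in hosts:
        name, reason = probe_dhe(host)
        results[host] = name
        print(f"{host}: {'negotiates ' + name if name else 'refuses DHE_RSA (' + reason + ')'}")
    return results

if __name__ == "__main__":
    report(["www.example.com"])   # constructed sample; use hosts you administer
```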
TLS mailing list
TLS at ietf.org
https://www.ietf.org/mailman/listinfo/tls