Re: [TLS] Still missing: TLS_ECDH_anon_WITH_AES_xxx_GCM_SHAxxx

To: "<tls%ietf.org@localhost>" <tls%ietf.org@localhost>, "ietf-ssh%netbsd.org@localhost" <ietf-ssh%netbsd.org@localhost>
Subject: Re: [TLS] Still missing: TLS_ECDH_anon_WITH_AES_xxx_GCM_SHAxxx
From: Peter Gutmann <pgut001%cs.auckland.ac.nz@localhost>
Date: Thu, 13 Mar 2014 23:01:26 +0000

Alyssa Rowan <akr%akr.io@localhost> writes:

>Can we perhaps make that a SHOULD NOT (or even a MUST NOT), if it somehow
>isn't already? It's way too common in the wild, and it really is next to
>useless practice from the same kind of wilful carelessness that brought the
>world so many default/engineering/field service passwords/backdoors.

I doubt it'll make any difference, those who would read and follow the RFC on
this point won't be using insecure certs/keys anyway, and those who are using
them will ignore (or not even read to that point) the RFC.  I've heard this
sort of thing referred to in the past as "workgroup posturing", and that's
unfortunately what it'll be...

Peter.

Prev by Date: Re: [TLS] Still missing: TLS_ECDH_anon_WITH_AES_xxx_GCM_SHAxxx
Next by Date: Protocol ambiguity: want_reply vs CHANNEL_CLOSE
Previous by Thread: Re: [TLS] Still missing: TLS_ECDH_anon_WITH_AES_xxx_GCM_SHAxxx
Next by Thread: Protocol ambiguity: want_reply vs CHANNEL_CLOSE
Indexes:

Home | Main Index | Thread Index | Old Index