[cabfpub] Updated Agenda for F2F Meeting 33

Rick Andrews Rick_Andrews at symantec.com
Mon Sep 15 18:12:10 MST 2014


The TLS working group and others at the IETF are debating which new algorithms to support in TLS. I don't think we have the expertise to tackle such questions in the CABF. 

-Rick

> On Sep 15, 2014, at 11:56 PM, "Erwann Abalea" <erwann.abalea at opentrust.com> wrote:
> 
> Le 15/09/2014 17:08, Håvard Molland a écrit :
>>> On 15. sep. 2014 15:51, Erwann Abalea wrote:
>>> Le 15/09/2014 13:16, Håvard Molland a écrit :
>>>>> On 15. sep. 2014 11:15, Erwann Abalea wrote:
>>>>> [SM2/SM3 adoption]
>>>> 
>>>> Any new algorithm should offer improvements on the existing algorithms, such as improved security, new security features or speed. I'm not sure we should add new algorithms simply for the sake of being alternatives.
>>> 
>>> I agree, that's what SHOULD drive the inclusion of algorithms or parameters. Based on that, the CABF SHOULD NOT discuss about approval of these new things (not yet)
>>> 
>>> Others MAY think differently, such as Russia, where GOST-approved algorithms are mandatory
>> You mean it's mandatory for servers to offer GOST? Surely they can't demand browser support?
> 
> I mean it's mandatory for everyone to do GOST-* stuff. DNSSEC, TLS, ... You can think it's stupid (I do).
> Support for DNSSEC is present in RFC5933, support for TLS is drafted in draft-chudov-cryptopro-cptls-04. There was some work on NSS, I think OpenSSL works (with the GOST engine?), I don't know if Opera/Apple/MS supports this.
> Mandatory is weak here; the .ru zone isn't GOST-* signed, I can't find a GOST-* signed certificate, everyone seems to be happy with the current situation.
> 
>>> . And we DO see GOST-approved hash algorithms used in OCSP requests (to produce the issuerNameHash and issuerKeyHash). Now.
>>> 
>>> What if China mandates the use of their own algorithms?
>> If every regime wants their own ciphers, it will be impossible to manage. Instead of adding a new cipher suit per country/regime, the list should consist of relatively few ciphers everyone could agree on. Hopefully the current ciphers would be such a list, although it might be a bit US centric.  This discussion is a bit to big for CA/B forum alone though.
> 
> China is a bigger market than Russia is. That could make a difference. (insert sad face)
> Anyway, it's too early to discuss at CABF.
> 
> -- 
> Erwann ABALEA
> 
> _______________________________________________
> Public mailing list
> Public at cabforum.org
> https://cabforum.org/mailman/listinfo/public


More information about the Public mailing list