
RE: Issue 282: cipher suites, discussion needed



You could just leave this to the TLS specification.  For version 1.0 and 1.1 it is TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA and for 1.2 it is TLS_RSA_WITH_AES_128_CBC_SHA.   If it is common today for implementations also to implement the RC4 ciphers you can have that as a recommendation as well.  Something like:

"RADSEC implementations MUST support the mandatory to implement cipher suites specified in TLS.  For purposes of compatibility with some current deployments, implementations SHOULD support TLS_RSA_WITH_RC4_128_SHA as well."

Cheers,

Joe 

> -----Original Message-----
> From: Stefan Winter [mailto:stefan.winter@restena.lu] 
> Sent: Wednesday, February 11, 2009 1:13 AM
> To: Joseph Salowey (jsalowey)
> Cc: radiusext@ops.ietf.org
> Subject: Issue 282: cipher suites, discussion needed
> 
> Hi,
> 
> > 3.  I'm not sure I understand the choice of ciphersuites.
> >
> > Why is TLS_RSA_WITH_RC4_128_SHA recommended?  It seems that it would
> > be much preferable to use AES or 3DES?
> >   
> 
> I could use a little help here. Is there anyone willing to 
> investigate cipher suite selection? An alternative would be 
> to follow the path of e.g. the EAP tunnel reqs, which cite 
> NIST references for acceptable cipher suites...
> 
> Greetings,
> 
> Stefan Winter
> 
> --
> Stefan WINTER
> Ingenieur de Recherche
> Fondation RESTENA - Réseau Téléinformatique de l'Education 
> Nationale et de la Recherche 6, rue Richard Coudenhove-Kalergi
> L-1359 Luxembourg
> 
> Tel: +352 424409 1
> Fax: +352 422473
> 
> 

--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>