
RE: Issue 282: cipher suites, discussion needed



Yes, in general it's a good idea to acknowledge that TLS implementations need to implement the mandatory-to-implement ciphersuites for the versions they support. With respect to NIST guidance, I'm a bit puzzled (e.g. SP 800-120 seems to imply that the 1.1 mandatory-to-implement ciphersuite is ok, but the 1.2 one is not).

> Subject: RE: Issue 282: cipher suites, discussion needed
> Date: Mon, 16 Feb 2009 21:48:38 -0800
> From: jsalowey@cisco.com
> To: stefan.winter@restena.lu
> CC: radiusext@ops.ietf.org
>
> You could just leave this to the TLS specification. For version 1.0 and 1.1 it is TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA and for 1.2 it is TLS_RSA_WITH_AES_128_CBC_SHA. If it is common today for implementations also to implement the RC4 ciphers you can have that as a recommendation as well. Something like:
>
> "RADSEC implementation MUST support the mandatory to implement cipher suites specified in TLS. For purposes of compatibility with some current deployments implementations SHOULD support TLS_RSA_WITH_RC4_128_SHA as well."
>
> Cheers,
>
> Joe