[Ach] 8.5.1 key exchange -- feedback, please!

L. Aaron Kaplan kaplan at cert.at
Wed Nov 20 22:09:56 CET 2013


On Nov 20, 2013, at 6:36 PM, Aaron Zauner <azet at azet.org> wrote:

> 
> On 20 Nov 2013, at 17:56, christian mock <cm at coretec.at> wrote:
> 
>> On Wed, Nov 20, 2013 at 03:23:16PM +0100, Adi Kriegisch wrote:
>>> Hi!
>>> 
>>> I just started with the section about choosing your own cipher suite. The
>>> idea is to first explain key exchange, authentication, encryption and
>>> message authentication a little and give hints about good/bad algorithms.
>>> 
>>> Then move on to discuss how to select -- based on that knowledge -- cipher
>>> suites in openssl syntax and what limitations a user/sysadmin may have to
>>> deal with.
>>> 
>>> How do you like this structure? ...the content of section 8.5.1? ...and the
>>> layout of that section?
>> 
>> regarding the
>> 
>> TODO: Team: do we need references for all cipher suites considered weak?
> 
> I think we should include such references!
> 

Please take a look at section 8.3 "Known insecure and weak cipher suites".
This is quite important. Before that section we described our recommendations.
After that section, we explain how to choose your own cipher string.

So, yeah, the reader should know what to avoid.

At the last meeting Philipp wanted to write that section.
Will you get around to doing that?
Should we just start?

>> 
>> What about a single reference indicating that key lengths <112 (or
>> whatever) are considered evil?
>> 
>> The "key exchange" section looks complete, but it needs much more
>> clarity, especially since this is very complicated. And what does the
>> colorful table show? ;-)
>> 
>> cm.
>> 
>> 
>> -- 
>> Christian Mock                          Wiedner Hauptstr. 15
>> Senior Security Engineer                1040 Wien
>> CoreTEC IT Security Solutions GmbH      +43-1-5037273
>> FN 214709 z
>> 
>> .-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.
>> CoreTEC: Web Application Audit - So that something like this doesn't happen!
>> 
>> http://heise.de/-1260559
>> 
>> .-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.
>> _______________________________________________
>> Ach mailing list
>> Ach at lists.cert.at
>> http://lists.cert.at/cgi-bin/mailman/listinfo/ach
> 

--- 
// L. Aaron Kaplan <kaplan at cert.at> - T: +43 1 5056416 78
// CERT Austria - http://www.cert.at/
// An initiative of nic.at GmbH - http://www.nic.at/
// Commercial register number 172568b, LG Salzburg



