[Ach] 8.5.1 key exchange -- feedback, please!
azet at azet.org
Thu Nov 21 06:52:40 CET 2013
On 20 Nov 2013, at 22:09, L. Aaron Kaplan <kaplan at cert.at> wrote:
> On Nov 20, 2013, at 6:36 PM, Aaron Zauner <azet at azet.org> wrote:
>> On 20 Nov 2013, at 17:56, christian mock <cm at coretec.at> wrote:
>>> On Wed, Nov 20, 2013 at 03:23:16PM +0100, Adi Kriegisch wrote:
>>>> I just started with the section about choosing your own cipher suite. The
>>>> idea is to first explain key exchange, authentication, encryption and
>>>> message authentication a little and give hints about good/bad algorithms.
>>>> Then move on to discuss how to select -- based on that knowledge -- cipher
>>>> suites in openssl syntax and what limitations a user/sysadmin may have to
>>>> deal with.
>>>> How do you like this structure? ...the content of section 8.5.1? ...and the
>>>> layout of that section?
>>> regarding the
>>> TODO: Team: do we need references for all cipher suites considered weak?
>> I think we should include such references!
> Please take a look at section 8.3 "Known insecure and weak cipher suites".
> This is quite important. Before that section we described our recommendations.
> After that section, we explain to to chose your own cipher string.
I currently can’t find time to do that all by myself - I’ll have more time next week when I’m back on evenings and during the weekend.
BTW: I added ‘sslyze’ to the tools section. so please pull.
> So, yeah, the reader should know what to avoid.
> At the last meeting Philipp wanted to write that section.
> Will you get around to doing that?
> Should we just start?
>>> What about a single reference indicating that key lengths <112 (or
>>> whatever) are considered evil?
>>> The "key exchange" section looks complete, but it needs much more
>>> clarity, especially since this is very complicated. And what does the
>>> colorful table show? ;-)
>>> Christian Mock Wiedner Hauptstr. 15
>>> Senior Security Engineer 1040 Wien
>>> CoreTEC IT Security Solutions GmbH +43-1-5037273
>>> FN 214709 z
>>> CoreTEC: Web Application Audit - Damit so etwas nicht passiert!
>>> Ach mailing list
>>> Ach at lists.cert.at
>> Ach mailing list
>> Ach at lists.cert.at
> // L. Aaron Kaplan <kaplan at cert.at> - T: +43 1 5056416 78
> // CERT Austria - http://www.cert.at/
> // Eine Initiative der nic.at GmbH - http://www.nic.at/
> // Firmenbuchnummer 172568b, LG Salzburg
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 1091 bytes
Desc: Message signed with OpenPGP using GPGMail
More information about the Ach