I am fine with the suggested new text.
Roger

>>> "Kurt D. Zeilenga" <Kurt@OpenLDAP.org> 2/7/2006 11:23:38 am >>>

The IESG raised some concerns regarding the WG's choice of TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA as LDAP's mandatory-to-implement TLS ciphersuite. It was noted that the TLS 1.1 specification requires TLS_RSA_WITH_3DES_EDE_CBC_SHA where the application protocol doesn't explicitly state a different mandatory-to-implement TLS ciphersuite. For this and likely other reasons, TLS_RSA_WITH_3DES_EDE_CBC_SHA appears to be more widely supported in TLS implementations. In subsequent discussions, it was noted that TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA support is new to some LDAP implementations.

I noted that the choice was made many years ago by the LDAPEXT WG during the engineering of RFC 2830. The IETF had IPR concerns with RSA-based ciphersuites. These concerns appear to have evaporated with the expiration of certain patents and time.

Please consider whether the text:

    Implementations supporting TLS MUST support the TLS_DHE_DSS_WITH_3DES_EBE_CBC_SHA ciphersuite.

should be replaced with:

    Implementations supporting TLS MUST support the TLS_RSA_WITH_3DES_EDE_CBC_SHA ciphersuite and SHOULD support the TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA ciphersuite. Support for the latter ciphersuite is recommended to encourage interoperability with implementations conforming to earlier LDAP StartTLS specifications.

or otherwise modified (if so, please state how).

Please comment as soon as possible. It is hoped that direction can be given to the Editor later this week.

Kurt, LDAPbis co-chair
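The interoperability argument behind the proposed MUST/SHOULD wording comes down to ciphersuite negotiation: a ClientHello offers a list, the server picks one it implements, and if there is no overlap the StartTLS handshake fails. The following is an added example (not code from the thread, the LDAPbis WG, or any LDAP implementation) that builds and parses minimal TLS 1.1 ClientHello/ServerHello records and runs the negotiation for both sides offline. The ciphersuite code points 0x000A and 0x0013 are the IANA-registered values for the two suites named above; the "old client" and "server" profiles are assumptions chosen to illustrate the point.

```python
"""Toy TLS 1.1 ClientHello/ServerHello builder and parser used to check
which ciphersuite two LDAP StartTLS peers would agree on.  Added example;
not code from the LDAPbis WG or any LDAP implementation.  The code points
are the IANA-registered values; the peer profiles at the bottom are assumed."""
import os
import struct

TLS_RSA_WITH_3DES_EDE_CBC_SHA = 0x000A      # TLS 1.1 default MTI suite
TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA = 0x0013  # RFC 2830 MTI suite
TLS_1_1 = b"\x03\x02"
HANDSHAKE = 0x16


def _record(version, handshake_type, body):
    """Wrap a handshake body in a Handshake message and a TLS record."""
    handshake = bytes([handshake_type]) + len(body).to_bytes(3, "big") + body
    return bytes([HANDSHAKE]) + version + struct.pack("!H", len(handshake)) + handshake


def build_client_hello(cipher_suites, version=TLS_1_1, random_bytes=None):
    """ClientHello offering cipher_suites in preference order (RFC 4346 7.4.1.2)."""
    body = version + (random_bytes or os.urandom(32))
    body += b"\x00"                                   # empty session_id
    suites = b"".join(struct.pack("!H", cs) for cs in cipher_suites)
    body += struct.pack("!H", len(suites)) + suites   # cipher_suites<2..2^16-1>
    body += b"\x01\x00"                               # compression_methods: null
    return _record(version, 1, body)


def build_server_hello(cipher_suite, version=TLS_1_1, random_bytes=None):
    """ServerHello selecting one suite from the client's list (RFC 4346 7.4.1.3)."""
    body = version + (random_bytes or os.urandom(32))
    body += b"\x00"                                   # empty session_id
    body += struct.pack("!H", cipher_suite)
    body += b"\x00"                                   # compression_method: null
    return _record(version, 2, body)


def _handshake_body(record, expected_type):
    """Strip record and handshake headers, checking types and lengths."""
    if len(record) < 5 or record[0] != HANDSHAKE:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    handshake = record[5:5 + rec_len]
    if len(handshake) != rec_len or len(handshake) < 4:
        raise ValueError("truncated record")
    if handshake[0] != expected_type:
        raise ValueError("unexpected handshake type %d" % handshake[0])
    body_len = int.from_bytes(handshake[1:4], "big")
    body = handshake[4:4 + body_len]
    if len(body) != body_len:
        raise ValueError("truncated handshake body")
    return body


def parse_client_hello_suites(record):
    """Return the cipher_suites the ClientHello offers, in its preference order."""
    body = _handshake_body(record, 1)
    pos = 2 + 32                                  # skip client_version + random
    sid_len = body[pos]
    pos += 1 + sid_len                            # skip session_id
    suites_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    if suites_len % 2 or pos + suites_len > len(body):
        raise ValueError("bad cipher_suites length")
    return [struct.unpack("!H", body[i:i + 2])[0]
            for i in range(pos, pos + suites_len, 2)]


def parse_server_hello_suite(record):
    """Return the single cipher_suite the ServerHello selected."""
    body = _handshake_body(record, 2)
    pos = 2 + 32                                  # skip server_version + random
    sid_len = body[pos]
    pos += 1 + sid_len                            # skip session_id
    return struct.unpack("!H", body[pos:pos + 2])[0]


def negotiate(server_suites, client_hello):
    """Server side: pick the first client-offered suite the server implements.
    Returns the ServerHello record, or None when there is no common suite."""
    for suite in parse_client_hello_suites(client_hello):
        if suite in server_suites:
            return build_server_hello(suite)
    return None


def agreed_suite(client_suites, server_suites):
    """Run both halves and report the negotiated suite (None = handshake fails)."""
    hello = build_client_hello(client_suites)
    reply = negotiate(server_suites, hello)
    return None if reply is None else parse_server_hello_suite(reply)


if __name__ == "__main__":
    # Assumed peer profiles: an RFC 2830-era client offering only DHE_DSS,
    # a server implementing only the TLS 1.1 default MTI suite, and a server
    # following the proposed MUST (RSA) plus SHOULD (DHE_DSS) wording.
    old_client = [TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA]
    rsa_only_server = {TLS_RSA_WITH_3DES_EDE_CBC_SHA}
    both_server = {TLS_RSA_WITH_3DES_EDE_CBC_SHA, TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA}
    print(agreed_suite(old_client, rsa_only_server))   # None: no common suite
    print(hex(agreed_suite(old_client, both_server)))  # 0x13: SHOULD suite keeps interop
```

The failing case is the one the proposed SHOULD clause is meant to prevent: a client built to RFC 2830's MTI suite alone cannot complete StartTLS against a server that implements only the TLS 1.1 default. Real implementations will of course offer many more suites, but the overlap check is the same.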