In carrying out the agreement to change all TLS references with SSL3
references, we are making the following changes to that section.
Please send any comments by noon tomorrow if there is any objection.
Thanks,
Carl-Uno and Tom
The existing section 8.6 (8.5 in June draft) is:
8.5 IPP Security Application Profile for TLS
The IPP application profile for TLS follows the standard "Mandatory Cipher
Suites" requirement as documented in the TLS specification [TLS]. Client
implementations MUST NOT assume any other cipher suites are supported by an
IPP Printer object.
If a conforming IPP object supports TLS, it MUST implement and support the
"Mandatory Cipher Suites" as specified in the TLS specification and MAY
support additional cipher suites.
A conforming IPP client SHOULD support TLS including the "Mandatory Cipher
Suites" as specified in the TLS specification. A conforming IPP client MAY
support additional cipher suites.
It is possible that due to certain government export restrictions some
non-compliant versions of this extension could be deployed. Implementations
wishing to inter-operate with such non-compliant versions MAY offer the
TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA mechanism. However, since 40 bit
ciphers are known to be vulnerable to attack by current technology, any
client which actives a 40 bit cipher MUST NOT indicate to the user that the
connection is completely secure from eavesdropping.
The new section replacing references to TLS with SSL3 is:
8.6 IPP Security Application Profile for SSL3
The IPP application profile for SSL3 follows the "Secure Socket Layer"
requirement as documented in the SSL3 specification [SSL]. For
interoperability, the SSL3 cipher suites are:
SSL_RSA_WITH_RC4_128_MD5
SSL_RSA_WITH_3DES_EDE_CBC_SHA
SSL_RSA_WITH_DES_CBC_SHA
SSL_RSA_EXPORT_WITH_RC4_40_MD5
SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5
SSL_RSA_WITH_NULL_MD5
Client implementations MUST NOT assume any other cipher suites are supported
by an IPP Printer object.
If a conforming IPP object supports SSL3, it MUST implement and support the
cipher suites listed above and MAY support additional cipher suites.
A conforming IPP client SHOULD support SSL3 including the cipher suites
listed above. A conforming IPP client MAY support additional cipher suites.
It is possible that due to certain government export restrictions some
non-compliant versions of this extension could be deployed. Implementations
wishing to inter-operate with such non-compliant versions MAY offer the
SSL_RSA_EXPORT_WITH_RC4_40_MD5 and SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5
mechanisms. However, since 40 bit ciphers are known to be vulnerable to
attack by current technology, any client which actives a 40 bit cipher MUST
NOT indicate to the user that the connection is completely secure from
eavesdropping.