Previous Table of Contents Next


24.4.2 Transport Mechanism Configuration


   The configuration of transport-layer security mechanisms is specified in IORs. Support for CSI is indicated within an IOR profile by the presence of at most one TAG_CSI_SEC_MECH_LIST tagged component that defines the mechanism configuration pertaining to the profile. This component contains a list of one or more CompoundSecMech structures, each of which defines the layer-specific security mechanisms that comprise a compound mechanism that is supported by the target. This specification does not define support for CSI mechanisms in multiple-component IOR profiles.

   Each CompoundSecMech structure contains a transport_mech field that defines the transport-layer security mechanism of the compound mechanism. A compound mechanism that does not implement security functionality at the transport layer shall contain the TAG_NULL_TAG component in its transport_mech field. Otherwise, the transport_mech field shall contain a tagged component that defines a transport protocol and its configuration. Section 24.5.1.3, “TAG_TLS_SEC_TRANS,? on page 24-35 and Section 24.5.1.4, “TAG_SECIOP_SEC_TRANS,? on page 24-37 define valid transport-layer components that can be used in the transport_mech field.

   24.4.2.1 Recommended SSL/TLS Ciphersuites

   This specification recommends that implementations support the following ciphersuites in addition to the mandatory ciphersuites identified in [IETF RFC 2246]. Of these additional ciphersuites, those which use weak encryption keys are only recommended for use in environments where strong encryption of SAS protocol elements (including GSSUP authenticators) and request arguments is not required. Some of the recommended ciphersuites are known to be encumbered by licensing constraints.