Re: [TLS] Last Call: <draft-ietf-tls-downgrade-scsv-03.txt> (TLS Fallback Signaling Cipher Suite Value (SCSV) for Preventing Protocol Downgrade Attacks) to Proposed Standard

Bodo Moeller <bmoeller@acm.org> Thu, 12 February 2015 22:52 UTC

Return-Path: <SRS0=blZG=C6=acm.org=bmoeller@srs.kundenserver.de>
X-Original-To: ietf@ietfa.amsl.com
Delivered-To: ietf@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 28BB91A026A for <ietf@ietfa.amsl.com>; Thu, 12 Feb 2015 14:52:39 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.938
X-Spam-Level:
X-Spam-Status: No, score=-0.938 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FM_FORGED_GMAIL=0.622, HELO_EQ_DE=0.35, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id txD2gHB7e1Zl for <ietf@ietfa.amsl.com>; Thu, 12 Feb 2015 14:52:37 -0800 (PST)
Received: from mout.kundenserver.de (mout.kundenserver.de [212.227.17.13]) (using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AFE9D1A00B1 for <ietf@ietf.org>; Thu, 12 Feb 2015 14:52:36 -0800 (PST)
Received: from mail-lb0-f177.google.com ([209.85.217.177]) by mrelayeu.kundenserver.de (mreue101) with ESMTPSA (Nemesis) id 0MAdid-1YSs6k4C0R-00BxDs for <ietf@ietf.org>; Thu, 12 Feb 2015 23:52:34 +0100
Received: by mail-lb0-f177.google.com with SMTP id z11so12319053lbi.8 for <ietf@ietf.org>; Thu, 12 Feb 2015 14:52:33 -0800 (PST)
MIME-Version: 1.0
X-Received: by 10.112.26.110 with SMTP id k14mr5250272lbg.29.1423781553378; Thu, 12 Feb 2015 14:52:33 -0800 (PST)
Received: by 10.25.25.194 with HTTP; Thu, 12 Feb 2015 14:52:33 -0800 (PST)
In-Reply-To: <20150109180539.22231.7270.idtracker@ietfa.amsl.com>
References: <20150109180539.22231.7270.idtracker@ietfa.amsl.com>
Date: Thu, 12 Feb 2015 23:52:33 +0100
Message-ID: <CADMpkcKp3wVL0MV27QmA81s1Ve=r4PCPTfBZ0qfuVHj5ax_PWQ@mail.gmail.com>
Subject: Re: [TLS] Last Call: <draft-ietf-tls-downgrade-scsv-03.txt> (TLS Fallback Signaling Cipher Suite Value (SCSV) for Preventing Protocol Downgrade Attacks) to Proposed Standard
From: Bodo Moeller <bmoeller@acm.org>
To: IETF <ietf@ietf.org>
Content-Type: multipart/alternative; boundary=001a1133ad5cba1aa8050eebf941
X-Provags-ID: V03:K0:G6Ofm5+menPMPb61ahTLw06jIzmjj88BZdKmmiih2HaYBt+Yq8c J+5twKepUTl++Y+HIlC7zSTfrJWSl0xfkhiiCphqraQLGk67FpLyKeGb9t+5okHh2BnhHcO iwtDA4TgJgo0kqQhmnHpkZY+6aKTi5kv+Rg0hf+5bdOc1V07/pgdpshb9/RTu9ZWqO0wfaj 6Ue7HAlWxBPbMQmoIlQng==
X-UI-Out-Filterresults: notjunk:1;
Archived-At: <http://mailarchive.ietf.org/arch/msg/ietf/jscQJIiVmT6cnzX207Tz4V_Ddlo>
X-Mailman-Approved-At: Fri, 13 Feb 2015 08:54:16 -0800
Cc: Adam Langley <agl@google.com>, Paul Hoffman <paul.hoffman@vpnc.org>
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ietf/>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 12 Feb 2015 22:58:13 -0000

>
>
> The IESG has received a request from the Transport Layer Security WG
> (tls) to consider the following document:
> - 'TLS Fallback Signaling Cipher Suite Value (SCSV) for Preventing
>    Protocol Downgrade Attacks'
>   <draft-ietf-tls-downgrade-scsv-03.txt> as Proposed Standard
>
> The IESG plans to make a decision in the next few weeks, and solicits
> final comments on this action. Please send substantive comments to the
> ietf@ietf.org mailing lists by 2015-01-23. Exceptionally, comments may be
> sent to iesg@ietf.org instead. In either case, please retain the
> beginning of the Subject line to allow automated sorting.
>

I have now posted draft-ietf-tls-downgrade-scsv-04, which has editorial
changes only, all in response to the various Last Call reviews:

- Abstract: appended "Server update considerations are included." [OPS-Dir
review]

- Introduction: changed "particularly critical if they mean losing the TLS
extension feature (when downgrading to SSL 3.0)" into "particularly harmful
when the result is loss of the TLS extension feature by downgrading to SSL
3.0" [Gen-ART review]

- Introduction: added "a" with the following result: "... is not a suitable
substitute ..." [SecDir review & Gen-ART review]

- Introduction: added "the" with the following result: "... if the TLS
implementations also include support ..." [SecDir review]

- IANA considerations: changed URLs to
http://www.iana.org/assignments/tls-parameters. [IANA review]

Bodo