Re: [TLS] Non-extension solutions (requirements)
Bodo Moeller <bmoeller@acm.org> Sun, 15 November 2009 21:48 UTC
Return-Path: <bmoeller@acm.org>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 3DF903A6A0A for <tls@core3.amsl.com>; Sun, 15 Nov 2009 13:48:35 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -101.412
X-Spam-Level:
X-Spam-Status: No, score=-101.412 tagged_above=-999 required=5 tests=[AWL=0.837, BAYES_00=-2.599, HELO_EQ_DE=0.35, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qOCxyqbjwYOY for <tls@core3.amsl.com>; Sun, 15 Nov 2009 13:48:34 -0800 (PST)
Received: from moutng.kundenserver.de (moutng.kundenserver.de [212.227.126.186]) by core3.amsl.com (Postfix) with ESMTP id B90893A67F4 for <tls@ietf.org>; Sun, 15 Nov 2009 13:48:33 -0800 (PST)
Received: from [10.1.64.105] (216-239-44-65.google.com [216.239.44.65]) by mrelayeu.kundenserver.de (node=mreu1) with ESMTP (Nemesis) id 0MGmAP-1NND5S0Lmz-00DLQm; Sun, 15 Nov 2009 22:48:32 +0100
From: Bodo Moeller <bmoeller@acm.org>
To: Nelson B Bolyard <nelson@bolyard.me>
In-Reply-To: <4B006D46.6070107@bolyard.me>
References: <4AFF79A4.6020706@extendedsubset.com> <20091115111834.334A869F79B@kilo.networkresonance.com> <4B006D46.6070107@bolyard.me>
Message-Id: <FCF8F926-85D2-4E45-871E-103F23A1B060@acm.org>
Content-Type: text/plain; charset="US-ASCII"; format="flowed"; delsp="yes"
Content-Transfer-Encoding: 7bit
Mime-Version: 1.0 (Apple Message framework v936)
Date: Sun, 15 Nov 2009 13:48:28 -0800
X-Mailer: Apple Mail (2.936)
X-Provags-ID: V01U2FsdGVkX1+ZBhIyyiVpiVEIrscjIMwby9Wi/o9O0fFaWr1 2Sct+US9fv+m73gEfP5IBtuYkmg3JuRjH1CwcpSPV15uCOnQDx E+ImNrdYJf7NhEgaiDbzQ==
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Non-extension solutions (requirements)
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 15 Nov 2009 21:48:35 -0000
On Nov 15, 2009, at 1:06 PM, Nelson B Bolyard wrote: > On 2009-11-15 03:18 PDT, Eric Rescorla wrote: >> Thus, the minimal change is not to change initial negotiations at >> all but simply to change renegotiations. This is quite possible >> with RI simply by not sending it on the initial negotiation. Of >> course, sending it on renegotiation will cause interoperation >> failure with vulnerable servers, but that's the desired outcome. > Are there clients who really want to remain vulnerable? Um, strawman? The minimal change is helpful for clients that want to remain interoperable with servers that haven't been updated yet, because - some servers wouldn't really have to be updated because they don't support renegotiation in the first place; - atomically updating all clients and servers isn't possible; - the attack is irrelevant for opportunistic-encryption scenarios -- if these clients *accept*, as trade-off, that they'd also continue to be able to engage in insecure connections (when connecting to insecure servers). This doesn't mean that they *want* to be vulnerable. It doesn't even imply that they necessarily *are* vulnerable (this depends on what the higher protocol layers are actually doing with the TLS connections, and what servers they open connections to). Bodo
- Re: [TLS] Non-extension solutions (requirements) Martin Rex
- [TLS] Non-extension solutions (requirements) Marsh Ray
- Re: [TLS] Non-extension solutions (requirements) Eric Rescorla
- Re: [TLS] Non-extension solutions (requirements) Eric Rescorla
- Re: [TLS] Non-extension solutions (requirements) Nelson B Bolyard
- Re: [TLS] Non-extension solutions (requirements) Marsh Ray
- Re: [TLS] Non-extension solutions (requirements) Nelson B Bolyard
- Re: [TLS] Non-extension solutions (requirements) Bodo Moeller
- Re: [TLS] Non-extension solutions (requirements) Bodo Moeller
- Re: [TLS] Non-extension solutions (requirements) Martin Rex
- Re: [TLS] Non-extension solutions (requirements) Marsh Ray
- Re: [TLS] Non-extension solutions (requirements) Bodo Moeller
- Re: [TLS] Non-extension solutions (requirements) Martin Rex
- Re: [TLS] Non-extension solutions (requirements) Marsh Ray
- Re: [TLS] Non-extension solutions (requirements) Bodo Moeller
- Re: [TLS] Non-extension solutions (requirements) Eric Rescorla
- Re: [TLS] Non-extension solutions (requirements) Eric Rescorla
- Re: [TLS] Non-extension solutions (requirements) Eric Rescorla
- Re: [TLS] Non-extension solutions (requirements) Marsh Ray
- Re: [TLS] Non-extension solutions (requirements) Eric Rescorla
- Re: [TLS] Non-extension solutions (requirements) Michael D'Errico
- Re: [TLS] Non-extension solutions (requirements) David-Sarah Hopwood
- Re: [TLS] Non-extension solutions (requirements) David-Sarah Hopwood
- Re: [TLS] Non-extension solutions (requirements) Chris Newman
- Re: [TLS] Non-extension solutions (requirements) Simon Josefsson
- Re: [TLS] Non-extension solutions (requirements) David-Sarah Hopwood
- Re: [TLS] Non-extension solutions (requirements) Simon Josefsson
- Re: [TLS] Non-extension solutions (requirements) David-Sarah Hopwood
- Re: [TLS] Non-extension solutions (requirements) Simon Josefsson
- Re: [TLS] Non-extension solutions (requirements) Rob P Williams