Re: [TLS] Last Call: draft-ietf-tls-renegotiation (Transport Layer Security (TLS) Renegotiation Indication Extension) to Proposed Standard
Marsh Ray <marsh@extendedsubset.com> Mon, 30 November 2009 16:32 UTC
Return-Path: <marsh@extendedsubset.com>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id E59083A6A9F for <tls@core3.amsl.com>; Mon, 30 Nov 2009 08:32:25 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.836
X-Spam-Level:
X-Spam-Status: No, score=-1.836 tagged_above=-999 required=5 tests=[AWL=-0.529, BAYES_00=-2.599, MISSING_HEADERS=1.292]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hYu-V8LCAEOD for <tls@core3.amsl.com>; Mon, 30 Nov 2009 08:32:24 -0800 (PST)
Received: from mho-01-ewr.mailhop.org (mho-01-ewr.mailhop.org [204.13.248.71]) by core3.amsl.com (Postfix) with ESMTP id 7AE9B3A692F for <tls@ietf.org>; Mon, 30 Nov 2009 08:31:55 -0800 (PST)
Received: from xs01.extendedsubset.com ([69.164.193.58]) by mho-01-ewr.mailhop.org with esmtpa (Exim 4.68) (envelope-from <marsh@extendedsubset.com>) id 1NF9AC-000A8Z-1T; Mon, 30 Nov 2009 16:31:48 +0000
Received: from [127.0.0.1] (localhost [127.0.0.1]) by xs01.extendedsubset.com (Postfix) with ESMTP id 910F8603C; Mon, 30 Nov 2009 16:31:46 +0000 (UTC)
X-Mail-Handler: MailHop Outbound by DynDNS
X-Originating-IP: 69.164.193.58
X-Report-Abuse-To: abuse@dyndns.com (see http://www.dyndns.com/services/mailhop/outbound_abuse.html for abuse reporting information)
X-MHO-User: U2FsdGVkX19d/MBorSBi4t9XUR18SkFYJELnCwbgepU=
Message-ID: <4B13F367.6040307@extendedsubset.com>
Date: Mon, 30 Nov 2009 10:31:35 -0600
From: Marsh Ray <marsh@extendedsubset.com>
User-Agent: Thunderbird 2.0.0.23 (Windows/20090812)
MIME-Version: 1.0
References: <20091130153734.D44C63A6AA9@core3.amsl.com>
In-Reply-To: <20091130153734.D44C63A6AA9@core3.amsl.com>
X-Enigmail-Version: 0.96.0
OpenPGP: id=1E36DBF2
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Cc: Eric Rescorla <ekr@rtfm.com>, tls@ietf.org
Subject: Re: [TLS] Last Call: draft-ietf-tls-renegotiation (Transport Layer Security (TLS) Renegotiation Indication Extension) to Proposed Standard
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 30 Nov 2009 16:32:26 -0000
A few little suggestions, mostly wording. The IESG wrote: > The IESG has received a request from the Transport Layer Security WG > (tls) to consider the following document: > > - 'Transport Layer Security (TLS) Renegotiation Indication Extension ' > <draft-ietf-tls-renegotiation-01.txt> as a Proposed Standard http://tools.ietf.org/html/draft-ietf-tls-renegotiation-01 [Page 3] > renegotiation handshakes to the enclosing TLS channel, thus allowing > the server to differentiate renegotiation from initial negotiation, > as well as preventing renegotiations from being spliced in between > connections. "spliced in between sessions." [Page 5] > o For ClientHellos which are renegotiating, this field contains the "the renegotiated_connection field contains" [Page 6] > Both the SSLv3 and TLS 1.0/TLS1.1 specifications require > implementations to ignore data following the ClientHello (i.e., > extensions) if they do not understand it. However, some SSLv3 and > TLS 1.0 implementations incorrectly fail the handshake in such case. > This means that clients which offer "renegotiation_info" may find > handshake failures. In order to enhance compatibility with such > servers, this document defines a second signalling mechanism via a > special TLS cipher suite "TLS_RENEGO_PROTECTION_REQUEST", with code > point 0xNN, 0xMM. This cipher suite has exactly the same semantics > as an empty "renegotiation_info" extension. Because servers > ordinarily ignore unknown cipher suites, this cipher suite can be > added safely on any initial handshake, including SSLv2 backward > compatibility handshakes. > > Servers MUST treat receipt of TLS_RENEGO_PROTECTION_REQUEST exactly > as if the client had sent an empty "renegotiation_info" extension and > respond with their own "renegotiation_info" extension. This is an > explicit exception to the RFC 5246 Section 7.4.1.4 prohibition on the > server sending unsolicited extensions and is only allowed because the > client is signaling its willingness to receive the extension via the > the TLS_RENEGO_PROTECTION_REQUEST cipher suite. TLS implementations > MUST continue to comply with 7.4.1.4 for all other extensions. > Servers MUST NOT select this cipher suite in any handshake, as it > does not correspond to any valid set of algorithms. > > Because this cipher suite is equivalent to an empty > "renegotiation_info" extension, only renegotiation_info" may be used > rehandshakes. > > Note that a minimal client which does not support renegotiation at > all can simply use this cipher suite in all initial handshakes. Any > compliant server will reject any (apparent) attempt at renegotiation > by such a client. Clients which do support renegotiation MUST > implement Section 3 as well. I suggest we replace all uses of "cipher suite" in this section with the term "cipher suite value", and we add explicit wording "The TLS_RENEGO_PROTECTION_REQUEST cipher suite value is just a flag, it does not actually a refer to a set of cryptographic algorithms that could ever be used for data transmission." This might seem obvious to all of us, but this wording change could conceivably speed review and fend off questions by some review board. > TLS clients which support this draft MUST generate either the > > "renegotiation_info" extension or the TLS_RENEGO_PROTECTION_REQUEST > cipher suite with every ClientHello. Can they generate both? If not, what does the server do if he receives both? > Existing implementations which do not support this extension are > widely deployed and in general must interoperate with newer > implementations which do support it. This section describes s/must/need to/ to avoid confusion with MUST. > If a client offers the "renegotiation_info" extension or the > TLS_RENEGO_PROTECTION_REQUEST cipher suite and the server does not > reply with "renegotiation_info" in the ServerHello, then this > indicates that the server either does not support secure > renegotiation or is unwilling to use it. Is it allowed for a patched server to be "unwilling"? If not, drop the "or is unwilling to use it" lest it give the impression that such behavior is condoned. > If the client does not offer the "renegotiation_info" extension or > the TLS_RENEGO_PROTECTION_REQUEST cipher suite then this indicates > that the client does not support secure renegotiation or is unwilling > to use it. However, because the above attack looks like two Again, is it allowed for a client to be conformant to this spec and still not send either the extension or magic cipher suite value? - Marsh
- [TLS] Last Call: draft-ietf-tls-renegotiation (Tr… The IESG
- Re: [TLS] Last Call: draft-ietf-tls-renegotiation… Marsh Ray
- Re: [TLS] Last Call: draft-ietf-tls-renegotiation… Robert Dugal
- Re: [TLS] Last Call: draft-ietf-tls-renegotiation… Rob P Williams
- Re: [TLS] Last Call: draft-ietf-tls-renegotiation… Kyle Hamilton
- Re: [TLS] Last Call: draft-ietf-tls-renegotiation… Marsh Ray
- Re: [TLS] Last Call: draft-ietf-tls-renegotiation… Bodo Moeller
- Re: [TLS] Last Call: draft-ietf-tls-renegotiation… Marsh Ray
- Re: [TLS] Last Call: draft-ietf-tls-renegotiation… Nasko Oskov
- Re: [TLS] Last Call: draft-ietf-tls-renegotiation… David-Sarah Hopwood
- Re: [TLS] Last Call: draft-ietf-tls-renegotiation… Glen Zorn
- Re: [TLS] Last Call: draft-ietf-tls-renegotiation… Yoav Nir
- Re: [TLS] Last Call: draft-ietf-tls-renegotiation… Stephen Farrell
- Re: [TLS] Last Call: draft-ietf-tls-renegotiation… Joseph Salowey (jsalowey)
- Re: [TLS] Last Call: draft-ietf-tls-renegotiation… Stefan Santesson
- Re: [TLS] Last Call: draft-ietf-tls-renegotiation… Robert Relyea
- Re: [TLS] Last Call: draft-ietf-tls-renegotiation… Martin Rex
- Re: [TLS] Last Call: draft-ietf-tls-renegotiation… Martin Rex
- Re: [TLS] Last Call: draft-ietf-tls-renegotiation… Marsh Ray
- Re: [TLS] Last Call: draft-ietf-tls-renegotiation… Chris Newman
- Re: [TLS] Last Call: draft-ietf-tls-renegotiation… peter.robinson
- Re: [TLS] Last Call: draft-ietf-tls-renegotiation… David-Sarah Hopwood
- Re: [TLS] Last Call: draft-ietf-tls-renegotiation… Yoav Nir
- Re: [TLS] Last Call: draft-ietf-tls-renegotiation… Pasi.Eronen
- Re: [TLS] Last Call: draft-ietf-tls-renegotiation… Martin Rex
- Re: [TLS] Last Call: draft-ietf-tls-renegotiation… Chris Newman
- Re: [TLS] Last Call: draft-ietf-tls-renegotiation… Chris Newman
- Re: [TLS] Last Call: draft-ietf-tls-renegotiation… Marsh Ray
- Re: [TLS] Last Call: draft-ietf-tls-renegotiation… Nasko Oskov
- Re: [TLS] Last Call: draft-ietf-tls-renegotiation… Marsh Ray
- Re: [TLS] Last Call: draft-ietf-tls-renegotiation… Martin Rex
- Re: [TLS] Last Call: draft-ietf-tls-renegotiation… Cullen Jennings
- Re: [TLS] Last Call: draft-ietf-tls-renegotiation… Martin Rex
- Re: [TLS] Last Call: draft-ietf-tls-renegotiation… Eric Rescorla
- Re: [TLS] Last Call: draft-ietf-tls-renegotiation… Michael D'Errico
- Re: [TLS] Last Call: draft-ietf-tls-renegotiation… Marsh Ray
- Re: [TLS] Last Call: draft-ietf-tls-renegotiation Martin Rex
- Re: [TLS] Last Call: draft-ietf-tls-renegotiation… Marsh Ray
- Re: [TLS] Last Call: draft-ietf-tls-renegotiation… Eric Rescorla
- Re: [TLS] Last Call: draft-ietf-tls-renegotiation… Marsh Ray
- Re: [TLS] Last Call: draft-ietf-tls-renegotiation… Martin Rex
- Re: [TLS] Last Call: draft-ietf-tls-renegotiation… Eric Rescorla
- Re: [TLS] Last Call: draft-ietf-tls-renegotiation… Martin Rex
- Re: [TLS] Last Call: draft-ietf-tls-renegotiation… Marsh Ray
- Re: [TLS] Last Call: draft-ietf-tls-renegotiation… Nelson B Bolyard
- Re: [TLS] Last Call: draft-ietf-tls-renegotiation… David-Sarah Hopwood
- Re: [TLS] Last Call: draft-ietf-tls-renegotiation… David-Sarah Hopwood
- Re: [TLS] Last Call: draft-ietf-tls-renegotiation… Nelson B Bolyard
- Re: [TLS] Last Call: draft-ietf-tls-renegotiation… Marsh Ray
- Re: [TLS] Last Call: draft-ietf-tls-renegotiation… Nelson B Bolyard
- Re: [TLS] Last Call: draft-ietf-tls-renegotiation… Nelson B Bolyard
- Re: [TLS] Last Call: draft-ietf-tls-renegotiation… Martin Rex
- Re: [TLS] Last Call: draft-ietf-tls-renegotiation… Marsh Ray
- Re: [TLS] Last Call: draft-ietf-tls-renegotiation… Martin Rex
- Re: [TLS] Last Call: draft-ietf-tls-renegotiation… Martin Rex
- Re: [TLS] Last Call: draft-ietf-tls-renegotiation David-Sarah Hopwood
- Re: [TLS] Last Call: draft-ietf-tls-renegotiation… Eric Rescorla
- Re: [TLS] Last Call: draft-ietf-tls-renegotiation… Marsh Ray
- Re: [TLS] Last Call: draft-ietf-tls-renegotiation… Martin Rex
- Re: [TLS] Last Call: draft-ietf-tls-renegotiation… Nelson B Bolyard
- Re: [TLS] Last Call: draft-ietf-tls-renegotiation Marsh Ray
- Re: [TLS] Last Call: draft-ietf-tls-renegotiation… Stefan Santesson
- Re: [TLS] Last Call: draft-ietf-tls-renegotiation… Eric Rescorla
- Re: [TLS] Last Call: draft-ietf-tls-renegotiation… David-Sarah Hopwood
- Re: [TLS] Last Call: draft-ietf-tls-renegotiation… Michael Gray
- Re: [TLS] Last Call: draft-ietf-tls-renegotiation… Martin Rex
- Re: [TLS] Last Call: draft-ietf-tls-renegotiation… Yngve N. Pettersen (Developer Opera Software ASA)
- Re: [TLS] Last Call: draft-ietf-tls-renegotiation… Martin Rex
- Re: [TLS] Last Call: draft-ietf-tls-renegotiation David-Sarah Hopwood
- Re: [TLS] Last Call: draft-ietf-tls-renegotiation… David-Sarah Hopwood
- Re: [TLS] Last Call: draft-ietf-tls-renegotiation Chris Newman
- Re: [TLS] Last Call: draft-ietf-tls-renegotiation… Michael Gray
- Re: [TLS] Last Call: draft-ietf-tls-renegotiation Nelson B Bolyard
- Re: [TLS] Last Call: draft-ietf-tls-renegotiation… Marsh Ray
- Re: [TLS] Last Call: draft-ietf-tls-renegotiation… Martin Rex
- Re: [TLS] Last Call: draft-ietf-tls-renegotiation… Marsh Ray
- Re: [TLS] Last Call: draft-ietf-tls-renegotiation… Wan-Teh Chang
- Re: [TLS] Last Call: draft-ietf-tls-renegotiation… Martin Rex
- Re: [TLS] Last Call: draft-ietf-tls-renegotiation… Michael D'Errico
- Re: [TLS] Last Call: draft-ietf-tls-renegotiation… Marsh Ray
- Re: [TLS] Last Call: draft-ietf-tls-renegotiation… Badra
- Re: [TLS] Last Call: draft-ietf-tls-renegotiation… Martin Rex
- Re: [TLS] Last Call: draft-ietf-tls-renegotiation… Stefan Santesson
- Re: [TLS] Last Call: draft-ietf-tls-renegotiation… Marsh Ray
- [TLS] Defining "TLS channel" (Re: Last Call: draf… Nicolas Williams
- [TLS] TLS Renegotiate: empty extension and TLS_RE… peter.robinson
- Re: [TLS] TLS Renegotiate: empty extension and TL… Eric Rescorla
- Re: [TLS] Last Call: draft-ietf-tls-renegotiation… Peter Sylvester
- Re: [TLS] Last Call: draft-ietf-tls-renegotiation… Marsh Ray
- Re: [TLS] Last Call: draft-ietf-tls-renegotiation… Nelson B Bolyard
- Re: [TLS] Last Call: draft-ietf-tls-renegotiation… Martin Rex
- Re: [TLS] Last Call: draft-ietf-tls-renegotiation Martin Rex
- Re: [TLS] Last Call: draft-ietf-tls-renegotiation David-Sarah Hopwood
- Re: [TLS] Last Call: draft-ietf-tls-renegotiation Marsh Ray
- Re: [TLS] Last Call: draft-ietf-tls-renegotiation David-Sarah Hopwood
- [TLS] Overzealous RFC-2119-ification (was Last Ca… David-Sarah Hopwood
- Re: [TLS] Last Call: draft-ietf-tls-renegotiation David-Sarah Hopwood
- Re: [TLS] Last Call: draft-ietf-tls-renegotiation David-Sarah Hopwood
- Re: [TLS] Last Call: draft-ietf-tls-renegotiation Michael D'Errico
- Re: [TLS] Last Call: draft-ietf-tls-renegotiation Marsh Ray
- Re: [TLS] Last Call: draft-ietf-tls-renegotiation David-Sarah Hopwood
- Re: [TLS] Last Call: draft-ietf-tls-renegotiation Michael D'Errico
- Re: [TLS] Last Call: draft-ietf-tls-renegotiation Michael D'Errico
- Re: [TLS] Last Call: draft-ietf-tls-renegotiation Marsh Ray
- Re: [TLS] Last Call: draft-ietf-tls-renegotiation… Michael Gray
- Re: [TLS] Last Call: draft-ietf-tls-renegotiation… David-Sarah Hopwood
- Re: [TLS] Last Call: draft-ietf-tls-renegotiation… Martin Rex
- Re: [TLS] Last Call: draft-ietf-tls-renegotiation… Marsh Ray
- Re: [TLS] Last Call: draft-ietf-tls-renegotiation… Nelson B Bolyard
- Re: [TLS] Last Call: draft-ietf-tls-renegotiation… Florian Weimer
- Re: [TLS] Last Call: draft-ietf-tls-renegotiation… Marsh Ray
- Re: [TLS] Last Call: draft-ietf-tls-renegotiation… Yoav Nir
- Re: [TLS] Defining "TLS channel" (Re: Last Call: … Pasi.Eronen
- Re: [TLS] Last Call: draft-ietf-tls-renegotiation… Paul Hoffman
- Re: [TLS] Last Call: draft-ietf-tls-renegotiation… Steve Checkoway
- Re: [TLS] Last Call: draft-ietf-tls-renegotiation… Steve Dispensa
- Re: [TLS] Defining "TLS channel" (Re: Last Call: … Nicolas Williams
- Re: [TLS] Last Call: draft-ietf-tls-renegotiation… Glen Zorn
- Re: [TLS] Defining "TLS channel" David-Sarah Hopwood
- Re: [TLS] Defining "TLS channel" David-Sarah Hopwood
- Re: [TLS] Defining "TLS channel" Nicolas Williams
- Re: [TLS] Defining "TLS channel" Nicolas Williams
- Re: [TLS] Defining "TLS channel" David-Sarah Hopwood
- Re: [TLS] Defining "TLS channel" Nicolas Williams
- Re: [TLS] Defining "TLS channel" David-Sarah Hopwood
- Re: [TLS] Defining "TLS channel" David-Sarah Hopwood
- Re: [TLS] Last Call: draft-ietf-tls-renegotiation… Martin Rex
- Re: [TLS] Last Call: draft-ietf-tls-renegotiation… Pasi.Eronen
- Re: [TLS] Last Call: draft-ietf-tls-renegotiation… Martin Rex
- Re: [TLS] Defining "TLS channel" tom.petch
- Re: [TLS] Defining "TLS channel" Martin Rex