Re: [TLS] Fixing TLS

Peter Gutmann <pgut001@cs.auckland.ac.nz> Wed, 13 January 2016 12:32 UTC

Return-Path: <pgut001@cs.auckland.ac.nz>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8BA161A6F99 for <tls@ietfa.amsl.com>; Wed, 13 Jan 2016 04:32:13 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.201
X-Spam-Level:
X-Spam-Status: No, score=-4.201 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NPSXQuAi-afM for <tls@ietfa.amsl.com>; Wed, 13 Jan 2016 04:32:08 -0800 (PST)
Received: from mx4.auckland.ac.nz (mx4.auckland.ac.nz [130.216.125.248]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CAF071ACD9F for <tls@ietf.org>; Wed, 13 Jan 2016 04:32:07 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=auckland.ac.nz; i=@auckland.ac.nz; q=dns/txt; s=mail; t=1452688329; x=1484224329; h=from:to:subject:date:message-id:references:in-reply-to: content-transfer-encoding:mime-version; bh=HKM1pZV0o1cxs1AOD2/5Vt6txRPm1czZwdiTj40uuEk=; b=S7gkbHWpNkboKskpbqac/GX56QJ4hfOocuFJXahKNMmLz7z76HUn4M/K n/QS3QgCkpwF+mK+9w682lXKMNeP0PzEd36reHQJJcfTOqkN76uFlWvSF 8pzQJ267iRCRPYHb413Y4p+Bu2VbGY/y1MPmwqW/uZAHyqDzA+5wl48sD kqMT1dSLCKWkpfuKrFGtEpisVpqpEvvK8dgb0Ewj+dsKAaQPqshUCfR3K Fik8ccD6lTc4dxgtNct/dfX+WYgJuYrnELTQrwnnNjdyqEQI62UCbRJdn eBPj+N9R70CGkIMIBSFuYhID5hK0U11IKXqKqU8A6DtuC8y5SUK52us8/ A==;
X-IronPort-AV: E=Sophos;i="5.22,288,1449486000"; d="scan'208";a="62935061"
X-Ironport-HAT: MAIL-SERVERS - $RELAYED
X-Ironport-Source: 130.216.4.112 - Outgoing - Outgoing
Received: from uxchange10-fe1.uoa.auckland.ac.nz ([130.216.4.112]) by mx4-int.auckland.ac.nz with ESMTP/TLS/AES256-SHA; 14 Jan 2016 01:32:06 +1300
Received: from UXCN10-5.UoA.auckland.ac.nz ([169.254.5.153]) by uxchange10-fe1.UoA.auckland.ac.nz ([130.216.4.112]) with mapi id 14.03.0266.001; Thu, 14 Jan 2016 01:32:05 +1300
From: Peter Gutmann <pgut001@cs.auckland.ac.nz>
To: Hubert Kario <hkario@redhat.com>, "tls@ietf.org" <tls@ietf.org>
Thread-Topic: [TLS] Fixing TLS
Thread-Index: AdFNQhHrFy3mVBx6TGiPN32I/iztzf//Ww+AgAFZaKb//zG9AIAArXmAgADjpcM=
Date: Wed, 13 Jan 2016 12:32:05 +0000
Message-ID: <9A043F3CF02CD34C8E74AC1594475C73F4BC7853@uxcn10-5.UoA.auckland.ac.nz>
References: <9A043F3CF02CD34C8E74AC1594475C73F4BC6849@uxcn10-5.UoA.auckland.ac.nz> <9A043F3CF02CD34C8E74AC1594475C73F4BC727B@uxcn10-5.UoA.auckland.ac.nz> <CACsn0ckao2wyptscLq1feQUWyPkkHm6mmarF=7roWv8vGAZkxA@mail.gmail.com>, <1697088.4ma2uCFsM4@pintsize.usersys.redhat.com>
In-Reply-To: <1697088.4ma2uCFsM4@pintsize.usersys.redhat.com>
Accept-Language: en-NZ, en-GB, en-US
Content-Language: en-NZ
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [130.216.158.4]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/2lvJgVuzAL5Hd6UKJY8h5fCGDk8>
Subject: Re: [TLS] Fixing TLS
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 13 Jan 2016 12:32:13 -0000

Hubert Kario <hkario@redhat.com>; writes:

>So lets not repeat those mistakes

Exactly, there are more than enough new ones for 2.0-called-1.3 to make that
we don't (necessarily) have to repeat existing ones (although I'm sure we will
in some cases).

And that's exactly my point, we're throwing away 20 years of refining TLS 1.x
and more or less starting again with 2.0-called-1.3, with a whole new set of
mistakes to make.  I really don't want to spend the next 20 years patching all
the holes that will be found in 2.0-called-1.3, I've already had enough of
that for the 1.x version.

TLS needs an LTS version that you can just push out and leave to its own
devices, for the same reason that other products also have LTS versions, that
lots of people have better things to do with their life than playing bugfix
whack-a-mole for the duration of it.

Peter.