Re: [TLS] draft-rescorla-tls-renegotiate.txt
Nicolas Williams <Nicolas.Williams@sun.com> Sat, 07 November 2009 00:10 UTC
Return-Path: <Nicolas.Williams@sun.com>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 7800B28C0D6 for <tls@core3.amsl.com>; Fri, 6 Nov 2009 16:10:49 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.015
X-Spam-Level:
X-Spam-Status: No, score=-6.015 tagged_above=-999 required=5 tests=[AWL=0.031, BAYES_00=-2.599, HELO_MISMATCH_COM=0.553, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ub2z5Dr0vsnj for <tls@core3.amsl.com>; Fri, 6 Nov 2009 16:10:48 -0800 (PST)
Received: from brmea-mail-1.sun.com (brmea-mail-1.Sun.COM [192.18.98.31]) by core3.amsl.com (Postfix) with ESMTP id 21C5628B797 for <tls@ietf.org>; Fri, 6 Nov 2009 16:10:48 -0800 (PST)
Received: from dm-central-02.central.sun.com ([129.147.62.5]) by brmea-mail-1.sun.com (8.13.6+Sun/8.12.9) with ESMTP id nA70BAv3028047 for <tls@ietf.org>; Sat, 7 Nov 2009 00:11:11 GMT
Received: from binky.Central.Sun.COM (binky.Central.Sun.COM [129.153.128.104]) by dm-central-02.central.sun.com (8.13.8+Sun/8.13.8/ENSMAIL, v2.2) with ESMTP id nA70BA9j000246 for <tls@ietf.org>; Fri, 6 Nov 2009 17:11:10 -0700 (MST)
Received: from binky.Central.Sun.COM (localhost [127.0.0.1]) by binky.Central.Sun.COM (8.14.3+Sun/8.14.3) with ESMTP id nA6NxdsC010506; Fri, 6 Nov 2009 17:59:39 -0600 (CST)
Received: (from nw141292@localhost) by binky.Central.Sun.COM (8.14.3+Sun/8.14.3/Submit) id nA6Nxcia010505; Fri, 6 Nov 2009 17:59:38 -0600 (CST)
X-Authentication-Warning: binky.Central.Sun.COM: nw141292 set sender to Nicolas.Williams@sun.com using -f
Date: Fri, 06 Nov 2009 17:59:38 -0600
From: Nicolas Williams <Nicolas.Williams@sun.com>
To: Martin Rex <mrex@sap.com>
Message-ID: <20091106235938.GO1105@Sun.COM>
References: <B197003731D4874CA41DE7B446BBA3E829CA5315@TK5EX14MBXW653.wingroup.windeploy.ntdev.microsoft.com> <200911062353.nA6NrkWu014870@fs4113.wdf.sap.corp>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <200911062353.nA6NrkWu014870@fs4113.wdf.sap.corp>
User-Agent: Mutt/1.5.7i
Cc: Nasko Oskov <noskov@microsoft.com>, tls@ietf.org
Subject: Re: [TLS] draft-rescorla-tls-renegotiate.txt
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 07 Nov 2009 00:10:49 -0000
On Sat, Nov 07, 2009 at 12:53:46AM +0100, Martin Rex wrote: > Nicolas Williams wrote: > > Stop using SSLv3. Its end has arrived. > > I was actually looking for an answer from engineering, > not for one from sales. :-| :/ Right, the real choice is: stop using re-negotiation without the fix and/or stop using TLS without the fix (which means stop using SSLv3). The first choice leaves clients without the fix vulnerable when they talk to servers that don't have the fix and do accept re-negotiation. That's pretty bad (surely many servers won't get the short-term fix). The second choice renders a large portion of the installed base non-interoperable. That's... much worse. I don't know how addicted we are to re-negotiation and SSLv3, so I can't tell you which choice should win in the short-term, but then, I think turning off re-negotiation may well prove easier than we may have thought (see my reply to Marsh just now). In the longer term though, we should deploy the fix and SSLv3 clients should go away. Nico --
- Re: [TLS] draft-rescorla-tls-renegotiate.txt Martin Rex
- Re: [TLS] draft-rescorla-tls-renegotiate.txt Nicolas Williams
- Re: [TLS] draft-rescorla-tls-renegotiate.txt Nelson B Bolyard
- Re: [TLS] draft-rescorla-tls-renegotiate.txt Martin Rex
- [TLS] Register port for https+client cert (was Re… Chris Newman