Re: [TLS] SCSV vs RI when both specified. Was: Updated draft

Martin Rex <> Fri, 18 December 2009 19:46 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id D89933A69D3 for <>; Fri, 18 Dec 2009 11:46:06 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -6.197
X-Spam-Status: No, score=-6.197 tagged_above=-999 required=5 tests=[AWL=0.052, BAYES_00=-2.599, HELO_EQ_DE=0.35, RCVD_IN_DNSWL_MED=-4]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id F9gL+P1f7iB2 for <>; Fri, 18 Dec 2009 11:46:06 -0800 (PST)
Received: from ( []) by (Postfix) with ESMTP id C5B603A68FA for <>; Fri, 18 Dec 2009 11:46:05 -0800 (PST)
Received: from by (26) with ESMTP id nBIJjn6i005606 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO) for <>; Fri, 18 Dec 2009 20:45:49 +0100 (MET)
From: Martin Rex <>
Message-Id: <>
Orig-To: (Marsh Ray)
Date: Fri, 18 Dec 2009 20:44:21 +0100
In-Reply-To: <> from "Marsh Ray" at Dec 18, 9 01:31:13 pm
MIME-Version: 1.0
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 8bit
X-Scanner: Virus Scanner virwal08
X-SAP: out
Subject: Re: [TLS] SCSV vs RI when both specified. Was: Updated draft
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 18 Dec 2009 19:46:06 -0000

Marsh Ray wrote:
> Martin Rex wrote:
> > Marsh Ray wrote:
> >> Currently, the SCSV achieves its primary objective with a very simple
> >> definition. It has "exactly the same semantics as an empty
> >> 'renegotiation_info' extension".
> > 
> > How about
> > 
> > TLS_RENEGO_PROTECTION_REQUEST is a request from the client to the
> > server to perform a secure handshake and confirm this by sending
> > TLS extension RI in ServerHello.
> But what does that mean? What is "a secure handshake" if you're not
> sending the RI extension? To the extent that this document is describing
> how to perform a secure handshake, that definition is circular.

"A secure handshake" is one where client and server will check
whether the contents of the TLS renegotiation RI match the
verify_data from the Finished messages from the enclosing TLS session
and TLS peers should abort the handshake if the conveyed information
does not match.  The presence of an empty TLS extension RI in ClientHello
is obviated by presence of SCSV in this ClientHello handshake message.

Do not try to describe scenarios.  That is completely unecessary,
very confusing and you may easily get the description of one of
the cases wrong and cause confusion among implementors.

The implementer's feedback was:
In order to implement this MUST NOT I have to add two extra conditionals
to the code, and I have to build test cases to check whether that doesn't
break anything and whether I am compliant -- but in reality these
two conditionals are completely useless, they do not add any value
to the protocol and neither to the security.