Re: [TLS] Consensus Call for draft-ietf-tls-renegotiation-00.txt
Geoffrey Keating <geoffk@apple.com> Sun, 29 November 2009 03:27 UTC
Return-Path: <geoffk@apple.com>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 6D4B23A6925 for <tls@core3.amsl.com>; Sat, 28 Nov 2009 19:27:21 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -106.599
X-Spam-Level:
X-Spam-Status: No, score=-106.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jOkgQMJMAkpN for <tls@core3.amsl.com>; Sat, 28 Nov 2009 19:27:20 -0800 (PST)
Received: from mail-out4.apple.com (mail-out4.apple.com [17.254.13.23]) by core3.amsl.com (Postfix) with ESMTP id B96C43A6825 for <tls@ietf.org>; Sat, 28 Nov 2009 19:27:20 -0800 (PST)
Received: from relay15.apple.com (relay15.apple.com [17.128.113.54]) by mail-out4.apple.com (Postfix) with ESMTP id CD0DD80E2B20 for <tls@ietf.org>; Sat, 28 Nov 2009 19:27:13 -0800 (PST)
X-AuditID: 11807136-b7bafae000000e8d-cb-4b11ea11837f
Received: from [17.151.122.21] (Unknown_Domain [17.151.122.21]) (using TLS with cipher AES128-SHA (AES128-SHA/128 bits)) (Client did not present a certificate) by relay15.apple.com (Apple SCV relay) with SMTP id EC.0F.03725.11AE11B4; Sat, 28 Nov 2009 19:27:13 -0800 (PST)
From: Geoffrey Keating <geoffk@apple.com>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Date: Sat, 28 Nov 2009 19:27:13 -0800
Message-Id: <59FE2EFB-F8EC-489D-AFCE-3D3C29291ADF@apple.com>
To: tls@ietf.org
Mime-Version: 1.0 (Apple Message framework v1077)
X-Mailer: Apple Mail (2.1077)
X-Brightmail-Tracker: AAAAAQAAAZE=
X-Mailman-Approved-At: Sat, 28 Nov 2009 19:42:15 -0800
Subject: Re: [TLS] Consensus Call for draft-ietf-tls-renegotiation-00.txt
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 29 Nov 2009 03:32:59 -0000
Apple supports this draft, with the following modification: The draft does not address the security issue for existing clients unless it requires that renegotiation occur only when the extension is present. I suggest strengthening the language in 4.2 to read To prevent such attacks, servers MUST NOT allow clients who do not offer the "renegotiation_info" extension to complete a renegotiation. If the client initiated the renegotiation the server SHOULD respond to such requests with a "no_renegotiation" alert [RFC 5246 requires this alert to be at the "warning" level.] If the server initiated the renegotiation the fatal "handshake_failure" alert is appropriate. and delete the sentence 'Servers SHOULD follow this behaviour'. With this modification, section 4.1.1 is redundant and may be deleted. It is also possible to delete section 4.3 as with this modification, if the client is convinced to drop the extension, either servers support the draft and will refuse to renegotiate without the extension and are still secure, or don't support the draft and will ignore the extension, and so would be insecure anyway.
- [TLS] Consensus Call for draft-ietf-tls-renegotia… Joseph Salowey (jsalowey)
- Re: [TLS] Consensus Call for draft-ietf-tls-reneg… Nicolas Williams
- Re: [TLS] Consensus Call for draft-ietf-tls-reneg… Martin Rex
- Re: [TLS] Consensus Call for draft-ietf-tls-reneg… Robert Relyea
- Re: [TLS] Consensus Call for draft-ietf-tls-reneg… Stefan Santesson
- [TLS] Another critical problem with RI Michael D'Errico
- Re: [TLS] Another critical problem with RI Michael D'Errico
- Re: [TLS] Consensus Call for draft-ietf-tls-reneg… Robert Dugal
- Re: [TLS] Consensus Call for draft-ietf-tls-reneg… Wan-Teh Chang
- Re: [TLS] Another critical problem with RI Martin Rex
- Re: [TLS] Consensus Call for draft-ietf-tls-reneg… Martin Rex
- Re: [TLS] Consensus Call for draft-ietf-tls-reneg… Nasko Oskov
- Re: [TLS] Consensus Call for draft-ietf-tls-reneg… David-Sarah Hopwood
- Re: [TLS] Consensus Call for draft-ietf-tls-reneg… Martin Rex
- Re: [TLS] Consensus Call for draft-ietf-tls-reneg… Michael D'Errico
- Re: [TLS] Consensus Call for draft-ietf-tls-reneg… Stephen Farrell
- Re: [TLS] Consensus Call for draft-ietf-tls-reneg… Florian Weimer
- Re: [TLS] Proposed change to draft-ietf-tls-reneg… Michael D'Errico
- Re: [TLS] Consensus Call for draft-ietf-tls-reneg… Dr Stephen Henson
- Re: [TLS] Consensus Call for draft-ietf-tls-reneg… Ben Laurie
- Re: [TLS] Another critical problem with RI Stefan Santesson
- Re: [TLS] Consensus Call for draft-ietf-tls-reneg… Yoav Nir
- Re: [TLS] Consensus Call for draft-ietf-tls-reneg… Nelson B Bolyard
- Re: [TLS] Consensus Call for draft-ietf-tls-reneg… peter.robinson
- Re: [TLS] Consensus Call for draft-ietf-tls-reneg… Peter Gutmann
- Re: [TLS] Consensus Call for draft-ietf-tls-reneg… Simon Josefsson
- Re: [TLS] Consensus Call for draft-ietf-tls-reneg… Yngve Nysaeter Pettersen
- Re: [TLS] Consensus Call for draft-ietf-tls-reneg… Pasi.Eronen
- Re: [TLS] Proposed change to draft-ietf-tls-reneg… Pasi.Eronen
- Re: [TLS] Consensus Call for draft-ietf-tls-reneg… Stephen Farrell
- Re: [TLS] Proposed change to draft-ietf-tls-reneg… Michael D'Errico
- Re: [TLS] Proposed change to draft-ietf-tls-reneg… Martin Rex
- Re: [TLS] Proposed change to draft-ietf-tls-reneg… Stefan Santesson
- Re: [TLS] Consensus Call for draft-ietf-tls-reneg… Stefan Santesson
- Re: [TLS] Proposed change to draft-ietf-tls-reneg… Martin Rex
- Re: [TLS] Consensus Call for draft-ietf-tls-reneg… Peter Gutmann
- Re: [TLS] Proposed change to draft-ietf-tls-reneg… David-Sarah Hopwood
- Re: [TLS] Proposed change to draft-ietf-tls-reneg… Martin Rex
- Re: [TLS] Consensus Call for draft-ietf-tls-reneg… Nikos Mavrogiannopoulos
- Re: [TLS] Consensus Call for draft-ietf-tls-reneg… Bodo Moeller
- Re: [TLS] Consensus Call for draft-ietf-tls-reneg… Geoffrey Keating
- Re: [TLS] Consensus Call for draft-ietf-tls-reneg… Stefan Santesson
- Re: [TLS] Consensus Call for draft-ietf-tls-reneg… Ben Laurie
- Re: [TLS] Consensus Call for draft-ietf-tls-reneg… Geoffrey Keating