Re: [TLS] Deprecating SSLv3
Nico Williams <nico@cryptonector.com> Mon, 24 November 2014 21:31 UTC
Return-Path: <nico@cryptonector.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DB8971AC39C for <tls@ietfa.amsl.com>; Mon, 24 Nov 2014 13:31:07 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.666
X-Spam-Level:
X-Spam-Status: No, score=-1.666 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, IP_NOT_FRIENDLY=0.334, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id CohE3gc2O7Ez for <tls@ietfa.amsl.com>; Mon, 24 Nov 2014 13:31:06 -0800 (PST)
Received: from homiemail-a74.g.dreamhost.com (sub4.mail.dreamhost.com [69.163.253.135]) by ietfa.amsl.com (Postfix) with ESMTP id 909381AC3BC for <tls@ietf.org>; Mon, 24 Nov 2014 13:30:55 -0800 (PST)
Received: from homiemail-a74.g.dreamhost.com (localhost [127.0.0.1]) by homiemail-a74.g.dreamhost.com (Postfix) with ESMTP id 5749D67C06E; Mon, 24 Nov 2014 13:30:55 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=cryptonector.com; h=date :from:to:cc:subject:message-id:references:mime-version :content-type:in-reply-to; s=cryptonector.com; bh=j0fih5VNx6Ha3q 22S8JvWobzJDY=; b=CeVqjyp2isNCMNyv22v0toaGu8srAYdofpW4I4IlDrlcIp o5eJPGozEd/k5ktlyuwgX43hjBZ4B9sXTClx8CrMWXarhaPnFKeDs236H2HIRc29 cSAj1jn7bM37iHmI7+rJiGdGvund5VYYsr/oLXEfvKZmU+WBga4USINtMripw=
Received: from localhost (108-207-244-174.lightspeed.austtx.sbcglobal.net [108.207.244.174]) (Authenticated sender: nico@cryptonector.com) by homiemail-a74.g.dreamhost.com (Postfix) with ESMTPA id 04E1367C06D; Mon, 24 Nov 2014 13:30:54 -0800 (PST)
Date: Mon, 24 Nov 2014 15:30:54 -0600
From: Nico Williams <nico@cryptonector.com>
To: Watson Ladd <watsonbladd@gmail.com>
Message-ID: <20141124213052.GR3200@localhost>
References: <1572947.5ky0fL2FGE@pintsize.usersys.redhat.com> <20141124182953.9C8251B004@ld9781.wdf.sap.corp> <CACsn0ck6t6DKbxcRga-TFQEj5ADe7zw3pKu9z33L2hS2B6LzyQ@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <CACsn0ck6t6DKbxcRga-TFQEj5ADe7zw3pKu9z33L2hS2B6LzyQ@mail.gmail.com>
User-Agent: Mutt/1.5.21 (2010-09-15)
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/6SdQbHiBOYub_25KKZUhaobPxG0
Cc: tls@ietf.org
Subject: Re: [TLS] Deprecating SSLv3
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 24 Nov 2014 21:31:08 -0000
On Mon, Nov 24, 2014 at 12:57:01PM -0800, Watson Ladd wrote: > On Nov 24, 2014 10:30 AM, "Martin Rex" <mrex@sap.com> wrote: > [...]? Even if you noticed the attack, and it isn't from the > government, what deterrence is there? [...] And/or what mitigation... Bearer tokens are currently, and for the forseeable future, a fact of life. An annoying fact of life, maybe, but one that we must accept. Surely that can't be controversial. TLS 1.3 simply must be resistant to adaptive chosen plaintext attacks intended for recovery of frequently repeated secrets (bearer tokens). To be fair to Martin R., I suspect he's not objecting to this, so much as to the use of bearer tokens in the first place, much as I'm objecting to blaming TLS's past failures on the Internet threat model while... not being against updating the Internet threat model. That we can't fix the bearer token problem from where we stand doesn't mean that Martin can't complain about it... Nico --
- [TLS] Deprecating SSLv3 Martin Thomson
- Re: [TLS] Deprecating SSLv3 Matt Caswell
- Re: [TLS] Deprecating SSLv3 Martin Thomson
- Re: [TLS] Deprecating SSLv3 Manuel Pégourié-Gonnard
- Re: [TLS] Deprecating SSLv3 Martin Thomson
- Re: [TLS] Deprecating SSLv3 Stephen Checkoway
- Re: [TLS] Deprecating SSLv3 Nikos Mavrogiannopoulos
- Re: [TLS] Deprecating SSLv3 Alfredo Pironti
- Re: [TLS] Deprecating SSLv3 Nikos Mavrogiannopoulos
- Re: [TLS] Deprecating SSLv3 Ronald del Rosario
- Re: [TLS] Deprecating SSLv3 Alfredo Pironti
- Re: [TLS] Deprecating SSLv3 Martin Thomson
- Re: [TLS] Deprecating SSLv3 Nikos Mavrogiannopoulos
- Re: [TLS] Deprecating SSLv3 Kurt Roeckx
- Re: [TLS] Deprecating SSLv3 Salz, Rich
- Re: [TLS] Deprecating SSLv3 Nikos Mavrogiannopoulos
- Re: [TLS] Deprecating SSLv3 Hubert Kario
- Re: [TLS] Deprecating SSLv3 Martin Rex
- Re: [TLS] Deprecating SSLv3 Hubert Kario
- Re: [TLS] Deprecating SSLv3 Martin Rex
- Re: [TLS] Deprecating SSLv3 Kurt Roeckx
- Re: [TLS] Deprecating SSLv3 Hubert Kario
- Re: [TLS] Deprecating SSLv3 Martin Rex
- Re: [TLS] Deprecating SSLv3 Hubert Kario
- Re: [TLS] Deprecating SSLv3 Manuel Pégourié-Gonnard
- Re: [TLS] Deprecating SSLv3 Watson Ladd
- Re: [TLS] Deprecating SSLv3 Nico Williams
- Re: [TLS] Deprecating SSLv3 Yoav Nir
- Re: [TLS] Deprecating SSLv3 Bill Frantz
- Re: [TLS] Deprecating SSLv3 Nico Williams
- Re: [TLS] Deprecating SSLv3 Henrick Hellström
- Re: [TLS] Deprecating SSLv3 Yuhong Bao
- Re: [TLS] Deprecating SSLv3 Hubert Kario
- Re: [TLS] Deprecating SSLv3 Martin Rex