Re: [TLS] Proposed text for removing renegotiation

Yoav Nir <ynir.ietf@gmail.com> Thu, 12 June 2014 17:45 UTC

From: Yoav Nir <ynir.ietf@gmail.com>
In-Reply-To: <CABcZeBNqU5WdDfdGF391ntCDHThWOg8ZQ0CxKPj5yiV--cY-+w@mail.gmail.com>
Date: Thu, 12 Jun 2014 20:45:27 +0300
Message-Id: <39BABE88-00B9-4656-885E-41FCD1AD3861@gmail.com>
To: Eric Rescorla <ekr@rtfm.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/6tlUav0G6aX0thQMvC6XjXGR9zE
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Proposed text for removing renegotiation

On Jun 12, 2014, at 7:35 PM, Eric Rescorla <ekr@rtfm.com> wrote:
> 
> Of those hosts:
> * The selected interval values range from 3 seconds (!!!) to 86400 - with an average being around 3600 seconds.
> * Lots of 10-second renegotiation intervals as well.
> * Seems to be a slight preference to the Financial vertical.
> 
> I'm not suggesting that this data moves the conversation about renegotiation one way or the other.
> 
> Do you have any idea why they want this?

Maybe Bruce said something about needing to regularly replace keys in “Applied Cryptography”.

The financial market also suggests some security consultant recommending setting the values.

3600 is actually a pretty fine value, as you would for the most part never see a renegotiation. Of course, configuring this by traffic volume would be even better.

Yoav
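As an added illustration that is not part of this thread, the Python model below compares the time-based renegotiation intervals reported in the survey (3 s, 10 s, 3600 s, 86400 s) against a traffic-volume trigger on two constructed connections; the sample traffic, the event granularity and the 1 GiB volume limit are assumptions, not values from the list.

```python
from dataclasses import dataclass
from typing import Optional

MiB = 1024 * 1024


@dataclass(frozen=True)
class RekeyPolicy:
    """When a long-lived TLS connection should be forced to renegotiate (re-key)."""
    max_seconds: Optional[float] = None  # time-based trigger, e.g. 3600
    max_bytes: Optional[int] = None      # traffic-volume trigger, e.g. 1 GiB


def count_renegotiations(policy, events):
    """events: (timestamp_seconds, bytes_transferred) records for one connection,
    in time order. Returns how many renegotiations the policy would force."""
    if not events:
        return 0
    renegs, last_rekey, bytes_since = 0, events[0][0], 0
    for t, n in events:
        bytes_since += n
        due_by_time = policy.max_seconds is not None and t - last_rekey >= policy.max_seconds
        due_by_volume = policy.max_bytes is not None and bytes_since >= policy.max_bytes
        if due_by_time or due_by_volume:
            renegs += 1
            last_rekey, bytes_since = t, 0  # keys replaced: restart both counters
    return renegs


# Constructed sample traffic (assumed, not measured): a short web session and a bulk transfer.
SHORT_SESSION = [(t, 25 * 1024) for t in range(20)]          # 20 s, about 500 KiB
BULK_TRANSFER = [(t, 40 * MiB) for t in range(0, 7200, 60)]  # 2 h, about 4.7 GiB

POLICIES = {
    "3s": RekeyPolicy(max_seconds=3),
    "10s": RekeyPolicy(max_seconds=10),
    "3600s": RekeyPolicy(max_seconds=3600),
    "86400s": RekeyPolicy(max_seconds=86400),
    "1GiB": RekeyPolicy(max_bytes=1024 * MiB),  # assumed volume limit
}


def compare_policies():
    """(short-session, bulk-transfer) renegotiation counts for each policy."""
    return {name: (count_renegotiations(p, SHORT_SESSION),
                   count_renegotiations(p, BULK_TRANSFER))
            for name, p in POLICIES.items()}


if __name__ == "__main__":
    for name, (short, bulk) in compare_policies().items():
        print(f"{name:>7}: short session {short:3d}  bulk transfer {bulk:3d}")
```

The 3600 s policy never fires on the short session and fires once on the two-hour transfer, whereas the volume trigger scales with bytes under the key rather than with wall-clock time.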