Re: [TLS] Obsolete SCSV!? (was Re: AD review of draft-ietf-tls-oldversions-deprecate-06)
Eric Rescorla <ekr@rtfm.com> Wed, 23 September 2020 13:07 UTC
Return-Path: <ekr@rtfm.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 42DA33A1145 for <tls@ietfa.amsl.com>; Wed, 23 Sep 2020 06:07:09 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.795
X-Spam-Level:
X-Spam-Status: No, score=-1.795 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, PLING_QUERY=0.1, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JUGOGvMtpWzK for <tls@ietfa.amsl.com>; Wed, 23 Sep 2020 06:07:07 -0700 (PDT)
Received: from mail-lj1-x244.google.com (mail-lj1-x244.google.com [IPv6:2a00:1450:4864:20::244]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2A2AC3A1141 for <tls@ietf.org>; Wed, 23 Sep 2020 06:07:07 -0700 (PDT)
Received: by mail-lj1-x244.google.com with SMTP id w3so17168713ljo.5 for <tls@ietf.org>; Wed, 23 Sep 2020 06:07:07 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=Zm7VRCj0KZY4H60SntXymEL4V883i7HxVlN5wgwzbto=; b=BKqQfB18jY77YWmexkuyeSThnK8cXOMFZnY0d1HiauxgoL35rQbzT37p1NZ1hvJ2vA /E+8sSZ8GgPHyWCldDhqqZFm/EX3b8Kzu46/qY63ISH9Ez90J6jxx0BAZR3ulqT5Wo3b qzWY7h+gy8OWgVi/XUPQ4Q78JsoTVWGPr6GPmtW+15HzdLLsM9j4nOph2ofPTf3Hjd6n ODhX8ie6HGkp5s+d28uBh1flpdFQa/2QkHJlbAm3NzU2oaI2sYiPeKcQwzsUo2RFl85k g6AHstze4km36aHSPdb2a9Ge00ajr0jjcow0QnguKD6xEnJErjJFYhVvtJNTBxGBmdxF UK7w==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=Zm7VRCj0KZY4H60SntXymEL4V883i7HxVlN5wgwzbto=; b=BBLLv5AGJUnY1N/HEF9/jEWxW36vfWE1XrEFpcqw6XMCE26/14vWAOlii1/fkj2thU G787XZKgI4pSIgiYcbSg2dll2hN6yEpUFXt6t3c82Gb64WysDAWHhjAvXFw4DdyXHEjy cshKaNEMJRbGO6Wru7RzjbZUm/1sp2Rp4izfSLZbaSkjhvSY6btiE5t2ZdpKJH1QyMnU k0noacNY0zbZFjNW8XyJ2QZa6VS587UYV0wwV+p9geqXiolZQS4/oUS4PIlsW8JMswmB a5YHDpNQrr1gs5/DOdHMlwB5rvGo+9r8OE5xt3VW4FnsROFk7lcRc3XznHBqYxAJSMr+ 7/aw==
X-Gm-Message-State: AOAM532wDYKCE6awPa3v7QV9s3ijgSBz0b6gg09+9tAEEOOwp4zLVNg6 wbpryeX60IDtYGimb2wshf6KwBHr42mi4bWCSojBvg==
X-Google-Smtp-Source: ABdhPJxOBJvVMxabNwQfG81FvTGraXvdfF2LeVuP8Pnpw9KdX6COSA5jV8MDp0ksQOnWmO+1wJt9ijKyql/XErFK5Fw=
X-Received: by 2002:a2e:804f:: with SMTP id p15mr3323184ljg.199.1600866425252; Wed, 23 Sep 2020 06:07:05 -0700 (PDT)
MIME-Version: 1.0
References: <20200726212223.GY41010@kduck.mit.edu> <CAHbuEH6YV5HyqEV7DbO=_-9yFEHTS3Q7nH_t=ap_xwzGK=vMWw@mail.gmail.com> <20200813175413.GY92412@kduck.mit.edu> <47A50677-E2CB-44F4-8683-2B99EA97875D@sn3rd.com>
In-Reply-To: <47A50677-E2CB-44F4-8683-2B99EA97875D@sn3rd.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Wed, 23 Sep 2020 06:06:29 -0700
Message-ID: <CABcZeBMsgTLdB-XKMyjHZdbS0B_2mVLniEwZEBfhFrm_-9MMiA@mail.gmail.com>
To: Sean Turner <sean@sn3rd.com>
Cc: TLS List <tls@ietf.org>, draft-ietf-tls-oldversions-deprecate.all@ietf.org
Content-Type: multipart/alternative; boundary="0000000000009c414f05affac261"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/7VWCY7kNf7T7XfpyXobLRycIDb8>
Subject: Re: [TLS] Obsolete SCSV!? (was Re: AD review of draft-ietf-tls-oldversions-deprecate-06)
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 23 Sep 2020 13:07:09 -0000
I am completely indifferent on Updates versus Obsoletes (Indeed, this discussion seems like more support for my argument that we should get rid of the distinction). With that said, I believe that this analysis is broadly correct. To recap the situation as I understand it: TLS always provided anti-version downgrade defenses because the Finished message covers the version negotiation [0]. However, the version fallback mechanism involved generating a new handshake without the (potentially) incompatible version, thus was not subject to the Finished check. The SCSV was an anti-downgrade mechanism (essentially a version signal) which could be sent in the new handshake, thus being subject to the Finished check. TLS 1.3 provides an alternate mechanism for the case where the server speaks TLS 1.3 but the client/server pair negotiate < 1.3. Thus, in the world where the only valid values of TLS are 1.2 and 1.3+, then this mechanism should render the SCSV unnecessary. -Ekr On Wed, Sep 23, 2020 at 5:43 AM Sean Turner <sean@sn3rd.com> wrote: > Hi! this issue was buried in the Ben’s review, but I think it is worth > getting some attention on. > > > On Aug 13, 2020, at 13:54, Benjamin Kaduk <kaduk@mit.edu> wrote: > > > > On Wed, Aug 12, 2020 at 04:29:56PM -0400, Kathleen Moriarty wrote: > >> > >> On Sun, Jul 26, 2020 at 5:22 PM Benjamin Kaduk <kaduk@mit.edu> wrote: > >>> > >>> - Similarly, the downgrade protection provided by the SCSV of RFC 7507 > >>> seems to be entirely obsolete. Any implementation that is compliant > >>> with this document will support only 1.2 or higher. If it only > >>> supports one version, no downgrade is possible; if it also supports > >>> 1.3 or newer, the new downgrade-detection mechanism defined by TLS 1.3 > >>> applies, so the SCSV mechanism is entirely redundant (i.e., obsolete). > >>> We could effectuate that status change in this document as well. > >>> > >> > >> Has this been addressed in RFC8446? If not, the specific downgrade > >> examples are just listed as examples. If a gap is left, then the full > >> document should not be deprecated and made obsolete. The text infers > other > >> versions in my read. I have not looked to see if this was addressed in > >> RFC8446 yet though. > > > > I'd really like to get a few more people to weigh in on this one -- IIRC > > David Benjamin and Martin Thomson had mentioned some thoughts in the chat > > during the session at 108, and Ekr as author of 8446 would be expected to > > have a good sense of what it does. > > > > The specific RFC 8446 mechanism here is described at > > https://tools.ietf.org/html/rfc8446#section-4.1.3 : "TLS 1.3 has a > > downgrade protection mechanism embedded in the server's random value. > > [...]" > > > > While the RFC 8446 mechanism has the client do the actual detection of > > downgrade, there's a MUST-level requirement on clients to make the check, > > so from a specification point of view the check can be treated as > reliable. > > The RFC 7507 mechanism has the server do the detection, but I think the > end > > result is still the same: in an "downgraded" exchange between two honest > > participants, the handshake fails and the downgrade is detected. > > > > Since the functionality is still useful, just superseded, this one seems > > like a better fit for "obsoletes" (vs. "historic). > > > > Right now, we have a list of RFCs draft-ietf-tls-oldversions-deprecate > will update. RFC 7507 "TLS Fallback Signaling Cipher Suite Value (SCSV) for > Preventing Protocol Downgrade Attacks" ( > https://datatracker.ietf.org/doc/rfc7507/) is in this list. If you agree > with Ben’s logic then we would be move 7507 out of the list of “updates” > and adding an obsoletes header, i.e., “Obsoletes: 7507 (if approved)”, and > moving 7507 down in s1.1 to the obsoletes paragraph. While this might seem > like a minor point, this is the kind of the IESG loves to sink its teeth > into so have a WG opinion on this matter can make overcoming later hurdles > easier for the AD and doc shepherd. > > Thanks for the your time, > > spt (doc shepherd) > _______________________________________________ > TLS mailing list > TLS@ietf.org > https://www.ietf.org/mailman/listinfo/tls >
- [TLS] AD review of draft-ietf-tls-oldversions-dep… Benjamin Kaduk
- Re: [TLS] AD review of draft-ietf-tls-oldversions… Kathleen Moriarty
- Re: [TLS] AD review of draft-ietf-tls-oldversions… Benjamin Kaduk
- [TLS] Obsolete SCSV!? (was Re: AD review of draft… Sean Turner
- Re: [TLS] Obsolete SCSV!? (was Re: AD review of d… Eric Rescorla
- Re: [TLS] Obsolete SCSV!? (was Re: AD review of d… Salz, Rich
- Re: [TLS] Obsolete SCSV!? (was Re: AD review of d… Sean Turner
- Re: [TLS] Obsolete SCSV!? (was Re: AD review of d… Sean Turner
- Re: [TLS] Obsolete SCSV!? (was Re: AD review of d… Loganaden Velvindron
- Re: [TLS] Obsolete SCSV!? (was Re: AD review of d… Loganaden Velvindron
- Re: [TLS] AD review of draft-ietf-tls-oldversions… Sean Turner
- Re: [TLS] AD review of draft-ietf-tls-oldversions… Benjamin Kaduk
- Re: [TLS] AD review of draft-ietf-tls-oldversions… Michael D'Errico
- Re: [TLS] AD review of draft-ietf-tls-oldversions… Benjamin Kaduk
- Re: [TLS] AD review of draft-ietf-tls-oldversions… Michael D'Errico
- Re: [TLS] AD review of draft-ietf-tls-oldversions… Salz, Rich
- Re: [TLS] AD review of draft-ietf-tls-oldversions… Sean Turner
- Re: [TLS] AD review of draft-ietf-tls-oldversions… Benjamin Kaduk