Re: [TLS] no fallbacks please [was: Downgrade protection, fallbacks, and server time]

Jeffrey Walton <noloader@gmail.com> Mon, 06 June 2016 19:32 UTC

From: Jeffrey Walton <noloader@gmail.com>
Date: Mon, 06 Jun 2016 15:32:38 -0400
Message-ID: <CAH8yC8=raj5iUTUWaxtEy7LQCzzADVXSxid-n69MhT5Q2GdfvA@mail.gmail.com>
To: Bill Frantz <frantz@pwpconsult.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/9KOGt7XkoIuN2_wFLMOwMgZfiGQ>
Cc: "tls@ietf.org" <tls@ietf.org>

>> That being said, I would prefer the solution to be a compliance test suite
>> that checks if servers do handle correctly future versions, future
>> extensions and future ciphersuites correctly.
>
> I agree with Hubert. The big question is how you get the bug report to the
> server operator.
>
> With servers which are currently maintained, it should be possible, although
> difficult in specific instances to contact the owner. With servers which
> aren't being maintained, e.g. those in imbedded devices, the problem becomes
> much harder.

There are two ways. First, use the Administrative and Technical
contacts in the WHOIS database. They are ICANN contractual
requirements, and they must be valid. Second, RFC 2142, MAILBOX NAMES
FOR COMMON SERVICES, ROLES AND FUNCTIONS.

Jeff
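
The two contact routes named in the reply above, as an added example that is not part of the original message: it collects Administrative and Technical contact addresses from a WHOIS reply and appends RFC 2142 role mailboxes for the domain. The WHOIS text is constructed sample data, and the function names, the "Key: value" field layout and the subset of role mailboxes are assumptions of this example.

```python
import re

# RFC 2142 role mailboxes most relevant to a TLS server bug report.
# The selection and order are this example's choice; the RFC defines more.
RFC2142_ROLES = ("security", "webmaster", "hostmaster", "postmaster", "noc", "abuse")

# Constructed WHOIS reply in the common "Key: value" layout (not real data).
SAMPLE_WHOIS = """\
Domain Name: EXAMPLE.ORG
Registrant Email: owner@example.org
Admin Email: admin-c@example.org
Tech Email: REDACTED FOR PRIVACY
Tech Email: hostmaster@dns.example.net
"""

CONTACT_KEY = re.compile(r"(admin|tech)\w*(?: contact)? e-?mail")
EMAIL = re.compile(r"[a-z0-9._%+-]+@[a-z0-9.-]+\.[a-z]{2,}")


def whois_contacts(text):
    """Return {"admin": [...], "tech": [...]} with usable e-mail addresses only."""
    found = {"admin": [], "tech": []}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        match = CONTACT_KEY.fullmatch(key.strip().lower())
        value = value.strip().lower()
        # Skip other fields and placeholder values that are not addresses.
        if sep and match and EMAIL.fullmatch(value) and value not in found[match.group(1)]:
            found[match.group(1)].append(value)
    return found


def rfc2142_mailboxes(domain):
    """Build the role addresses for a domain, e.g. security@example.org."""
    domain = domain.strip().rstrip(".").lower()
    return [f"{role}@{domain}" for role in RFC2142_ROLES]


def report_recipients(domain, whois_text):
    """WHOIS Administrative/Technical contacts first, then RFC 2142 mailboxes."""
    contacts = whois_contacts(whois_text)
    ordered = contacts["admin"] + contacts["tech"] + rfc2142_mailboxes(domain)
    return list(dict.fromkeys(ordered))  # de-duplicate, keep order


if __name__ == "__main__":
    for address in report_recipients("example.org", SAMPLE_WHOIS):
        print(address)
```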