Re: [TLS] tls 1.3: renegotiation
Robert Ransom <rransom.8774@gmail.com> Fri, 25 July 2014 19:27 UTC
Return-Path: <rransom.8774@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8BAC31A03CA for <tls@ietfa.amsl.com>; Fri, 25 Jul 2014 12:27:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.75
X-Spam-Level:
X-Spam-Status: No, score=-1.75 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id oFOCck2SohJ2 for <tls@ietfa.amsl.com>; Fri, 25 Jul 2014 12:27:41 -0700 (PDT)
Received: from mail-qa0-x22c.google.com (mail-qa0-x22c.google.com [IPv6:2607:f8b0:400d:c00::22c]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9AE1F1A0195 for <tls@ietf.org>; Fri, 25 Jul 2014 12:27:41 -0700 (PDT)
Received: by mail-qa0-f44.google.com with SMTP id f12so5050479qad.17 for <tls@ietf.org>; Fri, 25 Jul 2014 12:27:40 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type:content-transfer-encoding; bh=UwD6R2z/iqIIalrbHy/6q5O/bEJOWaVZg8pPrnZxBsc=; b=f4MR1NXayeqXmvEqxWGW+pzqnd05xUfAqPLxVXqsRYwZ/rb0htsXJO0+mEmAEKClhe XqYXVCiGIbS+PTrg8hTZodyWnwiyOdUAiRpfVvUR/AHq2PCexUKP1HOiAnSxUBEWvK7W YfEa57JmVBz/lusNktg4qz8NAhAyesCBGF0X7c/zYtpmcTpYh1skd1niMIRhGsszmgo9 YXpEX2MgzeOpRdaRX5x/SY9BTBIrwdQP01wbs8Hx0y9nZvvhQF+H7P8UPXuhW6/NTZ5V xLr3x1H0W4WSpXP8NBwwxieqJt9iuD+iM3G0gdLRSHEkeSf24DdJrsbZ9E5uS+GwMJmJ g65g==
MIME-Version: 1.0
X-Received: by 10.140.43.245 with SMTP id e108mr30048802qga.76.1406316460817; Fri, 25 Jul 2014 12:27:40 -0700 (PDT)
Received: by 10.140.98.233 with HTTP; Fri, 25 Jul 2014 12:27:40 -0700 (PDT)
In-Reply-To: <7C3D5CF9-2B17-4953-A13D-C5E7226D13E7@ieca.com>
References: <7C3D5CF9-2B17-4953-A13D-C5E7226D13E7@ieca.com>
Date: Fri, 25 Jul 2014 12:27:40 -0700
Message-ID: <CABqy+so=yV9Gp8aCp3cJ8wQRmd6JC-J9raEzgw1c1UDdFT2=JQ@mail.gmail.com>
From: Robert Ransom <rransom.8774@gmail.com>
To: Sean Turner <TurnerS@ieca.com>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/9avb0iMQlXXavH6enm1ni7X-0uo
Cc: "TLS@ietf.org (tls@ietf.org)" <tls@ietf.org>
Subject: Re: [TLS] tls 1.3: renegotiation
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 25 Jul 2014 19:27:42 -0000
On 7/21/14, Sean Turner <TurnerS@ieca.com> wrote: > At the TLS interim meeting held on Sunday July 20th, 2014, there was > consensus to remove renegotiation on the assumption we will provide a > rekeying facility of some form and client initated client authentication. > This message serves to confirm that consensus. Please indicate by July > 25th, 2014 whether you disagree with this (and why). I oppose removal of renegotiation, for the following reasons: * Renegotiation is a single feature which serves many purposes. I believe that fixing the design, APIs, and implementations of renegotiation will be easier than designing the protocols, designing the APIs, and implementing every feature which would be needed to replace it. * The client-initiated client authentication feature will require a ‘channel binding’ to the existing TLS connection, which -- as Nico Williams has pointed out -- is sufficient to work around renegotiation-based attacks at the protocol level, by binding the application data sent before renegotiation to the authentication performed during the renegotiation handshake. Adding a channel binding to renegotiation would not require as many changes to existing code as adding an entirely new client authentication feature would, and would provide less room for new implementation bugs to creep in. * Renegotiation can share most of its code with the implementation of the initial connection handshake, even after a channel binding is added to it. Each of the new features added in order to replace renegotiation is likely to share considerably less code with the initial handshake, and their implementations are likely to receive considerably less use and less testing than any piece of code used in implementing renegotiation. In addition, I believe that it is not possible for the WG to make an informed decision as to whether renegotiation should be removed at this time: * The rekeying feature and client-initiated client authentication feature have not been specified yet, even to the point of stating the requirements which each feature will meet. It is not possible for the WG to determine whether the features intended to replace these two uses of renegotiation will be fit for their intended purposes at this time. Robert Ransom
- [TLS] tls 1.3: renegotiation Sean Turner
- Re: [TLS] tls 1.3: renegotiation Robert Ransom
- Re: [TLS] tls 1.3: renegotiation Martin Thomson
- Re: [TLS] tls 1.3: renegotiation Andrei Popov
- Re: [TLS] tls 1.3: renegotiation Martin Thomson
- Re: [TLS] tls 1.3: renegotiation Robert Ransom
- Re: [TLS] tls 1.3: renegotiation Andrei Popov
- Re: [TLS] tls 1.3: renegotiation Martin Thomson
- Re: [TLS] tls 1.3: renegotiation Martin Thomson
- Re: [TLS] tls 1.3: renegotiation Nikos Mavrogiannopoulos