Re: [TLS] tls 1.3: renegotiation

Robert Ransom <> Fri, 25 July 2014 19:27 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id 8BAC31A03CA for <>; Fri, 25 Jul 2014 12:27:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.75
X-Spam-Status: No, score=-1.75 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id oFOCck2SohJ2 for <>; Fri, 25 Jul 2014 12:27:41 -0700 (PDT)
Received: from ( [IPv6:2607:f8b0:400d:c00::22c]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 9AE1F1A0195 for <>; Fri, 25 Jul 2014 12:27:41 -0700 (PDT)
Received: by with SMTP id f12so5050479qad.17 for <>; Fri, 25 Jul 2014 12:27:40 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type:content-transfer-encoding; bh=UwD6R2z/iqIIalrbHy/6q5O/bEJOWaVZg8pPrnZxBsc=; b=f4MR1NXayeqXmvEqxWGW+pzqnd05xUfAqPLxVXqsRYwZ/rb0htsXJO0+mEmAEKClhe XqYXVCiGIbS+PTrg8hTZodyWnwiyOdUAiRpfVvUR/AHq2PCexUKP1HOiAnSxUBEWvK7W YfEa57JmVBz/lusNktg4qz8NAhAyesCBGF0X7c/zYtpmcTpYh1skd1niMIRhGsszmgo9 YXpEX2MgzeOpRdaRX5x/SY9BTBIrwdQP01wbs8Hx0y9nZvvhQF+H7P8UPXuhW6/NTZ5V xLr3x1H0W4WSpXP8NBwwxieqJt9iuD+iM3G0gdLRSHEkeSf24DdJrsbZ9E5uS+GwMJmJ g65g==
MIME-Version: 1.0
X-Received: by with SMTP id e108mr30048802qga.76.1406316460817; Fri, 25 Jul 2014 12:27:40 -0700 (PDT)
Received: by with HTTP; Fri, 25 Jul 2014 12:27:40 -0700 (PDT)
In-Reply-To: <>
References: <>
Date: Fri, 25 Jul 2014 12:27:40 -0700
Message-ID: <>
From: Robert Ransom <>
To: Sean Turner <>
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable
Cc: " \(\)" <>
Subject: Re: [TLS] tls 1.3: renegotiation
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 25 Jul 2014 19:27:42 -0000

On 7/21/14, Sean Turner <> wrote:
> At the TLS interim meeting held on Sunday July 20th, 2014, there was
> consensus to remove renegotiation on the assumption we will provide a
> rekeying facility of some form and client initated client authentication.
> This message serves to confirm that consensus.  Please indicate by July
> 25th, 2014 whether you disagree with this (and why).

I oppose removal of renegotiation, for the following reasons:

* Renegotiation is a single feature which serves many purposes.  I
  believe that fixing the design, APIs, and implementations of
  renegotiation will be easier than designing the protocols, designing
  the APIs, and implementing every feature which would be needed to
  replace it.

* The client-initiated client authentication feature will require a
  ‘channel binding’ to the existing TLS connection, which -- as Nico
  Williams has pointed out -- is sufficient to work around
  renegotiation-based attacks at the protocol level, by binding the
  application data sent before renegotiation to the authentication
  performed during the renegotiation handshake.  Adding a channel
  binding to renegotiation would not require as many changes to
  existing code as adding an entirely new client authentication
  feature would, and would provide less room for new implementation
  bugs to creep in.

* Renegotiation can share most of its code with the implementation of
  the initial connection handshake, even after a channel binding is
  added to it.  Each of the new features added in order to replace
  renegotiation is likely to share considerably less code with the
  initial handshake, and their implementations are likely to receive
  considerably less use and less testing than any piece of code used
  in implementing renegotiation.

In addition, I believe that it is not possible for the WG to make an
informed decision as to whether renegotiation should be removed at
this time:

* The rekeying feature and client-initiated client authentication
  feature have not been specified yet, even to the point of stating
  the requirements which each feature will meet.  It is not possible
  for the WG to determine whether the features intended to replace
  these two uses of renegotiation will be fit for their intended
  purposes at this time.

Robert Ransom