MIME-Version: 1.0
In-Reply-To: <201501251833.50963.davemgarrett@gmail.com>
References: <201412300503.03923.davemgarrett@gmail.com>
 <CABcZeBPujH595MjfRDstnaDk5fmQVi4qi+-nUhu5zh3L4CxUgw@mail.gmail.com>
 <201501251833.50963.davemgarrett@gmail.com>
Date: Tue, 27 Jan 2015 08:42:22 -0800
Message-ID: <CAOgPGoDvPm4GxbhBYbuhDOc1D5iYf0VvCLs+ZORu8n82sfrQKg@mail.gmail.com>
From: Joseph Salowey <joe@salowey.net>
To: Dave Garrett <davemgarrett@gmail.com>
Content-Type: multipart/alternative; boundary=001a1133cb786cf476050da4f0b8
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/A9LzFgRHH-j5WuUglUF-JKZsE8c>
Cc: "TLS@ietf.org \(tls@ietf.org\)" <tls@ietf.org>
Subject: Re: [TLS] consensus on backwards compatibility changes
Precedence: list

--001a1133cb786cf476050da4f0b8
Content-Type: text/plain; charset=UTF-8

On Sun, Jan 25, 2015 at 3:33 PM, Dave Garrett <davemgarrett@gmail.com>
wrote:

> On Sunday, January 25, 2015 02:36:14 pm Eric Rescorla wrote:
> > Based on reading the mailing list, it seems to me that there is rough
> > consensus on PR#105, but not (yet?) on PR#107.
>
> I don't recall any objections to #107, but not much discussion either.
>
> To sum it up here, in addition to some editorial changes:
>
> 1) Fixes initial ClientHello record layer version to { 3, 1 } (TLS 1.0) &
> mandates
> all other record layer versions to match negotiated version.
> (Brian's suggestion)
>
>
[Joe] I think this makes sense.  I added to comments to the PR.  I propose
to move the bit about the server accepting versions {3,x} to the same place
and change the wording of the existing test to say:

"The client MUST set the version to {3, 1} for the initial ClientHello."



> In SCSV discussion, evidence was given that this improves interop by 5.3%
> for TLS 1.3 & an additional 1.5% for TLS 1.2:
> http://www.ietf.org/mail-archive/web/tls/current/msg15141.html
>
> 2) Mention some other interop concerns along side existing notes.
>
> 3) Cite RC4 prohibition pending RFC.
>
> 4) "If an implementation negotiates usage of TLS 1.2, then negotiation of
> cipher
> suites also supported by TLS 1.3 SHOULD be preferred, if available."
> (only a SHOULD, and only if available; language up for negotiation if
> needed)
>
> 5) Explicitly prohibit EXPORT ciphers and any others <100 bits.
> (100 bit line is arbitrary; could be 112 if preferred)
>
>
[Joe] draft-ietf-uta-tls-bcp-08 recommends 112 so we probably would match
that.


>
> Dave
>
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls
>

--001a1133cb786cf476050da4f0b8
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

<div dir=3D"ltr"><br><div class=3D"gmail_extra"><br><div class=3D"gmail_quo=
te">On Sun, Jan 25, 2015 at 3:33 PM, Dave Garrett <span dir=3D"ltr">&lt;<a =
href=3D"mailto:davemgarrett@gmail.com" target=3D"_blank">davemgarrett@gmail=
.com</a>&gt;</span> wrote:<br><blockquote class=3D"gmail_quote" style=3D"ma=
rgin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,=
204);border-left-style:solid;padding-left:1ex"><span>On Sunday, January 25,=
 2015 02:36:14 pm Eric Rescorla wrote:<br>
&gt; Based on reading the mailing list, it seems to me that there is rough<=
br>
&gt; consensus on PR#105, but not (yet?) on PR#107.<br>
<br>
</span>I don&#39;t recall any objections to #107, but not much discussion e=
ither.<br>
<br>
To sum it up here, in addition to some editorial changes:<br>
<br>
1) Fixes initial ClientHello record layer version to { 3, 1 } (TLS 1.0) &am=
p; mandates<br>
all other record layer versions to match negotiated version.<br>
(Brian&#39;s suggestion)<br>
<br></blockquote><div><br></div><div>[Joe] I think this makes sense.=C2=A0 =
I added to comments to the PR.=C2=A0 I propose to move the bit about the se=
rver accepting versions {3,x} to the same place and change the wording of t=
he existing test to say:</div><div><br></div><div><span style=3D"color:rgb(=
51,51,51);font-family:&#39;Helvetica Neue&#39;,Helvetica,&#39;Segoe UI&#39;=
,Arial,freesans,sans-serif;font-size:14px;line-height:22px">&quot;The clien=
t MUST set the version to {3, 1} for the initial ClientHello.&quot;</span><=
br></div><div><br></div><div>=C2=A0</div><blockquote class=3D"gmail_quote" =
style=3D"margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:r=
gb(204,204,204);border-left-style:solid;padding-left:1ex">
In SCSV discussion, evidence was given that this improves interop by 5.3%<b=
r>
for TLS 1.3 &amp; an additional 1.5% for TLS 1.2:<br>
<a href=3D"http://www.ietf.org/mail-archive/web/tls/current/msg15141.html" =
target=3D"_blank">http://www.ietf.org/mail-archive/web/tls/current/msg15141=
.html</a><br>
<br>
2) Mention some other interop concerns along side existing notes.<br>
<br>
3) Cite RC4 prohibition pending RFC.<br>
<br>
4) &quot;If an implementation negotiates usage of TLS 1.2, then negotiation=
 of cipher<br>
suites also supported by TLS 1.3 SHOULD be preferred, if available.&quot;<b=
r>
(only a SHOULD, and only if available; language up for negotiation if neede=
d)<br>
<br>
5) Explicitly prohibit EXPORT ciphers and any others &lt;100 bits.<br>
(100 bit line is arbitrary; could be 112 if preferred)<br>
<div><div><br></div></div></blockquote><div><br></div><div>[Joe]=C2=A0draft=
-ietf-uta-tls-bcp-08 recommends 112 so we probably would match that. =C2=A0=
</div><div>=C2=A0</div><blockquote class=3D"gmail_quote" style=3D"margin:0p=
x 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);bo=
rder-left-style:solid;padding-left:1ex"><div><div>
<br>
Dave<br>
<br>
_______________________________________________<br>
TLS mailing list<br>
<a href=3D"mailto:TLS@ietf.org" target=3D"_blank">TLS@ietf.org</a><br>
<a href=3D"https://www.ietf.org/mailman/listinfo/tls" target=3D"_blank">htt=
ps://www.ietf.org/mailman/listinfo/tls</a><br>
</div></div></blockquote></div><br></div></div>

--001a1133cb786cf476050da4f0b8--