Re: [TLS] Comments/Questions on draft-gutmann-tls-encrypt-then-mac-00.txt

Bodo Moeller <bmoeller@acm.org> Wed, 25 September 2013 19:01 UTC

Return-Path: <SRS0=M8uh=TF=acm.org=bmoeller@srs.kundenserver.de>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E9D6721E8094 for <tls@ietfa.amsl.com>; Wed, 25 Sep 2013 12:01:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.463
X-Spam-Level:
X-Spam-Status: No, score=-1.463 tagged_above=-999 required=5 tests=[AWL=0.163, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, HELO_EQ_DE=0.35, HTML_MESSAGE=0.001]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Bi+ZSmEsCM38 for <tls@ietfa.amsl.com>; Wed, 25 Sep 2013 12:00:57 -0700 (PDT)
Received: from moutng.kundenserver.de (moutng.kundenserver.de [212.227.17.9]) by ietfa.amsl.com (Postfix) with ESMTP id 3E76A21E8091 for <tls@ietf.org>; Wed, 25 Sep 2013 12:00:44 -0700 (PDT)
Received: from mail-ob0-f181.google.com (mail-ob0-f181.google.com [209.85.214.181]) by mrelayeu.kundenserver.de (node=mreu2) with ESMTP (Nemesis) id 0MGVFc-1Vc3Tu2G8G-00DWsc; Wed, 25 Sep 2013 21:00:42 +0200
Received: by mail-ob0-f181.google.com with SMTP id gq1so191385obb.26 for <tls@ietf.org>; Wed, 25 Sep 2013 12:00:41 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=DuxGoQisaYbAzAkl0i8JynSZ6bifu+g1Fx0vsYEaP7Q=; b=HJO6BgEUjqV9DtLU+hPwz3aFIUnSWXnrBTd2eEmakJGFkbf9nBtdLho9QspO6bszpW SqvZQ4IPw55ndXMcsRq1CFr8tm2QpbaSb9bDWQ48tfqzB1N9Z4nIXT/y1SU5DJx0KR2m b3inz0fhAVFJP0OtxUfV4AX2OYSijhDO71f80Z4U4FOgc8cyhfXJtIvWZQmzwwLMvfjp ay/6wTX27R9K9QGyOoR27vE1noHjszJ9t5CHwlJBJI4KAk4DwUwTqs41WgHnv4MWAzEX NAlhk7wOe3JAGx8IuJxdvbzJPjK1Abox9+n+OTbvFYiFf1CBtp4lhHwvUstZj7WZm7nO zKmQ==
MIME-Version: 1.0
X-Received: by 10.60.65.227 with SMTP id a3mr31476183oet.13.1380135641349; Wed, 25 Sep 2013 12:00:41 -0700 (PDT)
Received: by 10.60.115.72 with HTTP; Wed, 25 Sep 2013 12:00:41 -0700 (PDT)
In-Reply-To: <524321C1.5080001@gmail.com>
References: <9A043F3CF02CD34C8E74AC1594475C735567D321@uxcn10-6.UoA.auckland.ac.nz> <CADMpkcJtp-+P8CFn_K7uptXtorYom0ALdaUn6xB16JFZSHoBtg@mail.gmail.com> <CAMfhd9U2eBdeO4MuDBW9hcuxzu0sttkifySSHJp9=bm5n3NNEg@mail.gmail.com> <5243119D.4070001@pobox.com> <524321C1.5080001@gmail.com>
Date: Wed, 25 Sep 2013 21:00:41 +0200
Message-ID: <CADMpkcLGRCORoqUTX45hXF5JqqFS-GTW+YzZ7XEKW-5rAFdbGg@mail.gmail.com>
From: Bodo Moeller <bmoeller@acm.org>
To: Yaron Sheffer <yaronf.ietf@gmail.com>
Content-Type: multipart/alternative; boundary=001a11c25700a50c8504e739de53
X-Provags-ID: V02:K0:Rv2yAuB1C7DreZPiXtG10LCbgYs5EpyjiQHaaZ5jeeN FDBF24s86wO/Q94VYlHAin1XAWZjj3TAWO7prCzq3C2Ew0GBW+ a1JGJ4IBK+xTeUaXWhf+L2blS2KEmCck2eqQ3ul/+diU3kCGpS 6RQ/khMqGeR2paqLrQjTgtLUmcddiiDrMPhlDwO7HWfqAKYFYE vWXBt5pjebGpwrq61GgX65pDoEy+dhycWLED5/vlalRRD+eTfi gO7zMPY/KZpBLWDk1+elmfXCGJbrl9BDvfg1K/BUuK/E4AFu+n XJtq2ntzKT7WNUMezAnud5mnskw9lfX7uKyFm/2nBAF/8egXYL sjW91ZxW30f0/XNmfFENZvNx5QMTkgmpbC6hCHddSYtgk11Bf1 ahyBRaAsoOe2eQZ7Nouv6duFyZfVW4YG1eNUC+D681p5U3+nDo QKwXk
Cc: "<tls@ietf.org>" <tls@ietf.org>
Subject: Re: [TLS] Comments/Questions on draft-gutmann-tls-encrypt-then-mac-00.txt
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 25 Sep 2013 19:01:05 -0000

> Organizations often enforce weird and misguided policies on their users,
> e.g. forcing them all to use IE6 so that "legacy applications" do not need
> to be upgraded. Mind you, those older browsers only speak older SSL/TLS
> versions and *their* connections will still go through! Employing such
> middleboxes is just another policy of this type. Is it really our business
> to counteract the organization's policy?
>

Certainly, because we don't know if "the organization" that's trying to
downgrade your connection are your local network admins, or a foreign
government agency.  This doesn't mean there couldn't be a knob allowing you
(or your admins) to disable the security check, but the protocol should
have means to detect this kind of problem.