Re: [TLS] consensus on backwards compatibility changes
Dave Garrett <davemgarrett@gmail.com> Sun, 25 January 2015 23:34 UTC
Return-Path: <davemgarrett@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 233371A0264 for <tls@ietfa.amsl.com>; Sun, 25 Jan 2015 15:34:23 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id J3Zqj2WW6_BG for <tls@ietfa.amsl.com>; Sun, 25 Jan 2015 15:34:21 -0800 (PST)
Received: from mail-qg0-x231.google.com (mail-qg0-x231.google.com [IPv6:2607:f8b0:400d:c04::231]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 465981A023E for <tls@ietf.org>; Sun, 25 Jan 2015 15:34:21 -0800 (PST)
Received: by mail-qg0-f49.google.com with SMTP id i50so4806947qgf.8 for <tls@ietf.org>; Sun, 25 Jan 2015 15:34:20 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=from:to:subject:date:user-agent:cc:references:in-reply-to :mime-version:content-type:content-transfer-encoding:message-id; bh=QG8HMWcify1SRmdpTq0M5EowGEHqhxwZu85dX2w4oks=; b=0PFKe66yFyNR7YrEolSvXMdBm1LI2rxbhNSu7hsOdkeKa6G00BlaLXyWkJ2DEi2rMB vd27u66opMFPONFq8X52NeCjf5uZyTwqUtUn/Y9j4SyDFdRRzbEhUVY8dc+AvObN2gtV Kbhg43heg7NeEdJ+k8ohX9ounpJBx/xV4iPBS1l+CViynGLIrS9Mpl7jhsscFAjjQsTa NU5pBMbOt+bTxUyZsNq39gdOQcN0lzQF/vok/PAUvLPJ63NloBryxmeVLeUfyUpETvAF C65jmmseDptqqoGpBZ6w89KOLmLf3PHpUkSfz2WUAiJ66Mj5BOU7ACwSeykib3h/4dUQ sOdA==
X-Received: by 10.140.48.197 with SMTP id o63mr34624029qga.81.1422228860496; Sun, 25 Jan 2015 15:34:20 -0800 (PST)
Received: from dave-laptop.localnet ([96.245.56.59]) by mx.google.com with ESMTPSA id c3sm8335750qan.45.2015.01.25.15.34.19 (version=TLSv1 cipher=RC4-SHA bits=128/128); Sun, 25 Jan 2015 15:34:19 -0800 (PST)
From: Dave Garrett <davemgarrett@gmail.com>
To: Eric Rescorla <ekr@rtfm.com>
Date: Sun, 25 Jan 2015 18:33:50 -0500
User-Agent: KMail/1.13.5 (Linux/2.6.32-70-generic-pae; KDE/4.4.5; i686; ; )
References: <201412300503.03923.davemgarrett@gmail.com> <CABcZeBPujH595MjfRDstnaDk5fmQVi4qi+-nUhu5zh3L4CxUgw@mail.gmail.com>
In-Reply-To: <CABcZeBPujH595MjfRDstnaDk5fmQVi4qi+-nUhu5zh3L4CxUgw@mail.gmail.com>
MIME-Version: 1.0
Content-Type: Text/Plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
Message-Id: <201501251833.50963.davemgarrett@gmail.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/Ak37Zc3BNLBuhfXYNUToxAJUwvk>
Cc: "TLS@ietf.org (tls@ietf.org)" <tls@ietf.org>
Subject: Re: [TLS] consensus on backwards compatibility changes
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 25 Jan 2015 23:34:23 -0000
On Sunday, January 25, 2015 02:36:14 pm Eric Rescorla wrote: > Based on reading the mailing list, it seems to me that there is rough > consensus on PR#105, but not (yet?) on PR#107. I don't recall any objections to #107, but not much discussion either. To sum it up here, in addition to some editorial changes: 1) Fixes initial ClientHello record layer version to { 3, 1 } (TLS 1.0) & mandates all other record layer versions to match negotiated version. (Brian's suggestion) In SCSV discussion, evidence was given that this improves interop by 5.3% for TLS 1.3 & an additional 1.5% for TLS 1.2: http://www.ietf.org/mail-archive/web/tls/current/msg15141.html 2) Mention some other interop concerns along side existing notes. 3) Cite RC4 prohibition pending RFC. 4) "If an implementation negotiates usage of TLS 1.2, then negotiation of cipher suites also supported by TLS 1.3 SHOULD be preferred, if available." (only a SHOULD, and only if available; language up for negotiation if needed) 5) Explicitly prohibit EXPORT ciphers and any others <100 bits. (100 bit line is arbitrary; could be 112 if preferred) Dave
- [TLS] consensus on backwards compatibility changes Dave Garrett
- Re: [TLS] consensus on backwards compatibility ch… Eric Rescorla
- Re: [TLS] consensus on backwards compatibility ch… Kurt Roeckx
- Re: [TLS] consensus on backwards compatibility ch… Dave Garrett
- Re: [TLS] consensus on backwards compatibility ch… Dave Garrett
- Re: [TLS] consensus on backwards compatibility ch… Kurt Roeckx
- Re: [TLS] consensus on backwards compatibility ch… Dave Garrett
- Re: [TLS] consensus on backwards compatibility ch… Kurt Roeckx
- Re: [TLS] consensus on backwards compatibility ch… Joseph Salowey
- Re: [TLS] consensus on backwards compatibility ch… Sean Turner
- Re: [TLS] consensus on backwards compatibility ch… Ira McDonald
- Re: [TLS] consensus on backwards compatibility ch… Martin Rex
- Re: [TLS] consensus on backwards compatibility ch… Martin Rex
- Re: [TLS] consensus on backwards compatibility ch… Joseph Salowey
- Re: [TLS] consensus on backwards compatibility ch… Dave Garrett
- Re: [TLS] consensus on backwards compatibility ch… Florian Weimer
- Re: [TLS] consensus on backwards compatibility ch… Martin Rex
- Re: [TLS] consensus on backwards compatibility ch… Florian Weimer
- Re: [TLS] consensus on backwards compatibility ch… Eric Rescorla
- Re: [TLS] consensus on backwards compatibility ch… Dave Garrett
- Re: [TLS] consensus on backwards compatibility ch… Michael Clark
- Re: [TLS] consensus on backwards compatibility ch… Dave Garrett
- Re: [TLS] consensus on backwards compatibility ch… Nikos Mavrogiannopoulos
- Re: [TLS] consensus on backwards compatibility ch… Dave Garrett
- Re: [TLS] consensus on backwards compatibility ch… Ilari Liusvaara