Re: [TLS] Working Group Last Call fordraft-ietf-tls-ssl2-must-not-02
Martin Rex <mrex@sap.com> Tue, 02 November 2010 22:54 UTC
Return-Path: <mrex@sap.com>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 30E9F3A6A34 for <tls@core3.amsl.com>; Tue, 2 Nov 2010 15:54:48 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.149
X-Spam-Level:
X-Spam-Status: No, score=-10.149 tagged_above=-999 required=5 tests=[AWL=0.100, BAYES_00=-2.599, HELO_EQ_DE=0.35, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id teZADeo1ye3G for <tls@core3.amsl.com>; Tue, 2 Nov 2010 15:54:45 -0700 (PDT)
Received: from smtpde01.sap-ag.de (smtpde01.sap-ag.de [155.56.68.170]) by core3.amsl.com (Postfix) with ESMTP id C82AF3A69C1 for <tls@ietf.org>; Tue, 2 Nov 2010 15:54:44 -0700 (PDT)
Received: from mail.sap.corp by smtpde01.sap-ag.de (26) with ESMTP id oA2MsGoH022229 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Tue, 2 Nov 2010 23:54:16 +0100 (MET)
From: Martin Rex <mrex@sap.com>
Message-Id: <201011022254.oA2MsEgY025058@fs4113.wdf.sap.corp>
To: ietfc@btconnect.com
Date: Tue, 02 Nov 2010 23:54:14 +0100
In-Reply-To: <03bf01cb7751$116cf240$4001a8c0@gateway.2wire.net> from "t.petch" at Oct 29, 10 12:01:10 pm
MIME-Version: 1.0
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 8bit
X-Scanner: Virus Scanner virwal07
X-SAP: out
Cc: tls@ietf.org
Subject: Re: [TLS] Working Group Last Call fordraft-ietf-tls-ssl2-must-not-02
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
Reply-To: mrex@sap.com
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 02 Nov 2010 22:54:48 -0000
t.petch wrote: > > In the same vein as 1), I would like this to update RFC4347; there is a > presumption that updates to TLS should specify their applicability to DTLS and > it would be a shame if SSL continued to be used with DTLS. I'm confused. AFAIK there is no DTLS version of SSLv2 (and even none for SSLv3, I assume), so this particular update does not apply to DTLS. -Martin > ----- Original Message ----- > From: "Martin Rex" <mrex@sap.com> > To: "Joe Salowey" <jsalowey@cisco.com> > Cc: <tls@ietf.org> > Sent: Monday, October 25, 2010 9:52 PM > Subject: Re: [TLS] Working Group Last Call fordraft-ietf-tls-ssl2-must-not-02 > > > > Joe Salowey wrote: > > > > > > This is an announcement of WGLC for draft-ietf-tls-ssl2-must-not-02. The > draft and its revisions can be found here: > > > > > > http://tools.ietf.org/html/draft-ietf-tls-ssl2-must-not-02 > > > > > > Please send comments to the TLS list by November 17, 2010. > > > > This WGLC is about publication of the document, I assume. > > > > In principle I'm OK with publication. > > > > Re-reading it, I'd like to make two observations: > > > > 1. Per document header: > > Updates: 5246 (once approved) > > this document intends to update rfc-5246 _only_. The text in > > Sections 1 and 3 does not limit itself to implementations of TLSv1.2, > > and I would support to similarily discourage the use of SSLv2 for > > existing implementations of TLSv1.0 and TLSv1.1. > > > > How about listing TLSv1.0 (rfc2246) and TLSv1.1 (rfc4346) > > as well in the Updates: of the document header, > > just like RFC5746 (TLS extension RI) does. > > > > > > 2. SSLv2 deficiencies: "Sessions can be easily terminated" > > > > o Sessions can be easily terminated. A man-in-the-middle can easily > > insert a TCP FIN to close the session and the peer is unable to > > determine whether or not it was a legitimate end of the session. > > > > I think this exaggerates the usefulness of the closy_notify(0) > > warning level alert as used in practice. By using an application > > level framing protocol to mark boundaries of data, it is fairly > > easy for application callers to compensate for this "lack" of SSLv2. > > Many applications that use a framing protocol look only at their > > own framing rather than waiting for the close_notify alert exchange > > to _complete_. > > > > > > -Martin > > _______________________________________________ > > TLS mailing list > > TLS@ietf.org > > https://www.ietf.org/mailman/listinfo/tls > > _______________________________________________ > TLS mailing list > TLS@ietf.org > https://www.ietf.org/mailman/listinfo/tls >
- [TLS] Working Group Last Call for draft-ietf-tls-… Joe Salowey
- Re: [TLS] Working Group Last Call for draft-ietf-… Simon Josefsson
- Re: [TLS] Working Group Last Call for draft-ietf-… Nikos Mavrogiannopoulos
- Re: [TLS] Working Group Last Call for draft-ietf-… Yoav Nir
- Re: [TLS] Working Group Last Call for draft-ietf-… Michael D'Errico
- Re: [TLS] Working Group Last Call for draft-ietf-… Paul Hoffman
- Re: [TLS] Working Group Last Call for draft-ietf-… Martin Rex
- Re: [TLS] Working Group Last Call for Martin Rex
- Re: [TLS] Working Group Last Call for Marsh Ray
- Re: [TLS] Working Group Last Call fordraft-ietf-t… t.petch
- Re: [TLS] Working Group Last Call fordraft-ietf-t… Martin Rex
- Re: [TLS] Working Group Last Call fordraft-ietf-t… t.petch