Re: [TLS] simplistic renego protection

[Eric Rescorla <ekr@networkresonance.com>]

At Mon, 16 Nov 2009 15:05:31 +0100 (MET),
Martin Rex wrote:
> Eric Rescorla wrote:
> > > Think about the lines of code for a client:
> > 
> > I don't agree with your analysis of code complexity, but even if
> > you were correct the implementation effort is in any case so
> > minimal compared to the size of the deployment problem
> > that it strikes me as largely irrelevant. Moreover, we already
> > have implementations of RI, so the marginal implementation
> > effort is even lower compared to doing something new.
> 
> You're going to waste network bandwith eternally in a completely
> useless fashion.

This strikes me as a fairly unconvincing objection. The average TLS
handshake consumes something like 1+ KB. This extension consumes
something like 45 bytes. Given that when we did TLS 1.1 added
16 bytes to every single CBC datagram, I'm having trouble getting
worked up about the additional overhead.


> So you want the IETF to rubber-stamp an obviously inferior approach
> because you prefered to come up with a solution in secret?

No, thats not what I want.

(1) It's your opinion that this is "obviously inferior". I don't
    agree, for reasons I've already indicated.

(2) I didn't prefer to come up with a solution in secret. I was
    informed of this issue in secret, worked with others to
    develop a fix, and then submitted it to the IETF for public
    review and comment. What, exactly, is it you think I did
    that was inappropriate, bearing in mind that I was informed
    of the issue under NDA?

More generally, I appreciate that you feel that you're technically
right and others are wrong, but I'd ask you to remember that
others may have come to other conclusions and that it doesn't
really help to imply as you do above that they're acting in bad
faith.

-Ekr