Re: [TLS] SCSV vs RI when both specified. Was: Updated draft

Marsh Ray <marsh@extendedsubset.com> Fri, 18 December 2009 20:13 UTC

Return-Path: <marsh@extendedsubset.com>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id C445328C105 for <tls@core3.amsl.com>; Fri, 18 Dec 2009 12:13:12 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.591
X-Spam-Level:
X-Spam-Status: No, score=-2.591 tagged_above=-999 required=5 tests=[AWL=0.008, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id SpdKHYfQEI3g for <tls@core3.amsl.com>; Fri, 18 Dec 2009 12:13:11 -0800 (PST)
Received: from mho-02-ewr.mailhop.org (mho-02-ewr.mailhop.org [204.13.248.72]) by core3.amsl.com (Postfix) with ESMTP id D0E9A28C0F9 for <tls@ietf.org>; Fri, 18 Dec 2009 12:13:11 -0800 (PST)
Received: from xs01.extendedsubset.com ([69.164.193.58]) by mho-02-ewr.mailhop.org with esmtpa (Exim 4.68) (envelope-from <marsh@extendedsubset.com>) id 1NLjC4-000JMq-L1 for tls@ietf.org; Fri, 18 Dec 2009 20:12:56 +0000
Received: from [127.0.0.1] (localhost [127.0.0.1]) by xs01.extendedsubset.com (Postfix) with ESMTP id 928586678 for <tls@ietf.org>; Fri, 18 Dec 2009 20:12:55 +0000 (UTC)
X-Mail-Handler: MailHop Outbound by DynDNS
X-Originating-IP: 69.164.193.58
X-Report-Abuse-To: abuse@dyndns.com (see http://www.dyndns.com/services/mailhop/outbound_abuse.html for abuse reporting information)
X-MHO-User: U2FsdGVkX19rIp1rHi68nsCGCPEJ/sMGw6C3PJpjpPY=
Message-ID: <4B2BE246.9040307@extendedsubset.com>
Date: Fri, 18 Dec 2009 14:12:54 -0600
From: Marsh Ray <marsh@extendedsubset.com>
User-Agent: Thunderbird 2.0.0.23 (Windows/20090812)
MIME-Version: 1.0
To: "tls@ietf.org" <tls@ietf.org>
References: <200912181944.nBIJiLMU005565@fs4113.wdf.sap.corp>
In-Reply-To: <200912181944.nBIJiLMU005565@fs4113.wdf.sap.corp>
X-Enigmail-Version: 0.96.0
OpenPGP: id=1E36DBF2
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Subject: Re: [TLS] SCSV vs RI when both specified. Was: Updated draft
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 18 Dec 2009 20:13:12 -0000

Martin Rex wrote:
> Marsh Ray wrote:
>> Martin Rex wrote:
>>>
>>> TLS_RENEGO_PROTECTION_REQUEST is a request from the client to the
>>> server to perform a secure handshake and confirm this by sending
>>> TLS extension RI in ServerHello.
>> But what does that mean? What is "a secure handshake" if you're not
>> sending the RI extension? To the extent that this document is describing
>> how to perform a secure handshake, that definition is circular.
> 
> "A secure handshake" is one where client and server will check
> whether the contents of the TLS renegotiation RI match the
> verify_data from the Finished messages from the enclosing TLS session
> and TLS peers should abort the handshake if the conveyed information
> does not match.  The presence of an empty TLS extension RI in ClientHello
> is obviated by presence of SCSV in this ClientHello handshake message.

OK, let's see how that definition passes the substitution test:

"TLS_RENEGO_PROTECTION_REQUEST is a request from the client to the
server to perform a handshake where client and server will check whether
the contents of the TLS renegotiation RI match the verify_data from the
Finished messages from the enclosing TLS session and TLS peers should
abort the handshake if the conveyed information does not match and
confirm this by sending TLS extension RI in ServerHello."

Hmm, complete nonsense. That definition talks about how RI data is
interpreted which is the antithesis of what SCSV is about.

Come up with a way to complete a sentence that begins with
"TLS_RENEGO_PROTECTION_REQUEST is" or "SCSV means" such that it
describes the three cases for it in a reasonably consistent way.

Real difficulties in doing this is, in my experience, a pretty good sign
that something is wrong with a design.

I think this is possible to do with wording (I) and much more
challenging with the others.

> Do not try to describe scenarios.  That is completely unecessary,
> very confusing and you may easily get the description of one of
> the cases wrong and cause confusion among implementors.

So you can't define SCSV, and I can't enumerate the scenarios where it
can be used either?

> The implementer's feedback was:
> In order to implement this MUST NOT I have to add two extra conditionals
> to the code, and I have to build test cases to check whether that doesn't
> break anything and whether I am compliant -- but in reality these
> two conditionals are completely useless, they do not add any value
> to the protocol and neither to the security.

I would build those test cases anyway.

Having all cases defined and handled in an intentional way (even where
they are defined to be ignored) is a good thing and inherently valuable.
Perhaps nowhere more so than in the TLS initial hello handshaking.

- Marsh