Re: [TLS] Renego Indication RI patch interaction with TLS major version interop

"Brian Smith" <brian@briansmith.org> Tue, 15 June 2010 22:12 UTC

From: Brian Smith <brian@briansmith.org>
To: 'Marsh Ray' <marsh@extendedsubset.com>, TLS@ietf.org
References: <4C17AA89.8060904@extendedsubset.com> <4C17B2FE.7080604@pobox.com> <4C17B7C9.8090006@extendedsubset.com>
In-Reply-To: <4C17B7C9.8090006@extendedsubset.com>
Date: Tue, 15 Jun 2010 17:12:30 -0500

Marsh Ray wrote:
> On 6/15/2010 11:46 AM, Brian Smith wrote:
> > I don't think it is a big deal; the main consequence is that all TLS
> > version numbers should continue to start with 0x03.
> 
> That's not something compliant servers are allowed to decide. The power to set
> protocol version numbering policy belongs to the IETF and IANA for good reason.

Marsh,

I just mean that the article is misleading in that it implies that the vast
majority of servers are implementing the renegotiation protection draft
incorrectly, when really they are implementing something else wrongly that
doesn't have a *practical* effect on renegotiation protection. If the test
fails for 0x03FF then, yes, there may be something to worry about. But I
think we would all be quite relieved if supporting versions >= 0x0400 was
one of the top 10 (or 100) most pressing issues regarding TLS. 

Regarding NSS on servers: I think it will become increasingly common due to
initiatives like the following:
http://fedoraproject.org/wiki/FedoraCryptoConsolidation
http://en.opensuse.org/SharedCertStore

Regards,
Brian