Re: [TLS] What would be the point of removing signalling in TLS 1.3?

[Stefan Santesson <stefan@aaa-sec.com>]

If you fix the Finished message calculation, making it immune to the
renegotiation attack, and making it the standard Finished calculation for
1.3.... Then why would you need to signal that you are using the standard
Finished calculation?

/Stefan


On 09-11-26 8:01 PM, "David-Sarah Hopwood" <david-sarah@jacaranda.org>
wrote:

> Stefan Santesson wrote:
>> Consequently, if we design an updated Finished calculation now, we can keep
>> that in TLS 1.3 and just remove the signaling we now add for SSLv3 -> TLS
>> 1.2.
> 
> I really don't see any advantage in removing the signalling in TLS 1.3.
> It doesn't simplify anything.
> 
> For removing the signalling to work, we would have to specify in the
> *current* fix that:
> 
>  - sending a client version of {0x03, 0x04} or higher has the same
>    meaning as sending the client->server signal.
> 
>  - negotiating {0x03, 0x04} or higher has the same meaning as sending
>    the server->client signal.
> 
> That is just additional specification and implementation complexity, and
> more cases that need to be tested, compared to using the signalling forever
> and treating TLS 1.3+ in exactly the same way as TLS 1.0-1.2. Forget the
> number of extra bits on the wire (which is negligable); it's the complexity
> of the spec and of implementations, which necessarily have to support
> multiple versions, that matters.
> 
> The original SSLv3 design messed up renegotiation; we'll just have to live
> with some ugliness as a result of fixing it.