IETF Logo Mail Archive

Re: [TLS] Working Group Last Call for draft-ietf-tls-downgrade-scsv-00

mrex@sap.com (Martin Rex) Wed, 15 October 2014 18:52 UTC

Return-Path: <mrex@sap.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 295191A90C7 for <tls@ietfa.amsl.com>; Wed, 15 Oct 2014 11:52:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -8.551
X-Spam-Level:
X-Spam-Status: No, score=-8.551 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, GB_I_INVITATION=-2, HELO_EQ_DE=0.35, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Be3z-xLWYbZE for <tls@ietfa.amsl.com>; Wed, 15 Oct 2014 11:52:19 -0700 (PDT)
Received: from smtpde01.smtp.sap-ag.de (smtpde01.smtp.sap-ag.de [155.56.68.170]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 64C3C1A90DD for <tls@ietf.org>; Wed, 15 Oct 2014 11:52:19 -0700 (PDT)
Received: from mail05.wdf.sap.corp (mail05.sap.corp [194.39.131.55]) by smtpde01.smtp.sap-ag.de (Postfix) with ESMTPS id 4B10B5520D; Wed, 15 Oct 2014 20:52:17 +0200 (CEST)
Received: from ld9781.wdf.sap.corp (ld9781.wdf.sap.corp [10.21.82.193]) by mail05.wdf.sap.corp (Postfix) with ESMTP id 00AB941B9D; Wed, 15 Oct 2014 20:52:16 +0200 (CEST)
Received: by ld9781.wdf.sap.corp (Postfix, from userid 10159) id EE6371AEDF; Wed, 15 Oct 2014 20:52:16 +0200 (CEST)
In-Reply-To: <543E2D81.1050700@redhat.com>
To: Florian Weimer <fweimer@redhat.com>
Date: Wed, 15 Oct 2014 20:52:16 +0200
X-Mailer: ELM [version 2.4ME+ PL125 (25)]
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="US-ASCII"
Message-Id: <20141015185216.EE6371AEDF@ld9781.wdf.sap.corp>
From: mrex@sap.com
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/DKATqzuLb5c2AQ3e4NZ1ouM_2pg
Cc: tls@ietf.org
Subject: Re: [TLS] Working Group Last Call for draft-ietf-tls-downgrade-scsv-00
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: mrex@sap.com
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 15 Oct 2014 18:52:24 -0000

Florian Weimer wrote:
> Joseph Salowey (jsalowey) wrote:
>>
>> This is an announcement for the working group last call for
>> draft-ietf-tls-downgrade-scsv-00.  Please review the document
>> and send your comments to the list by Friday, October 17, 2014.
> 
> I'm strongly against this proposal. 

I'm also strongly opposed to this proposal, because it does not provide
any value--there is not one single *additional* TLS handshake that it
will make succeed, instead, the only thing that this proposal will
provide is either zero benefit or fatal interop failure, i.e. it
if there is any result from it it will be headaches to users, sysadmins
and helpdesks.

This proposal is as far opposite from the spirit of the IETF as
one can possibly get.


What we would need instead of this proposal, is one that will

  (1) make more TLS handshakes succeed

  (2) make more TLS handshakes succeed with new protocol features

  (3) make more TLS handshakes succeed with new protocol features
      for regular app clients that do not have re-connect fallback in place,
      and _without_ interfering with conservative ClientHellos that these
      clients use to maintain interop with old, "broken" servers out there.


The "downgrade-scsv" has the effective semantics of
"kick me if you can read this", which is pretty silly on my scorecard.


A reasonable alternative SCSV would have the semantics
"Dear Server, I'm a new, full-featured client and would really like
to send you a full-featured ClientHello, but didn't dare doing as
the first message on the connection because of all the old broken
servers out there which choke on feature-rich ClientHellos".

And a new Server's response to such an SCSV should be to
respond with a ServerHello+ServerHelloDone which carries the SCSV
in the ServerHello.cipher_suite = SCSV, which the client will
recognize and understand as an invitation to send the desired
full-featured ClientHello (on the very same existing connection
transparently).


-Martin

v2.23.0 | Report a Bug | By Email