Re: [TLS] One approach to rollback protection
Adam Langley <agl@google.com> Tue, 27 September 2011 00:54 UTC
Return-Path: <agl@google.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5BADB1F0C86 for <tls@ietfa.amsl.com>; Mon, 26 Sep 2011 17:54:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -105.927
X-Spam-Level:
X-Spam-Status: No, score=-105.927 tagged_above=-999 required=5 tests=[AWL=0.050, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NFH8LhhQoSnI for <tls@ietfa.amsl.com>; Mon, 26 Sep 2011 17:54:07 -0700 (PDT)
Received: from smtp-out.google.com (smtp-out.google.com [74.125.121.67]) by ietfa.amsl.com (Postfix) with ESMTP id 7854421F8CEC for <tls@ietf.org>; Mon, 26 Sep 2011 17:54:07 -0700 (PDT)
Received: from hpaq14.eem.corp.google.com (hpaq14.eem.corp.google.com [172.25.149.14]) by smtp-out.google.com with ESMTP id p8R0ukKU021733 for <tls@ietf.org>; Mon, 26 Sep 2011 17:56:46 -0700
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d=google.com; s=beta; t=1317085006; bh=SebTVZqCuHpEYWgxq1o5BOEsfNU=; h=MIME-Version:In-Reply-To:References:Date:Message-ID:Subject:From: To:Cc:Content-Type; b=TCwojykSS3CetJ0ZcNSTMBNy9SC6yV4ONComON/oIA4jbM26vr92rhcA5a5le+1db MDRaCZPbisiFLosboiTnw==
DomainKey-Signature: a=rsa-sha1; s=beta; d=google.com; c=nofws; q=dns; h=dkim-signature:mime-version:in-reply-to:references:date: message-id:subject:from:to:cc:content-type:x-system-of-record; b=JVb8Q3vafUk/MSl50mX++EqzdUuYwpR3Lt8nj2tZcjHH2RLg24fUFGGF7QXF4GHm9 RKsYMiSWBopAQMyK0IIgA==
Received: from iadx2 (iadx2.prod.google.com [10.12.150.2]) by hpaq14.eem.corp.google.com with ESMTP id p8R0ueTH020640 (version=TLSv1/SSLv3 cipher=RC4-SHA bits=128 verify=NOT) for <tls@ietf.org>; Mon, 26 Sep 2011 17:56:44 -0700
Received: by iadx2 with SMTP id x2so6015547iad.20 for <tls@ietf.org>; Mon, 26 Sep 2011 17:56:44 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=beta; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=6qigi/sMn4evp19YQAZva32fKnzq8vF+XvUCRTxeI7w=; b=cQIU0zibWkErpeTDd0Bxctp2g9iaNMPOkn5kqZ9dcN3TflScWEo8OG+Iodl5GlxwlB 6jq9q1+qBTFQ3VK9ymnw==
Received: by 10.231.28.205 with SMTP id n13mr2861848ibc.47.1317085004674; Mon, 26 Sep 2011 17:56:44 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.231.28.205 with SMTP id n13mr2861826ibc.47.1317085003513; Mon, 26 Sep 2011 17:56:43 -0700 (PDT)
Received: by 10.231.19.137 with HTTP; Mon, 26 Sep 2011 17:56:43 -0700 (PDT)
In-Reply-To: <CABcZeBNFtVBh7a=j4LE73Q0c-W8KGe4aKNBVZam1qOZr=aRaRQ@mail.gmail.com>
References: <CABcZeBNFtVBh7a=j4LE73Q0c-W8KGe4aKNBVZam1qOZr=aRaRQ@mail.gmail.com>
Date: Mon, 26 Sep 2011 20:56:43 -0400
Message-ID: <CAL9PXLybu+RTnHKSw52Crq7Pt09sAiGcsTz_BnRJ_hxFVdjN4A@mail.gmail.com>
From: Adam Langley <agl@google.com>
To: Eric Rescorla <ekr@rtfm.com>
Content-Type: text/plain; charset="UTF-8"
X-System-Of-Record: true
Cc: tls@ietf.org
Subject: Re: [TLS] One approach to rollback protection
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 27 Sep 2011 00:54:08 -0000
On Mon, Sep 26, 2011 at 7:44 PM, Eric Rescorla <ekr@rtfm.com> wrote: > I've taken an initial crack at a draft for this: > http://svn.resiprocate.org/rep/ietf-drafts/ekr/draft-rescorla-tls-version-cs.txt In Table 1 you list TLS 1.1 twice. It has been suggested by Yngve that the existing SSLv3, renego SCSV be used to indicate TLS 1.0 support. That's something that I suspect we will try. > If the SCSV value is present and is not equal to ClientHello.client_version, then the server MUST terminate the handshake with a fatal "handshake_failure" alert. This doesn't really make the deployment of new TLS versions that much easier. The client would still have to try 1.2, 1.1, 1.0 etc. What would be helpful is if the server, seeing a TLS 1.2 SCSV, treated the client as if it has advertised 1.2. Cheers AGL
- [TLS] One approach to rollback protection Eric Rescorla
- Re: [TLS] One approach to rollback protection Eric Rescorla
- Re: [TLS] One approach to rollback protection Nico Williams
- Re: [TLS] One approach to rollback protection Martin Rex
- Re: [TLS] One approach to rollback protection Eric Rescorla
- Re: [TLS] One approach to rollback protection Martin Rex
- Re: [TLS] One approach to rollback protection Eric Rescorla
- Re: [TLS] One approach to rollback protection Martin Rex
- Re: [TLS] One approach to rollback protection Adam Langley
- Re: [TLS] One approach to rollback protection Eric Rescorla
- Re: [TLS] One approach to rollback protection Eric Rescorla
- Re: [TLS] One approach to rollback protection Martin Rex
- Re: [TLS] One approach to rollback protection Martin Rex
- Re: [TLS] One approach to rollback protection Adam Langley
- Re: [TLS] One approach to rollback protection Marsh Ray
- Re: [TLS] One approach to rollback protection Juho Vähä-Herttua
- Re: [TLS] One approach to rollback protection Nikos Mavrogiannopoulos
- Re: [TLS] One approach to rollback protection Yoav Nir
- Re: [TLS] One approach to rollback protection Dan Winship
- Re: [TLS] One approach to rollback protection Nikos Mavrogiannopoulos
- Re: [TLS] One approach to rollback protection Badra
- Re: [TLS] One approach to rollback protection Matt McCutchen
- Re: [TLS] One approach to rollback protection Martin Rex
- Re: [TLS] One approach to rollback protection Yngve N. Pettersen
- Re: [TLS] One approach to rollback protection Martin Rex
- Re: [TLS] One approach to rollback protection Martin Rex
- Re: [TLS] One approach to rollback protection Nikos Mavrogiannopoulos
- Re: [TLS] One approach to rollback protection Martin Rex