Re: [TLS] Updated draft

Michael D'Errico <> Thu, 17 December 2009 18:08 UTC


In section 4 it says:

    Because the SCSV is equivalent to an empty "renegotiation_info"
    extension, any ClientHello used for secure renegotiation MUST include
    the "renegotiation_info" extension and not the SCSV.

I would rather see the text say that "an RI extension takes precedence
over the SCSV" than to say that you must not send SCSV when you send RI.
It is easier for a client to simply include SCSV in every ClientHello.
It is also trivial for a server to handle this, as I pointed out in my
last message.


Eric Rescorla wrote:
> I've just submitted a new draft that is intended to enact most of
> Pasi's message as well as the noncontroversial editorial comments
> people have raised. Here is what I know still needs work:
> - The final resolution to what's sent in the legacy renegotiation
>   case (see Pasi's message and the text I sent earlier).
> - New text for the identity section in Security considerations.
>   (Pending closure on the list).
> - Make a pass through for clarity for implementors. 
>   (Also, I have some text here that Pasi contributed that I
>   need to work in).
> If you think you made a comment which is noncontroversial
> that didn't make it in and/or I screwed up incorporating your
> comment, please let me know and I'll try to fix.
> For some reason, the submission tool is forcing manual 
> submission. In the interim you can find it at:
> Thanks,
> -Ekr