Re: [TLS] draft-ietf-tls-renegotation: next
Marsh Ray <marsh@extendedsubset.com> Thu, 17 December 2009 21:38 UTC
Return-Path: <marsh@extendedsubset.com>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id B27A43A6832 for <tls@core3.amsl.com>; Thu, 17 Dec 2009 13:38:09 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.591
X-Spam-Level:
X-Spam-Status: No, score=-2.591 tagged_above=-999 required=5 tests=[AWL=0.008, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ltO5q91azFaV for <tls@core3.amsl.com>; Thu, 17 Dec 2009 13:38:08 -0800 (PST)
Received: from mho-02-ewr.mailhop.org (mho-02-ewr.mailhop.org [204.13.248.72]) by core3.amsl.com (Postfix) with ESMTP id 2780E3A6403 for <tls@ietf.org>; Thu, 17 Dec 2009 13:38:08 -0800 (PST)
Received: from xs01.extendedsubset.com ([69.164.193.58]) by mho-02-ewr.mailhop.org with esmtpa (Exim 4.68) (envelope-from <marsh@extendedsubset.com>) id 1NLO2j-000Lr7-Bz; Thu, 17 Dec 2009 21:37:53 +0000
Received: from [127.0.0.1] (localhost [127.0.0.1]) by xs01.extendedsubset.com (Postfix) with ESMTP id 4892B6678; Thu, 17 Dec 2009 21:37:51 +0000 (UTC)
X-Mail-Handler: MailHop Outbound by DynDNS
X-Originating-IP: 69.164.193.58
X-Report-Abuse-To: abuse@dyndns.com (see http://www.dyndns.com/services/mailhop/outbound_abuse.html for abuse reporting information)
X-MHO-User: U2FsdGVkX1/S9Wpq4n3QHFBie8JXnXlgmhAbGWrnjaY=
Message-ID: <4B2AA4AE.5070306@extendedsubset.com>
Date: Thu, 17 Dec 2009 15:37:50 -0600
From: Marsh Ray <marsh@extendedsubset.com>
User-Agent: Thunderbird 2.0.0.23 (Windows/20090812)
MIME-Version: 1.0
To: mrex@sap.com
References: <200912171858.nBHIwG5H008367@fs4113.wdf.sap.corp>
In-Reply-To: <200912171858.nBHIwG5H008367@fs4113.wdf.sap.corp>
X-Enigmail-Version: 0.96.0
OpenPGP: id=1E36DBF2
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
Cc: tls@ietf.org
Subject: Re: [TLS] draft-ietf-tls-renegotation: next
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 17 Dec 2009 21:38:09 -0000
Martin Rex wrote: > Marsh Ray wrote: >>> But as I described, >>> these are going to be servers that do not renegotiate anyway, >> TLS does not define such a thing as a "server that does not >> renegotiate". There may be in fact some application protocols or servers >> which do not, but TLS provide no way to indicate this in the handshake. > > As evident from rfc-5246 Appendix D. renegotiation is an optional > feature of the SSLv3/TLS protocol family and not available in all > implementations of SSLv3/TLS. > > Since you are still listed as an author of the spec, (Shhh...I'm hoping they don't catch on.) > I consider > your interpretation fairly authoritative for what the spec intends > to say. As you wish, I shall interpret this matter to the full extent of my authority. > --which means that there is a defect, because it does currently > _not_ specify the behaviour for non-renegotiating servers A protocol spec that says "this is how an initial handshake is to be done" and "this is how a renegotiating handshake works" is not defective simply because some uses of the protocol choose not to do renegotiation. > (which you incorrectly assumed to not exist). I have done nothing of the sort. I am quite sure there are TLS clients and servers which absolutely do not renegotiate. I don't think any of the widely used general purpose implementations are in that category. But the TLS specs don't define this in the protocol such that it can communicated as part of the handshake which establishes the security parameters. Therefore it is not useful in making security decisions at the TLS level. > Please fix this defect _before_ publishing this specification. I don't see it, sorry. > The only reason why secure TLS renegotiation can be considered > an update to the existing installed base at all (and not a different > non-interoperable protocol), is that renegotiation has never been > a core element of SSLv3/TLS and is optional-to-implement. That doesn't make sense to me. > Essentially, the secure renegotiation spec is deprecating the > old renegotiation and defining a new, optional, secure renegotiation. Don't forget the initial handshake has new requirements, too. > Describing potential vulnerabilities from using backwards-interoble > renegotiation with the installed base and discouraging the use of > that old optional feature is fine. Encouraging the use the > new optional and secure renegotiation is also no problem. > Describing security implications of old TLS peers that still > offer old renegotiation is also no problem. > > Discouraging the interoperability with compliant but > not updated SSLv3->TLSv1.2 on the core protocol elements > (aka initial TLS handshake) is inacceptable, Yes, my personal and professional mission is to discourage interoperability where such interoperability does not deliver the stated and implied guarantees for the security of the data. Too bad if you don't like it. My own livelihood, as well as that of most of my friends, depends pretty directly on the security of this protocol. I have personally recommended enough SSL/TLS-based soultions at this point that I feel quite obligated to work on keeping it healthy. Nevertheless, the wording of the current spec leaves the option of interoperating (possibly insecurely) with unpatched endpoints up to vendors and their customers to decide. My personal recommendation is to be in this compatible mode for as short a time as possible because it does not offer the full security guarantees intended for TLS. And I'm not letting folks go around making misrepresentations about the security of broken versions of it. > because it would > make updated TLS peers non-compliant with the original TLS spec, > which implies these peers are using a different protocol. As well they should, because the current SSLv3 and TLS specs are broken, in a worse way even than SSLv2. - Marsh
- [TLS] draft-ietf-tls-renegotation: next steps Pasi.Eronen
- Re: [TLS] draft-ietf-tls-renegotation: next steps Martin Rex
- Re: [TLS] draft-ietf-tls-renegotation: next steps Paul Hoffman
- Re: [TLS] draft-ietf-tls-renegotation: next steps Michael D'Errico
- Re: [TLS] draft-ietf-tls-renegotation: next steps Martin Rex
- Re: [TLS] draft-ietf-tls-renegotation: next steps Marsh Ray
- Re: [TLS] draft-ietf-tls-renegotation: next steps Eric Rescorla
- Re: [TLS] [POSSIBLE SPAM] Re: draft-ietf-tls-rene… Kemp, David P.
- Re: [TLS] draft-ietf-tls-renegotation: next steps Marsh Ray
- Re: [TLS] draft-ietf-tls-renegotation: next steps Martin Rex
- Re: [TLS] [POSSIBLE SPAM] Re: draft-ietf-tls-rene… Martin Rex
- Re: [TLS] [POSSIBLE SPAM] Re: draft-ietf-tls-rene… Marsh Ray
- [TLS] Generic process issues (Re: Re: draft-ietf-… Nicolas Williams
- Re: [TLS] [POSSIBLE SPAM] Re: draft-ietf-tls-rene… Martin Rex
- Re: [TLS] [POSSIBLE SPAM] Re: draft-ietf-tls-rene… Martin Rex
- Re: [TLS] [POSSIBLE SPAM] Re: draft-ietf-tls-rene… Marsh Ray
- Re: [TLS] [POSSIBLE SPAM] Re: draft-ietf-tls-rene… Martin Rex
- Re: [TLS] draft-ietf-tls-renegotation: next steps David-Sarah Hopwood
- Re: [TLS] draft-ietf-tls-renegotation: next steps David-Sarah Hopwood
- Re: [TLS] draft-ietf-tls-renegotation: next steps Martin Rex
- Re: [TLS] [POSSIBLE SPAM] Re: draft-ietf-tls-rene… Marsh Ray
- Re: [TLS] draft-ietf-tls-renegotation: next Pasi.Eronen
- Re: [TLS] [POSSIBLE SPAM] Re: draft-ietf-tls-rene… Martin Rex
- Re: [TLS] [POSSIBLE SPAM] Re: draft-ietf-tls-rene… Martin Rex
- Re: [TLS] draft-ietf-tls-renegotation: next Martin Rex
- Re: [TLS] draft-ietf-tls-renegotation: next Martin Rex
- Re: [TLS] draft-ietf-tls-renegotation: next Marsh Ray
- Re: [TLS] draft-ietf-tls-renegotation: next Kyle Hamilton
- Re: [TLS] draft-ietf-tls-renegotation: next Martin Rex
- Re: [TLS] draft-ietf-tls-renegotation: next Michael D'Errico
- Re: [TLS] draft-ietf-tls-renegotation: next David-Sarah Hopwood