Re: [TLS] Updated draft
Martin Rex <mrex@sap.com> Fri, 18 December 2009 17:14 UTC
Return-Path: <mrex@sap.com>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 6C0503A67F1 for <tls@core3.amsl.com>; Fri, 18 Dec 2009 09:14:12 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.897
X-Spam-Level:
X-Spam-Status: No, score=-5.897 tagged_above=-999 required=5 tests=[AWL=-0.248, BAYES_00=-2.599, HELO_EQ_DE=0.35, J_CHICKENPOX_45=0.6, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RmvZXTaFveHF for <tls@core3.amsl.com>; Fri, 18 Dec 2009 09:14:11 -0800 (PST)
Received: from smtpde01.sap-ag.de (smtpde01.sap-ag.de [155.56.68.171]) by core3.amsl.com (Postfix) with ESMTP id C628C3A68E8 for <tls@ietf.org>; Fri, 18 Dec 2009 09:14:10 -0800 (PST)
Received: from mail.sap.corp by smtpde01.sap-ag.de (26) with ESMTP id nBIHDoQI025064 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Fri, 18 Dec 2009 18:13:51 +0100 (MET)
From: Martin Rex <mrex@sap.com>
Message-Id: <200912181713.nBIHDo9C026697@fs4113.wdf.sap.corp>
To: marsh@extendedsubset.com
Date: Fri, 18 Dec 2009 18:13:50 +0100
In-Reply-To: <4B2BAFAC.9020501@extendedsubset.com> from "Marsh Ray" at Dec 18, 9 10:37:00 am
MIME-Version: 1.0
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 8bit
X-Scanner: Virus Scanner virwal05
X-SAP: out
Cc: rdugal@certicom.com, tls@ietf.org
Subject: Re: [TLS] Updated draft
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
Reply-To: mrex@sap.com
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 18 Dec 2009 17:14:12 -0000
Marsh Ray wrote: > > Robert Dugal wrote: > > Oops, you're right. I misstated what I'd like the draft to allow. > > What I'd like is the option to always send the SCSV in the > > ClientHello and on renegotiation requests send the SCSV + RI > > extension in the ClientHello. > > That certainly sounds like a reasonably minor change to make. Full agreement. > > I don't recall seeing anyone propose wording changes that would allow > such behavior, I can help you solve that problem: http://www.imc.org/ietf-tls/mail-archive/msg11082.html http://www.ietf.org/mail-archive/web/tls/current/msg05305.html I know how you feel, I'm having analogus problem with my memory, I can not remember anyone making a technical argument for this particular MUST NOT here. I already asked Pasi: http://www.ietf.org/mail-archive/web/tls/current/msg05401.html but he doesn't seem to recall anything either. > > Currently, the SCSV achieves its primary objective with a very simple > definition. It has "exactly the same semantics as an empty > 'renegotiation_info' extension". That seems to be a fairly simple copy&paste error, and can easily be fixed by simple wordsmithing. It is fairly common that an initially beautiful wording turns out to add unnecessary implementation complexity when the first implementors get at the code. That usually isn't a problem, since the IETF favours running code over wording in the spec. Implementors feedback is extremely valuable. > > Personally, I'd prefer that we don't propose (and re-propose) design > features at this point. We're discussing a simple implementation detail, it does not touch the design of the underlying architecture. > > If anyone sees a security flaw or attack against a correct > implementation of draft-ietf-tls-renegotiation-02, please please speak up. If anyone sees a security flaw or technical problem with dropping this MUST NOT, then please speak up. -Martin
- [TLS] Updated draft Eric Rescorla
- Re: [TLS] Updated draft Michael D'Errico
- Re: [TLS] Updated draft Robert Dugal
- Re: [TLS] Updated draft Marsh Ray
- Re: [TLS] Updated draft Robert Dugal
- Re: [TLS] Updated draft Eric Rescorla
- Re: [TLS] Updated draft Martin Rex
- Re: [TLS] Updated draft Marsh Ray
- Re: [TLS] Updated draft Martin Rex
- Re: [TLS] Updated draft Michael D'Errico
- Re: [TLS] Updated draft Stephen Farrell
- Re: [TLS] Updated draft Martin Rex
- Re: [TLS] Updated draft Martin Rex
- Re: [TLS] Updated draft Marsh Ray
- Re: [TLS] Updated draft Martin Rex
- Re: [TLS] Updated draft Michael D'Errico
- [TLS] SCSV vs RI when both specified. Was: Update… Marsh Ray
- Re: [TLS] SCSV vs RI when both specified. Was: Up… Martin Rex
- [TLS] Apologies Martin Rex
- Re: [TLS] Updated draft - editorial tom.petch
- Re: [TLS] Updated draft tom.petch
- Re: [TLS] Updated draft Marsh Ray
- Re: [TLS] Updated draft tom.petch
- Re: [TLS] Updated draft: Minor Edits peter.robinson