IETF Logo Mail Archive

Re: [TLS] Last Call: draft-ietf-tls-renegotiation (Transport Layer

Martin Rex <mrex@sap.com> Thu, 03 December 2009 01:31 UTC

Return-Path: <mrex@sap.com>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 322EB3A6822 for <tls@core3.amsl.com>; Wed, 2 Dec 2009 17:31:00 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.192
X-Spam-Level:
X-Spam-Status: No, score=-6.192 tagged_above=-999 required=5 tests=[AWL=0.057, BAYES_00=-2.599, HELO_EQ_DE=0.35, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id w7oTsbMe14Iy for <tls@core3.amsl.com>; Wed, 2 Dec 2009 17:30:59 -0800 (PST)
Received: from smtpde03.sap-ag.de (smtpde03.sap-ag.de [155.56.68.140]) by core3.amsl.com (Postfix) with ESMTP id 1F8713A6358 for <tls@ietf.org>; Wed, 2 Dec 2009 17:30:58 -0800 (PST)
Received: from mail.sap.corp by smtpde03.sap-ag.de (26) with ESMTP id nB31UkNv009028 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Thu, 3 Dec 2009 02:30:46 +0100 (MET)
From: Martin Rex <mrex@sap.com>
Message-Id: <200912030130.nB31UjDb000386@fs4113.wdf.sap.corp>
To: ekr@networkresonance.com
Date: Thu, 03 Dec 2009 02:30:45 +0100
In-Reply-To: <20091203010121.BB32F6C47FD@kilo.networkresonance.com> from "Eric Rescorla" at Dec 2, 9 05:01:21 pm
MIME-Version: 1.0
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 8bit
X-Scanner: Virus Scanner virwal05
X-SAP: out
Cc: tls@ietf.org
Subject: Re: [TLS] Last Call: draft-ietf-tls-renegotiation (Transport Layer
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
Reply-To: mrex@sap.com
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 03 Dec 2009 01:31:00 -0000

Eric Rescorla wrote:
> 
> At Thu, 3 Dec 2009 01:38:10 +0100 (MET), Martin Rex wrote:
> > 
> > Nelson B Bolyard wrote:
> > > > 
> > > > Hold on now, is there any reasonable interpretation of
> > > > draft-ietf-tls-renegotiation which "codifies the behavior of those
> > > > non-conformant servers"?
> > > 
> > > Any proposal which would have us send the "Magic Cipher Suite" *INSTEAD OF*
> > > (rather than in addition to) the RI extension is such an attempt.
> > > Such proposals now exist.
> > 
> > It is not the first of it's kind.
> > 
> > The first is called rfc-5246, which is at proposed standard for a year
> > and contains a broken TLS extensions definition called signature_algorithm,
> > where the Server _uses_ the extension but MUST NOT confirm its use
> > through ServerHello.
> 
> To be honest, I don't recall the discussion that led to us prohibiting
> the server from sending this extension at all, however I don't believe
> it was about codifying the behavior of nonconformant servers. Rather,
> (and my vague memory is that Pasi proposed this text so maybe he
> remembers better) it was that this was a signal from the client to the
> server and there was an existing method for the server to signal its
> preferences when it wanted a signature, so there didn't seem to be
> much point in the server sending anything back.
> 
> Note that I'm not saying this was necessarily the best design decision
> in the history of the universe, but I'm not sure why you're saying it's
> broken.

It breaks the negotiation architecture:
   C->S   (Extended)ClientHello
   S->C   (Extended)ServerHello

I think that this negotiation architecture is useful.

And I don't mind when MCSV is going to be the only cipher suite value
that is given the "I'm an extension" status for the forseeable future
(we do require WG consensus and IESG approval for this anyway).

What I do not like is an overly religious attitude that is against
the intention and spirit of TLS extension described by this
previously quoted statement from rfc-3546:

   Clients typically request the use of extensions via the extended
   client hello message described in Section 2.1.


Trying to avoid vagueness in a spec is OK, but the choice of very
restrictive wording in order to avoid vagueness might turn out to
be too restrictive for some real world requirements, and then
it is sometimes necessary to apply common sense and re-focus on
the intent behind a restriction and not hopelessly stick to the
words (that were chosen with a different mindset).


Too restrictive words for the "change of identities" during
renegotiation may also do a lot of harm.


-Martin

v2.23.0 | Report a Bug | By Email