IETF Logo Mail Archive

Re: [TLS] simplistic renego protection

Eric Rescorla <ekr@networkresonance.com> Mon, 16 November 2009 11:33 UTC

Return-Path: <ekr@networkresonance.com>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id CAC1D3A6906 for <tls@core3.amsl.com>; Mon, 16 Nov 2009 03:33:07 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.495
X-Spam-Level:
X-Spam-Status: No, score=-0.495 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FH_RELAY_NODNS=1.451, HELO_MISMATCH_COM=0.553, RDNS_NONE=0.1]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZMdXO-Cr-TTD for <tls@core3.amsl.com>; Mon, 16 Nov 2009 03:33:07 -0800 (PST)
Received: from kilo.networkresonance.com (unknown [194.126.108.9]) by core3.amsl.com (Postfix) with ESMTP id BA5163A67CF for <tls@ietf.org>; Mon, 16 Nov 2009 03:33:06 -0800 (PST)
Received: from kilo.local (localhost [127.0.0.1]) by kilo.networkresonance.com (Postfix) with ESMTP id ED8DA69F8DC; Mon, 16 Nov 2009 13:34:24 +0200 (EET)
Date: Mon, 16 Nov 2009 13:34:24 +0200
From: Eric Rescorla <ekr@networkresonance.com>
To: mrex@sap.com
In-Reply-To: <200911161053.nAGAr1DS020959@fs4113.wdf.sap.corp>
References: <AC1CFD94F59A264488DC2BEC3E890DE5091A76B1@xmb-sjc-225.amer.cisco.com>
User-Agent: Wanderlust/2.15.5 (Almost Unreal) Emacs/22.3 Mule/5.0 (SAKAKI)
MIME-Version: 1.0 (generated by SEMI 1.14.6 - "Maruoka")
Content-Type: text/plain; charset="US-ASCII"
Message-Id: <20091116113424.ED8DA69F8DC@kilo.networkresonance.com>
Cc: tls@ietf.org
Subject: Re: [TLS] simplistic renego protection
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 16 Nov 2009 11:33:07 -0000

At Mon, 16 Nov 2009 11:53:00 +0100 (MET),
Martin Rex wrote:
> 
> Joseph Salowey wrote:
> > > 
> > > I really like to hear convincing arguments why we need the 
> > > TLS extension in the renegotiation handshake, and why 
> > > changing the definition for the handshake message hash 
> > > instead is not a superior alternative.  In particular one 
> > > that will grow naturally into future TLS revisions.
> > 
> > [Joe] TLS Extensions is the standard way to extend the protocol.  Using
> > the ciphersuite field as a means to change the base protocol is a new
> > extension mechanism.  I don't think this is a particularly good thing
> > for TLS to grow into.  I don't see a reason to define a new extension
> > mechanism when we can achieve what is necessary using the existing
> > mechanism.   When TLS 1.2+x is defined in the future then it can address
> > the renegotiation problem as necessary and the version field will signal
> > the underlying changes.   
> 
> 
> You do not seem to understand the TLS renegotiation problem at all.
>
> We are NOT supposed to extend TLSv1.2, we are supposed to FIX
> all protocol versions of TLS out there SSLv3->TLSv1.2.

Perhaps you should consider that other people have a different view of
the problem than you do. In particular, I don't think there is 
anything like consensus that we need to fix SSLv3, a protocol
which was never controlled by IETF--and in fact wasn't even
published by it as informational.


> Requiring people to implement generic TLS extensions, something
> that was completely undefined even for TLSv1.0 and is still optional
> in TLSv1.2, 

Not that it matters, but his is incorrect. TLS 1.2 requires extension
processing. See S 7.4.1 of RFC 5246:

   Servers MUST NOT send this extension.  TLS servers MUST support
   receiving this extension.


> only to fix something that has nothing to do with
> TLS extensions and can be fixed much more easily without TLS extensions
> is a pretty bad idea and poor engineering.

You're entitled to your opinion, of course, but I'm unconvinced.



> Think about the lines of code for a client:

I don't agree with your analysis of code complexity, but even if
you were correct the implementation effort is in any case so
minimal compared to the size of the deployment problem
that it strikes me as largely irrelevant. Moreover, we already
have implementations of RI, so the marginal implementation
effort is even lower compared to doing something new.

-Ekr

v2.23.0 | Report a Bug | By Email