IETF Logo Mail Archive

Re: [TLS] Working Group Last Call fordraft-ietf-tls-downgrade-scsv-00

Brian Smith <brian@briansmith.org> Tue, 21 October 2014 20:42 UTC

Return-Path: <brian@briansmith.org>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 438721A6FB1 for <tls@ietfa.amsl.com>; Tue, 21 Oct 2014 13:42:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.978
X-Spam-Level:
X-Spam-Status: No, score=-1.978 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id m2zKy6crNYfT for <tls@ietfa.amsl.com>; Tue, 21 Oct 2014 13:42:47 -0700 (PDT)
Received: from mail-oi0-f53.google.com (mail-oi0-f53.google.com [209.85.218.53]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AF5A81A6FE0 for <tls@ietf.org>; Tue, 21 Oct 2014 13:42:47 -0700 (PDT)
Received: by mail-oi0-f53.google.com with SMTP id v63so1635587oia.40 for <tls@ietf.org>; Tue, 21 Oct 2014 13:42:47 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=FqQj9wVXOOCZWi/zLxAVmX0o1SQEs+Ad9UsYDlkoggU=; b=QHukTw596LtLrp0aBnyyXpdZO9ONNbYiDhT3LX7v8u2k9uurRKQq+sY+mx7Y7ZBKq+ teWDBsVSapeWAy9pXhP3Z63ZMKCqbqhdC1Og1U37PyqbXfV+igxrP+dpSpNi4Z27CKUv TT/Ka+hh9pPIuswk7jKAnZ6K44ahW24UdtV0NMsx8Uj9w/p5BeqYrOmiEX5AY1GPJSlW aPpAnyFAPvnhjTzcNN8sNLHf5K1oDSVHxUvQX3qAlvr1Lqrdwz7MDwTSNoMhkrFKmbc1 yIBd+Xsc3SlSvANvC/1aNXHKW9U82E9xQKtYppPL3raXX59Y7XXdAdLeattGJzVRXRSc NVDA==
X-Gm-Message-State: ALoCoQlDiiRIvCNVs6vpJ5DBgLA0oThA4lK1swmT0Bf1qitxWu80nICxc2lJIae8ICZFdMQ6wlGy
MIME-Version: 1.0
X-Received: by 10.60.74.137 with SMTP id t9mr6071344oev.34.1413924167031; Tue, 21 Oct 2014 13:42:47 -0700 (PDT)
Received: by 10.76.93.9 with HTTP; Tue, 21 Oct 2014 13:42:46 -0700 (PDT)
In-Reply-To: <20141021100324.GA12704@LK-Perkele-VII>
References: <543F9893.806@redhat.com> <543FA0A0.1030205@polarssl.org> <543FCAED.50502@redhat.com> <543FCC90.7020408@polarssl.org> <1413468247.17221.8.camel@dhcp-2-127.brq.redhat.com> <CADMpkcLf+p5J600gueqzKec4nKuo78Xrr-auW+fyapuqM13Z4w@mail.gmail.com> <1413805668.2597.10.camel@dhcp-2-127.brq.redhat.com> <CABkgnnVzzzLMCcMrUs0QcH1A+RBCgr3qM7bFW339oL7sg2mfqw@mail.gmail.com> <CAFewVt6Khb4CCK4TbyG-D2oO1z=MrwuWSGgwhT98CRMaZ9iM0A@mail.gmail.com> <54462E27.30607@comodo.com> <20141021100324.GA12704@LK-Perkele-VII>
Date: Tue, 21 Oct 2014 13:42:46 -0700
Message-ID: <CAFewVt4TRBqdjBs5wsYXEKT0EPJ9Ghndmcm9XbU07E9gWdWKsQ@mail.gmail.com>
From: Brian Smith <brian@briansmith.org>
To: Ilari Liusvaara <ilari.liusvaara@elisanet.fi>
Content-Type: multipart/alternative; boundary="001a113439aab7339e0505f4df8e"
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/KmgtUfGsD_JaDLZoBXtlh0oOvlE
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Working Group Last Call fordraft-ietf-tls-downgrade-scsv-00
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 21 Oct 2014 20:42:49 -0000

On Tue, Oct 21, 2014 at 3:03 AM, Ilari Liusvaara <
ilari.liusvaara@elisanet.fi> wrote:

> On Tue, Oct 21, 2014 at 10:57:59AM +0100, Rob Stradling wrote:
> >
> > How about negotiating TLS 1.3 using yet another new SCSV?
> >
> > Yes, I know, that'd be even more of a hack than negotiating TLS 1.3 with
> a
> > new extension.  But since server-side support for extensions is optional,
> > and since there are servers out there that are extension-intolerant, I
> > figured I should at least suggest the idea.  ;-)
>
> One needs extensions anyway in order to transport data required for
> TLS 1.3 handshake (groups supported and key shares for subset of those).
>

 Yes, and also more fundamental things like the server_name and
status_request extensions. I think after TLS_FALLBACK_SCSV, we should avoid
new SCSVs.

Cheers,
Brian

v2.23.0 | Report a Bug | By Email