Re: [TLS] Please be specific: RI alone, RI with MCSV, or MCSV alone

[Martin Rex <mrex@sap.com>]

Paul Hoffman wrote:
> 
> While following the numerous threads, it seems that some people are
> advocating adding MCSV to RI, while others are advocating RI by itself
> (no MCSV), while others are advocating MCSV by itself (instead of RI).
> 
> Can people please be more specific which proposal they are advocating?
> It greatly affects the conversation. Thanks!

Provided that we mean this:

(1) RI by itself (no MCSV) = draft-rescorla-tls-renegotiation-00

(2) RI with MCSV = draft-ietf-tls-renegotiation-01

(3) MCSV (no RI) = draft-mrex-tls-secure-renegotiation-03


I'm firmly against (1)

I prefer (3)

I could live with (2) if the requirements for MSCV were tightened to be
as non-disruptive as possible.  I have been trying to explain what
those requirements are.  The overloaded semantics of TLS extension RI
create special cases where some implementors have been advocating
inappropriate behaviour for implementations in backwards interop
scenarios.


For some implementors, non-disruptive backwards interop provisions
are familiar, and they _might_ get it right with as little guidance
as draft-ietf-tls-renegotiation-01 currently provides if they've been
following the discussion sleep over their implementation for several
days and test it extensively.  The discussion seems to indicate that
even experienced implementers may get it wrong, and that some
are much more eager to ship than to think about it and test.


And if implementors need an extensions-intolerant server for testing
-- that shouldn't be a problem, you can easily make one yourself;
it is likely a simple 1-2 LoC change to your own code.  ;-)


-Martin