Re: [TLS] Please be specific: RI alone, RI with MCSV, or MCSV alone
Martin Rex <mrex@sap.com> Thu, 10 December 2009 21:22 UTC
Return-Path: <mrex@sap.com>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id E49D23A690F for <tls@core3.amsl.com>; Thu, 10 Dec 2009 13:22:59 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.193
X-Spam-Level:
X-Spam-Status: No, score=-6.193 tagged_above=-999 required=5 tests=[AWL=0.056, BAYES_00=-2.599, HELO_EQ_DE=0.35, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id I9UIR95c+8+M for <tls@core3.amsl.com>; Thu, 10 Dec 2009 13:22:59 -0800 (PST)
Received: from smtpde03.sap-ag.de (smtpde03.sap-ag.de [155.56.68.140]) by core3.amsl.com (Postfix) with ESMTP id C7A7B3A68C4 for <tls@ietf.org>; Thu, 10 Dec 2009 13:22:58 -0800 (PST)
Received: from mail.sap.corp by smtpde03.sap-ag.de (26) with ESMTP id nBALMk09018219 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO) for <tls@ietf.org>; Thu, 10 Dec 2009 22:22:46 +0100 (MET)
From: Martin Rex <mrex@sap.com>
Message-Id: <200912102122.nBALMjVq007470@fs4113.wdf.sap.corp>
Orig-To: paul.hoffman@vpnc.org (Paul Hoffman)
To: tls@ietf.org
Cc: tls@ietf.org
Date: Thu, 10 Dec 2009 21:50:16 +0100
In-Reply-To: <p062408c2c746ec9c71b9@[75.101.18.87]> from "Paul Hoffman" at Dec 10, 9 10:23:50 am
MIME-Version: 1.0
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 8bit
Sender: mrex@sap.com
X-Scanner: Virus Scanner virwal05
X-SAP: out
Subject: Re: [TLS] Please be specific: RI alone, RI with MCSV, or MCSV alone
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
Reply-To: mrex@sap.com
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 10 Dec 2009 21:23:00 -0000
Paul Hoffman wrote: > > While following the numerous threads, it seems that some people are > advocating adding MCSV to RI, while others are advocating RI by itself > (no MCSV), while others are advocating MCSV by itself (instead of RI). > > Can people please be more specific which proposal they are advocating? > It greatly affects the conversation. Thanks! Provided that we mean this: (1) RI by itself (no MCSV) = draft-rescorla-tls-renegotiation-00 (2) RI with MCSV = draft-ietf-tls-renegotiation-01 (3) MCSV (no RI) = draft-mrex-tls-secure-renegotiation-03 I'm firmly against (1) I prefer (3) I could live with (2) if the requirements for MSCV were tightened to be as non-disruptive as possible. I have been trying to explain what those requirements are. The overloaded semantics of TLS extension RI create special cases where some implementors have been advocating inappropriate behaviour for implementations in backwards interop scenarios. For some implementors, non-disruptive backwards interop provisions are familiar, and they _might_ get it right with as little guidance as draft-ietf-tls-renegotiation-01 currently provides if they've been following the discussion sleep over their implementation for several days and test it extensively. The discussion seems to indicate that even experienced implementers may get it wrong, and that some are much more eager to ship than to think about it and test. And if implementors need an extensions-intolerant server for testing -- that shouldn't be a problem, you can easily make one yourself; it is likely a simple 1-2 LoC change to your own code. ;-) -Martin
- [TLS] Please be specific: RI alone, RI with MCSV,… Paul Hoffman
- Re: [TLS] Please be specific: RI alone, RI with M… Marsh Ray
- Re: [TLS] Please be specific: RI alone, RI with M… Martin Rex
- Re: [TLS] Please be specific: RI alone, RI with M… Michael Gray
- Re: [TLS] Please be specific: RI alone, RI with M… Robert Relyea
- Re: [TLS] Please be specific: RI alone, RI with M… Nelson B Bolyard
- Re: [TLS] Please be specific: RI alone, RI with M… Yngve Nysaeter Pettersen