Re: [TLS] 2nd WGLC: draft-ietf-tls-downgrade-scsv
Bodo Moeller <bmoeller@acm.org> Wed, 26 November 2014 09:36 UTC
Return-Path: <bmoeller@acm.org>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 852001A86EE for <tls@ietfa.amsl.com>; Wed, 26 Nov 2014 01:36:05 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.262
X-Spam-Level:
X-Spam-Status: No, score=-0.262 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FM_FORGED_GMAIL=0.622, HELO_EQ_DE=0.35, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_SOFTFAIL=0.665] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3NHo8xwxEkCk for <tls@ietfa.amsl.com>; Wed, 26 Nov 2014 01:36:02 -0800 (PST)
Received: from mout.kundenserver.de (mout.kundenserver.de [212.227.126.131]) (using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 191BA1A702F for <tls@ietf.org>; Wed, 26 Nov 2014 01:36:01 -0800 (PST)
Received: from mail-ob0-f182.google.com (mail-ob0-f182.google.com [209.85.214.182]) by mrelayeu.kundenserver.de (node=mreue007) with ESMTP (Nemesis) id 0MDa6j-1XhC8B0MST-00GqSQ; Wed, 26 Nov 2014 10:35:58 +0100
Received: by mail-ob0-f182.google.com with SMTP id m8so1888514obr.13 for <tls@ietf.org>; Wed, 26 Nov 2014 01:35:54 -0800 (PST)
MIME-Version: 1.0
X-Received: by 10.182.79.10 with SMTP id f10mr19845426obx.4.1416994554664; Wed, 26 Nov 2014 01:35:54 -0800 (PST)
Received: by 10.60.32.42 with HTTP; Wed, 26 Nov 2014 01:35:54 -0800 (PST)
In-Reply-To: <8FB8D433-184E-41DA-8DBD-E929B9E8E9C2@ieca.com>
References: <8FB8D433-184E-41DA-8DBD-E929B9E8E9C2@ieca.com>
Date: Wed, 26 Nov 2014 10:35:54 +0100
Message-ID: <CADMpkcJWWfEQG-RTAJx-CPr3AONDFO1Bz2FK9RfH2gQsyvEYPw@mail.gmail.com>
From: Bodo Moeller <bmoeller@acm.org>
To: "tls@ietf.org" <tls@ietf.org>
Content-Type: multipart/alternative; boundary="047d7b2e40141460ef0508bfc1a7"
X-Provags-ID: V02:K0:XiTXdvJL3X1Tlot/HRPsFlpwW47c/P23mHfRWUPaWxl V/jm5W9MVfOSWQOhAAyp56l7c3skoAEz9Z3ZjE55Q0UXjxzUor 1edi/IecCt8NTICByTBjS709AkvRc3e0S1oVvNZdxRyYMD48G3 Cy5tnrWwb5+mLqsAYgE6Yk/2TzBYvLLkpQKEVfAZCnhU3Vyxc2 3V5ZjnWP0UDJKfkUW1MPoxrm8DgUSnE25AdMJ1YFmNdJVA2DLs +P8gYX44+L8EmAefaZC+bez3ZoHs8MGoOuajsUxNuPk6nV3lLx IacYuukmWWZJBUbgrM/P1nl48ZpS+rZoRemaYm4o7aD9QKffpi eSRzsuDj8kIMN8YnuHd44RCmijq0R6XS8dh0UUhKUtOSVfba68 e896PrqEDeG6lqHrhmdh/Yrj5uJoRqLXJ06oUWYBtTB93PTmnF DCc4t
X-UI-Out-Filterresults: notjunk:1;
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/NOH1TR1caLyhxQsH62JqOjs-zZo
Subject: Re: [TLS] 2nd WGLC: draft-ietf-tls-downgrade-scsv
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 26 Nov 2014 09:36:05 -0000
Sean Turner <turners@ieca.com>: This message initiates the 2nd WGLC for draft-ietf-tls-downgrade-scsv-02. > Please review the document and send your comments to the list by Friday, > December 12, 2014. > > [...] The scope of this WGLC is however limited to making sure that the > text that has been added represents WG consensus. For example, rehashing > whether the documented solution should use an extension or cipher suite is > not in scope of this review. > The relevant part from the IETF-91 minutes ( http://www.ietf.org/proceedings/91/minutes/minutes-91-tls) Downgrading SCSV Very close to finished with WG LC Martin Thompson: still questions of how the step-by-step is done Maybe specify what version you tried and failed Andrei Popov: Would like this to be an extension Ekr (Eric Rescorla): There are only a few things, so we can just make a few SCSV Martin: Already shipped, and is willing to live with the current limitations Ekr: Are we going to break IE if we support this? That would suck Andrei: Can live with the current draft Martin: Their numbers show the step-by-step is stupid Joe Salowey: Will be another WG LC on this More people mentioned other weird cases The question of doing a step-by-step downgrade or not (as mentioned in the above) has come up on the list too: http://www.ietf.org/mail-archive/web/tls/current/msg14579.html http://www.ietf.org/mail-archive/web/tls/current/msg14591.html http://www.ietf.org/mail-archive/web/tls/current/msg14596.html As discussed there, trying protocol version in non-consecutive order isn't strictly disallowed by or impossible with draft-ietf-tls-downgrade-scsv-02, although I personally do think that it is a bad tradeoff and doing a step-by-step downgrade is not stupid -- see also https://www.ietf.org/jabber/logs/tls/2014-11-13.html: [19:13:16] <https://www.ietf.org/jabber/logs/tls/2014-11-13.html#19:13:16.934945> <Bodo Moeller> MIC: If the server does not support the SCSV and you fall back by accident (network glitch), falling back to TLS 1.1 is better than to TLS 1.0. As mentioned before, the point of draft-ietf-tls-downgrade-scsv-02 is not to specify that or how clients should be doing fallbacks (ideally, there'd never be a need to), since this involves moving targets -- broken servers --, and all fallback connection attempts will be equally useless with servers that are current and correct. The point of this specification is to provide a simple and easy-to-deploy mechanism to help avoid downgrade attacks *if* clients choose to fall back to improve interoperability with broken servers. A detailed discussion of whether and how to fall back necessarily depends on the deployment status of legacy servers with a specific application protocol, and so is subject to change across space and time, and much more complex than would be appropriate for draft-ietf-tls-downgrade-scsv-02. The UTA WG is considering to create a BCP document on the fallback dance; see http://www.ietf.org/proceedings/91/minutes/minutes-91-uta for details. Bodo
- [TLS] 2nd WGLC: draft-ietf-tls-downgrade-scsv Sean Turner
- Re: [TLS] 2nd WGLC: draft-ietf-tls-downgrade-scsv Bodo Moeller
- Re: [TLS] 2nd WGLC: draft-ietf-tls-downgrade-scsv Brian Smith
- Re: [TLS] 2nd WGLC: draft-ietf-tls-downgrade-scsv Martin Thomson
- Re: [TLS] 2nd WGLC: draft-ietf-tls-downgrade-scsv Martin Rex
- Re: [TLS] 2nd WGLC: draft-ietf-tls-downgrade-scsv Brian Smith
- Re: [TLS] 2nd WGLC: draft-ietf-tls-downgrade-scsv Bodo Moeller
- Re: [TLS] 2nd WGLC: draft-ietf-tls-downgrade-scsv Bodo Moeller