Re: [TLS] What would be the point of removing signalling in TLS 1.3?
Bodo Moeller <bmoeller@acm.org> Thu, 26 November 2009 22:07 UTC
Return-Path: <SRS0=RRgI=HO=acm.org=bmoeller@srs.kundenserver.de>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 304333A6947 for <tls@core3.amsl.com>; Thu, 26 Nov 2009 14:07:42 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.215
X-Spam-Level:
X-Spam-Status: No, score=-102.215 tagged_above=-999 required=5 tests=[AWL=0.034, BAYES_00=-2.599, HELO_EQ_DE=0.35, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id L6fYDY7yp8fp for <tls@core3.amsl.com>; Thu, 26 Nov 2009 14:07:41 -0800 (PST)
Received: from moutng.kundenserver.de (moutng.kundenserver.de [212.227.126.186]) by core3.amsl.com (Postfix) with ESMTP id 36E843A689E for <tls@ietf.org>; Thu, 26 Nov 2009 14:07:41 -0800 (PST)
Received: from bmoeller-macbookpro.fritz.box (77-57-208-242.dclient.hispeed.ch [77.57.208.242]) by mrelayeu.kundenserver.de (node=mreu0) with ESMTP (Nemesis) id 0LfWft-1Ny3bh46BN-00p3c6; Thu, 26 Nov 2009 23:07:34 +0100
From: Bodo Moeller <bmoeller@acm.org>
To: Marsh Ray <marsh@extendedsubset.com>
In-Reply-To: <4B0EF1AB.8050506@extendedsubset.com>
References: <C734A556.6B8A%stefan@aaa-sec.com> <4B0EF1AB.8050506@extendedsubset.com>
Message-Id: <6A2B0911-C59D-4A11-94FA-713E46E89488@acm.org>
Content-Type: text/plain; charset="US-ASCII"; format="flowed"; delsp="yes"
Content-Transfer-Encoding: 7bit
Mime-Version: 1.0 (Apple Message framework v936)
Date: Thu, 26 Nov 2009 23:07:32 +0100
X-Mailer: Apple Mail (2.936)
X-Provags-ID: V01U2FsdGVkX1/pA8jcZZSibM775wLGuk1pYUK5VcnUPi3bBmS R3UJvdor0i4soUXF1KteWUT8jF4jMLW2A5yGBj8qOH5fGw0Ktc 19l7DHdrQ69jijvmob3gg==
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] What would be the point of removing signalling in TLS 1.3?
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 26 Nov 2009 22:07:42 -0000
On Nov 26, 2009, at 10:22 PM, Marsh Ray wrote: > Stefan Santesson wrote: >> If you fix the Finished message calculation, making it immune to the >> renegotiation attack, and making it the standard Finished >> calculation for >> 1.3.... Then why would you need to signal that you are using the >> standard >> Finished calculation? > > So that clients and servers can be upgraded over a period of time > without causing interoperability problems. There are more than two ways how to treat signaling (how to signal that a new Finished computation should be used) with respect to future protocol versions, i.e., TLS 1.3 and later: - The specifications could mandate keeping the explicit signal even with TLS 1.3+. - The specifications could require an explicit signal only for those TLS 1.3+ implementations that do offer backwards compatibility with earlier protocol versions (i.e., if the *negotiated* protocol version is TLS 1.3 or later, that would imply that the new Finished computation should be used). - The specifications could require an explicit signal only for implementations that don't announce TLS 1.3+ (i.e., if the *requested* protocol version is TLS 1.3+, that would imply that the new Finished computation should be used). Stefan's proposal in the original message, it seems, was the third variant. David's comment suggested that because of the complexity that comes with that variant, we should stick to the first one (and always keep signaling). That's not implied, though. The second variant makes a lot of sense to me -- it's just not something that the current specification would or should have to say a final word on: that's best left to the TLS 1.3 specification. Bodo
- Re: [TLS] Verify data in the RI extension? Stefan Santesson
- [TLS] Avoiding first use of RI in ClientHello Eric Rescorla
- Re: [TLS] Avoiding first use of RI in ClientHello Stefan Santesson
- Re: [TLS] Avoiding first use of RI in ClientHello Dr Stephen Henson
- Re: [TLS] Avoiding first use of RI in ClientHello Robert Relyea
- Re: [TLS] Avoiding first use of RI in ClientHello Eric Rescorla
- Re: [TLS] Avoiding first use of RI in ClientHello Yngve N. Pettersen (Developer Opera Software ASA)
- Re: [TLS] Avoiding first use of RI in ClientHello peter.robinson
- Re: [TLS] Avoiding first use of RI in ClientHello Min Huang
- Re: [TLS] Verify data in the RI extension? Yoav Nir
- Re: [TLS] Avoiding first use of RI in ClientHello Pasi.Eronen
- Re: [TLS] Avoiding first use of RI in ClientHello Pasi.Eronen
- [TLS] Verify data in the RI extension? Stefan Santesson
- Re: [TLS] Verify data in the RI extension? Stefan Santesson
- Re: [TLS] Avoiding first use of RI in ClientHello Eric Rescorla
- [TLS] Perhaps there's another way. Was: Verify da… Marsh Ray
- Re: [TLS] Perhaps there's another way. Was: Verif… Dr Stephen Henson
- Re: [TLS] Avoiding first use of RI in ClientHello Stefan Santesson
- [TLS] What would be the point of removing signall… David-Sarah Hopwood
- Re: [TLS] Perhaps there's another way. Was: Verif… Marsh Ray
- Re: [TLS] Perhaps there's another way. Was: Verif… Dr Stephen Henson
- Re: [TLS] What would be the point of removing sig… Stefan Santesson
- Re: [TLS] What would be the point of removing sig… Marsh Ray
- Re: [TLS] What would be the point of removing sig… Bodo Moeller
- Re: [TLS] Perhaps there's another way. Was: Verif… Nelson B Bolyard
- Re: [TLS] What would be the point of removing sig… Nelson B Bolyard
- Re: [TLS] What would be the point of removing sig… Stefan Santesson
- Re: [TLS] Verify data in the RI extension? Pasi.Eronen
- Re: [TLS] Verify data in the RI extension? Simon Josefsson
- Re: [TLS] Verify data in the RI extension? Stefan Santesson
- Re: [TLS] Verify data in the RI extension? Pasi.Eronen
- Re: [TLS] Verify data in the RI extension? Pasi.Eronen
- Re: [TLS] Verify data in the RI extension? Martin Rex
- Re: [TLS] Verify data in the RI extension? Nikos Mavrogiannopoulos
- Re: [TLS] Verify data in the RI extension? Stefan Santesson
- Re: [TLS] Verify data in the RI extension? Eric Rescorla
- Re: [TLS] Verify data in the RI extension? Stefan Santesson
- Re: [TLS] Verify data in the RI extension? Eric Rescorla
- Re: [TLS] Verify data in the RI extension? Martin Rex
- Re: [TLS] Verify data in the RI extension? Eric Rescorla
- Re: [TLS] Verify data in the RI extension? Martin Rex
- Re: [TLS] Verify data in the RI extension? Martin Rex
- Re: [TLS] Verify data in the RI extension? Martin Rex
- Re: [TLS] Verify data in the RI extension? Stefan Santesson
- Re: [TLS] Verify data in the RI extension? Eric Rescorla
- Re: [TLS] Verify data in the RI extension? Eric Rescorla
- Re: [TLS] Verify data in the RI extension? Martin Rex
- Re: [TLS] Verify data in the RI extension? Eric Rescorla
- Re: [TLS] Verify data in the RI extension? Martin Rex
- Re: [TLS] Verify data in the RI extension? Martin Rex
- Re: [TLS] Verify data in the RI extension? Pasi.Eronen
- Re: [TLS] Verify data in the RI extension? Martin Rex
- Re: [TLS] Verify data in the RI extension? Eric Rescorla
- Re: [TLS] Verify data in the RI extension? Martin Rex
- Re: [TLS] Verify data in the RI extension? Pasi.Eronen
- Re: [TLS] Avoiding first use of RI in ClientHello Bodo Moeller
- Re: [TLS] Verify data in the RI extension? Bodo Moeller
- Re: [TLS] Verify data in the RI extension? Michael D'Errico
- Re: [TLS] What would be the point of removing sig… David-Sarah Hopwood
- Re: [TLS] What would be the point of removing sig… David-Sarah Hopwood
- Re: [TLS] What would be the point of removing sig… David-Sarah Hopwood
- Re: [TLS] Verify data in the RI extension? David-Sarah Hopwood
- Re: [TLS] Verify data in the RI extension? Michael D'Errico
- Re: [TLS] Verify data in the RI extension? David-Sarah Hopwood
- Re: [TLS] Verify data in the RI extension? Michael D'Errico
- Re: [TLS] Verify data in the RI extension? David-Sarah Hopwood
- Re: [TLS] Verify data in the RI extension? Bodo Moeller
- Re: [TLS] What would be the point of removing sig… Bodo Moeller
- Re: [TLS] Verify data in the RI extension? Michael D'Errico
- Re: [TLS] Verify data in the RI extension? Michael D'Errico
- Re: [TLS] Verify data in the RI extension? David-Sarah Hopwood
- Re: [TLS] Verify data in the RI extension? Marsh Ray
- Re: [TLS] Verify data in the RI extension? Stefan Santesson
- Re: [TLS] Verify data in the RI extension? Yoav Nir