IETF Logo Mail Archive

Re: [TLS] Last Call: <draft-ietf-tls-downgrade-scsv-03.txt> (TLS Fallback Signaling Cipher Suite Value (SCSV) for Preventing Protocol Downgrade Attacks) to Proposed Standard

Dave Garrett <davemgarrett@gmail.com> Fri, 23 January 2015 00:19 UTC

Return-Path: <davemgarrett@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CB0061A8A72 for <tls@ietfa.amsl.com>; Thu, 22 Jan 2015 16:19:10 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zmybbK1lWmIO for <tls@ietfa.amsl.com>; Thu, 22 Jan 2015 16:18:59 -0800 (PST)
Received: from mail-qa0-x22b.google.com (mail-qa0-x22b.google.com [IPv6:2607:f8b0:400d:c00::22b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8DAB51A19F8 for <tls@ietf.org>; Thu, 22 Jan 2015 16:18:59 -0800 (PST)
Received: by mail-qa0-f43.google.com with SMTP id v10so3766524qac.2 for <tls@ietf.org>; Thu, 22 Jan 2015 16:18:58 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=from:to:subject:date:user-agent:cc:references:in-reply-to :mime-version:content-type:content-transfer-encoding:message-id; bh=eEp5tZV9TGzvafwpVGs9GEAzS5aGAvLqR0dGl6wA6TY=; b=U6oZrrozCzMrXN1aO+eEeUqeR+eliBrufRNPeZ9vD/njT0DR0jJynCwPRZXA8m9KnJ AmRXayr9HtsaNtJRDJRshAcRF2SXqpDvuErC5D2WgeL0rPh2xkuiJYQtlR0mewummWju STcY+Cpum9QgkICRR7RJn2BJRIeZiwFrzo6/6ke/QIxPEYSfoThIF5qL4buvzDeY56LE K+hxShf0sDlZ0Otkj2yNk5toeACVY8OJUwh0N7gM4KKP8ctjNpmRTPRtn7yKo317i+jC ULaJOyCsL/zBQ8cmYMvuBvCtEEarkJuvWOaUzewEtXyjxT25AMqCvXo1ZclhZSi0Fte2 lrMA==
X-Received: by 10.224.2.71 with SMTP id 7mr8653665qai.94.1421972338863; Thu, 22 Jan 2015 16:18:58 -0800 (PST)
Received: from dave-laptop.localnet ([96.245.56.59]) by mx.google.com with ESMTPSA id q78sm4800889qgq.5.2015.01.22.16.18.58 (version=TLSv1 cipher=RC4-SHA bits=128/128); Thu, 22 Jan 2015 16:18:58 -0800 (PST)
From: Dave Garrett <davemgarrett@gmail.com>
To: tls@ietf.org
Date: Thu, 22 Jan 2015 19:18:56 -0500
User-Agent: KMail/1.13.5 (Linux/2.6.32-70-generic-pae; KDE/4.4.5; i686; ; )
References: <40128f312378442fbd26459bf5d7593b@usma1ex-dag1mb2.msg.corp.akamai.com> <39B8BC24-D539-456F-970B-B11665B0E892@gmail.com> <54C0B783.2060604@metaparadigm.com>
In-Reply-To: <54C0B783.2060604@metaparadigm.com>
MIME-Version: 1.0
Content-Type: Text/Plain; charset="windows-1252"
Content-Transfer-Encoding: 7bit
Message-Id: <201501221918.56994.davemgarrett@gmail.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/PonbGgcO1OZ2jWuGkGEDbETL7h0>
Subject: Re: [TLS] Last Call: <draft-ietf-tls-downgrade-scsv-03.txt> (TLS Fallback Signaling Cipher Suite Value (SCSV) for Preventing Protocol Downgrade Attacks) to Proposed Standard
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 23 Jan 2015 00:19:11 -0000

On Thursday, January 22, 2015 03:40:35 am Michael Clark wrote:
> = TLSv1.3 implementations could remove SSLv3.0 support such that
>   the minimum TLS record layer version for TLS 1.3 is 1.0 { 3, 1 }
>   instead of { 3, 0 } which is mentioned in the Appendix as a
>   "typical value" and the maximum "message layer" version a server
>   accepts is specified as { 3, XX }. A TLSv1.2 client could send
>   { 3, 1 } { 3, 3 } and a TLSv1.3 client would send { 3, 1 } { 3, 4 }
>   in its ClientHello to support TLSv1.0 through TLSv1.2/3. This accords
>   with protocol major/minor best practices for binary changes and
>   backwards compatibility. i.e. no binary incompatible changes in minor
>   versions. Just raise non-compliance with Appendix E.1 as a bug.
[...]
> The core issue is Appendix E does not make explicit a protocol version
> deprecation mechanism. It seems TLSv1.3 { 3, 4 } should specify a
> lower bound of { 3, 1 } for the record layer TLS version in the
> ClientHello as they are the same major version (in reality).
> The fact that SSLv3.0 has partial record layer binary compatibility
> is a red herring. We should notionally subtract { 2, 1 }.
> SSLv3.0 is past the used by date.

I have PRs to deal with this area in TLS 1.3 still pending a decision. The 
current version is the consensus from the previous discussion on the topic.

https://github.com/tlswg/tls13-spec/pull/105
https://github.com/tlswg/tls13-spec/pull/107

The changes are to prohibit SSL negotiation, drop SSL2 hello format 
documentation, freeze record layer hello version to 3.1, as well as other 
editorial improvements.

I haven't heard back from ekr in a couple weeks.


Dave

v2.23.0 | Report a Bug | By Email