Re: [TLS] Metadiscussion on changes in draft-ietf-tls-renegotiation

Martin Rex <mrex@sap.com> Thu, 28 January 2010 14:37 UTC

Return-Path: <mrex@sap.com>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 76A253A67AC; Thu, 28 Jan 2010 06:37:11 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.249
X-Spam-Level:
X-Spam-Status: No, score=-10.249 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HELO_EQ_DE=0.35, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JzVEo1xaedOE; Thu, 28 Jan 2010 06:37:10 -0800 (PST)
Received: from smtpde01.sap-ag.de (smtpde01.sap-ag.de [155.56.68.171]) by core3.amsl.com (Postfix) with ESMTP id D38D63A68E3; Thu, 28 Jan 2010 06:37:09 -0800 (PST)
Received: from mail.sap.corp by smtpde01.sap-ag.de (26) with ESMTP id o0SEbPfj003515 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Thu, 28 Jan 2010 15:37:26 +0100 (MET)
From: Martin Rex <mrex@sap.com>
Message-Id: <201001281437.o0SEbOG9014103@fs4113.wdf.sap.corp>
To: Pasi.Eronen@nokia.com
Date: Thu, 28 Jan 2010 15:37:24 +0100 (MET)
In-Reply-To: <808FD6E27AD4884E94820BC333B2DB7758411DE69C@NOK-EUMSG-01.mgdnok.nokia.com> from "Pasi.Eronen@nokia.com" at Jan 28, 10 11:22:54 am
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 8bit
X-Scanner: Virus Scanner virwal06
X-SAP: out
Cc: ietf@ietf.org, tls@ietf.org
Subject: Re: [TLS] Metadiscussion on changes in draft-ietf-tls-renegotiation
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
Reply-To: mrex@sap.com
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 28 Jan 2010 14:37:11 -0000

Pasi.Eronen@nokia.com wrote:
> 
> Martin Rex wrote:
> 
> > I have never seen an IETF AD fight so passionately for the
> > addition of rfc-2119-violating and unreasonable imperatives into
> > a document such as Pasi is doing it now.
> 
> "Now"? "Addition"? 
> 
> I would like to remind you that version -01 of the document also 
> very clearly prohibited sending the SCSV in secure renegotiation
> ClientHello, and also used upper-case RFC 2119 keywords in that text.


It could be that we are refering to different versions of -01,
the one on tools.ietf.org doesn't have a MUST NOT send, and in
particular, it does not have a MUST abort when received.

If you think that there an implied MUST NOT in there -- I can see
explicit MUSTs to the contrary in -01 and more so in -02!



What to send on renegotiations has been returned to the WG as a
discussion item, and that is also reflected by a pair of [TODO:]
items in the document.


-01 also has the following:

   5. Requirements for Sending and Receiving


   TLS clients which support this draft MUST generate either the
   "renegotiation_info" extension or the TLS_RENEGO_PROTECTION_REQUEST
   cipher suite with every ClientHello.

which is _NOT_ limited to *initial* ClientHellos.


and -02 goes even further:

   5. Requirements for Sending and Receiving


   TLS clients which support this specification MUST generate either the
   "renegotiation_info" extension or the TLS_RENEGO_PROTECTION_REQUEST
   SCSV with every ClientHello, including ClientHellos where session
   resumption is being offered.

   TLS servers MUST support both the "renegotiation_info" extension and
   the TLS_RENEGO_PROTECTION_REQUEST SCSV.  TLS servers which support
   this specification MUST generate the "renegotiation_info" extension
   in the ServerHello in response to any client which offers either
   "renegotiation_info" or TLS_RENEGO_PROTECTION_REQUEST in the
   ClientHello. 






These are all of the MUST & MUST NOTs in -01 on tools.ietf.org:


   Upon receipt of the "renegotiation_info" extension, both client and
   server implementations which support the extension MUST verify that
   it contains the correct contents as specified above.  If the contents
   are incorrect, then it MUST generate a fatal "handshake_failure"
   alert and terminate the connection.

   Servers MUST treat receipt of TLS_RENEGO_PROTECTION_REQUEST exactly
   as if the client had sent an empty "renegotiation_info" extension and
   respond with their own "renegotiation_info" extension.


                                                 TLS implementations
   MUST continue to comply with 7.4.1.4 for all other extensions.
   Servers MUST NOT select this cipher suite in any handshake, as it
   does not correspond to any valid set of algorithms.


                          Clients which do support renegotiation MUST
   implement Section 3 as well.


                 TLS servers which support this draft MUST generate the
   "renegotiation_info" extension in the ServerHello in response to any
   client which offers either "renegotiation_info" or
   TLS_RENEGO_PROTECTION_REQUEST in the ClientHello.

   Existing implementations which do not support this extension are
   widely deployed and in general must interoperate with newer
   implementations which do support it. 


   If clients wish to ensure that such attacks are impossible, they MUST
   terminate the connection immediately upon failure to receive the
   extension without completing the handshake. 

   If servers wish to ensure that such attacks are impossible they MUST
   NOT allow clients who do not offer the "renegotiation_info" extension
   to renegotiate with them 


   By default, TLS implementations conforming to this document MUST
   verify that once the peer has been identified and authenticated
   within the TLS handshake, the identity does not change on subsequent
   renegotiations.  For certificate based cipher suites, this means
   bitwise equality of the end-entity certificate.  If the other end
   attempts to authenticate with a different identity, the renegotiation
   MUST fail.  If the server_name extension is used, it MUST NOT change
   when doing renegotiation.



-Martin