Re: [TLS] Call for acceptance of draft-moeller-tls-downgrade-scsv

Adam Langley <agl@google.com> Tue, 28 January 2014 20:43 UTC

From: Adam Langley <agl@google.com>
Date: Tue, 28 Jan 2014 15:43:30 -0500
Message-ID: <CAL9PXLxTY5-EgLUkVFsuw126sUar503nH+gYjb546ArHgm=QQw@mail.gmail.com>
To: Watson Ladd <watsonbladd@gmail.com>
Content-Type: text/plain; charset="UTF-8"
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Call for acceptance of draft-moeller-tls-downgrade-scsv
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>

On Tue, Jan 28, 2014 at 3:38 PM, Watson Ladd <watsonbladd@gmail.com> wrote:
> No, that isn't the concern Mr. Popov expresses. The concern is that
> the TLS 1.2 supporting server thinks it supports TLS 1.2 but actually
> doesn't. Then the fallback to TLS 1.0 fails instead of succeeding,
> because it's a fallback that is unnecessary according to the server.

Ah, I see.

It's certainly possible that clients that are currently doing a
fallback because of a middle box will stop working because of this
SCSV, yes. It won't be clear how big a problem this is until Chrome 33
rolls out.

If we get a good population of clients with this SCSV however, servers
that add support for it and need fallbacks should find any problems in
testing.

There might be areas of TLS 1.2 that the population of SCSV-enabled
clients doesn't test, and bad servers could grow in that space. That's
also the case today.

Cheers,

AGL
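The exchange above turns on one server-side rule from the draft: a server that implements the downgrade SCSV refuses a ClientHello that carries TLS_FALLBACK_SCSV with a client_version below the server's own highest version, answering with an inappropriate_fallback alert. The following is an added example, not code from the thread, from Chrome or from the draft's authors, that models that rule together with a client doing the retry-with-lower-version dance so the two cases discussed can be walked through: a genuinely old server that needs the fallback (accepted), and the case Watson Ladd raises, a server that really does speak TLS 1.2 but sits behind a middlebox that drops TLS 1.2 ClientHellos, so the client's fallback is rejected by the server's SCSV check. The server model, the "middlebox" and "version intolerant" conditions, and the single placeholder cipher suite are constructed for illustration; the SCSV value 0x5600 is the one assigned in the draft, and version numbers are the TLS wire values.

```python
# Added example: a toy model of the draft-moeller-tls-downgrade-scsv server
# check and of a client that retries with lower versions. Not the draft's or
# Chrome's code; the Server/middlebox conditions below are constructed.
from dataclasses import dataclass

# TLS wire versions (major, minor); tuple ordering gives version ordering.
TLS_1_0 = (3, 1)
TLS_1_1 = (3, 2)
TLS_1_2 = (3, 3)

TLS_FALLBACK_SCSV = 0x5600             # signalling suite from the draft
TLS_RSA_WITH_AES_128_CBC_SHA = 0x002F  # one real suite, stands in for the list


class InappropriateFallback(Exception):
    """Models the inappropriate_fallback alert sent by an SCSV-aware server."""


@dataclass
class Server:
    max_version: tuple            # highest version the server implements
    implements_scsv: bool         # whether it performs the draft's check
    version_intolerant: bool      # constructed: drops hellos above max_version


def server_hello(server: Server, client_version: tuple, cipher_suites) -> tuple:
    """Return the negotiated version, or raise InappropriateFallback.

    The draft's rule: if TLS_FALLBACK_SCSV is present and client_version is
    lower than the server's highest supported version, the client has fallen
    back for no reason the server knows about, so the hello is refused.
    A server that does not implement the SCSV simply ignores the unknown suite."""
    if server.implements_scsv and TLS_FALLBACK_SCSV in cipher_suites:
        if client_version < server.max_version:
            raise InappropriateFallback(
                f"client offered {client_version} with SCSV, server max is {server.max_version}")
    return min(server.max_version, client_version)


def client_connect(server: Server, middlebox_breaks_tls12: bool):
    """Model a client that tries TLS 1.2 first and, on a failed attempt,
    retries with the next lower version, adding TLS_FALLBACK_SCSV to every
    retry. Returns ("ok", version), ("inappropriate_fallback", version) or
    ("failed", None).

    middlebox_breaks_tls12 is a constructed condition: a device in the path
    drops any TLS 1.2 ClientHello although the real server supports TLS 1.2."""
    for attempt, version in enumerate([TLS_1_2, TLS_1_1, TLS_1_0]):
        suites = [TLS_RSA_WITH_AES_128_CBC_SHA]
        if attempt > 0:
            suites.append(TLS_FALLBACK_SCSV)  # only retries carry the SCSV
        # Conditions under which the hello never gets a usable answer and the
        # client times out and moves on to the next lower version.
        if middlebox_breaks_tls12 and version == TLS_1_2:
            continue
        if server.version_intolerant and version > server.max_version:
            continue
        try:
            return ("ok", server_hello(server, version, suites))
        except InappropriateFallback:
            return ("inappropriate_fallback", version)
    return ("failed", None)


if __name__ == "__main__":
    print("healthy TLS 1.2 server:",
          client_connect(Server(TLS_1_2, True, False), False))
    print("old, version-intolerant server that needs fallback:",
          client_connect(Server(TLS_1_0, True, True), False))
    print("TLS 1.2 server behind a TLS 1.2-dropping middlebox, SCSV on:",
          client_connect(Server(TLS_1_2, True, False), True))
    print("same middlebox, server without SCSV support:",
          client_connect(Server(TLS_1_2, False, False), True))
```

The third case is the one in the quoted concern: the server is right that it supports TLS 1.2, the client is right that TLS 1.2 did not work, and the SCSV check turns what used to be a silent downgrade to TLS 1.1 into a hard failure. The fourth case shows why the breakage only appears once servers deploy the check, which is what the reply's "find any problems in testing" refers to.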