IETF Logo Mail Archive

Re: [TLS] AES and SSLv3 (was Re: Unfortunate current practices for HTTP

Tim Dierks <tim@dierks.org> Wed, 19 January 2011 19:30 UTC

Return-Path: <tdierks@gmail.com>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 48ECB3A71AD for <tls@core3.amsl.com>; Wed, 19 Jan 2011 11:30:30 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.976
X-Spam-Level:
X-Spam-Status: No, score=-2.976 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9c8StgL6xav3 for <tls@core3.amsl.com>; Wed, 19 Jan 2011 11:30:29 -0800 (PST)
Received: from mail-iy0-f172.google.com (mail-iy0-f172.google.com [209.85.210.172]) by core3.amsl.com (Postfix) with ESMTP id 2A4DB3A71A4 for <tls@ietf.org>; Wed, 19 Jan 2011 11:30:29 -0800 (PST)
Received: by iyi42 with SMTP id 42so1221232iyi.31 for <tls@ietf.org>; Wed, 19 Jan 2011 11:33:09 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:sender:in-reply-to:references:from :date:x-google-sender-auth:message-id:subject:to:cc:content-type; bh=bvSmWeZMKfPhiS1+PX58JZi2JImJ7JCM/UGXi1ztQf8=; b=ScaX4GCaHFIZJ9tTPcUEpDzrNSsIn+JvCn6wVOrI7rwsZMqFq+pmhQsKHD93kmavyY psTuyy/vhu7kBXVr8X92Uv53pTVG4O1mlhk76+Dc+pYZN5cM5eyqNnZNqvcbeLgLfHBq TffUfwzFJeoQGziM6ZN7pu5CO8ANjWL0UaJ5w=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:sender:in-reply-to:references:from:date :x-google-sender-auth:message-id:subject:to:cc:content-type; b=CS8woIYpAZtepTOFEZAX9tI6706wwGmYRp8Npw9jkC50hVYoghP36TQN18Zb0Wk6IB ntzoFVz6ePDBfPo+J+wytT4MagfQIK6RDJUzsR2mMShKCAcewDZd03Qa1UeFuRIUXtEe jAzTPJHCw4JRT4j3Lq3RpXboen4S6I8NHfLQE=
Received: by 10.231.39.67 with SMTP id f3mr1349313ibe.42.1295465566837; Wed, 19 Jan 2011 11:32:46 -0800 (PST)
MIME-Version: 1.0
Sender: tdierks@gmail.com
Received: by 10.231.59.200 with HTTP; Wed, 19 Jan 2011 11:32:26 -0800 (PST)
In-Reply-To: <201101191907.p0JJ723Z018557@fs4113.wdf.sap.corp>
References: <AANLkTikmrBGeBESXjkdZP4D7EA6Xoa=-+XpLbz2yFkSS@mail.gmail.com> <201101191907.p0JJ723Z018557@fs4113.wdf.sap.corp>
From: Tim Dierks <tim@dierks.org>
Date: Wed, 19 Jan 2011 14:32:26 -0500
X-Google-Sender-Auth: PfTcNNSxpyVG79_6eFS8SfXgWwM
Message-ID: <AANLkTi=UNkDRGHs3n3+UP0t4iQFpVk3Y2froctzo-DOP@mail.gmail.com>
To: mrex@sap.com
Content-Type: multipart/alternative; boundary="00032557635aee1c4a049a38149c"
Cc: tls@ietf.org
Subject: Re: [TLS] AES and SSLv3 (was Re: Unfortunate current practices for HTTP
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 19 Jan 2011 19:30:30 -0000

On Wed, Jan 19, 2011 at 2:07 PM, Martin Rex <mrex@sap.com> wrote:

> Tim Dierks wrote:
> >
> > He asserted SSL3/AES was not valid, but he didn't explain his rationale.
> >
> > Given that there is no standards-body ownership of SSL3, the correctness
> of
> > AES ciphersuites is a moot point. However, Postel's robustness principle
> > would tend to indicate that when a server selects such a ciphersuite, it
> > would be best for a client to play along, correct or not. I can't
> > immediately see any security reason why you'd be willing to negotiate
> SSL3,
> > but turn up your nose at an insufficiently blessed AES ciphersuite.
>
> I assume you're the one listed as "Tim Dirks, Consensus Development"  :)
>
>  as (co)author on the right top here:
>        http://tools.ietf.org/html/rfc2246
>  and potentially involved in the cipher suite interim registration here:
>        http://tools.ietf.org/html/draft-ietf-tls-protocol-02#page-51


"Dierks", but yes, that's no coincidence.


> The definition of cipher suites in the design of SSL and TLS is
> mostly orthogonal to the protocol version, and the change control
> was over the cipher suite registry was undoubtedly transferred
> to the TLS.  If cipher suites had ever been conceived to be
> protocol-version-specific, they would have partitioned the
> cipher suite code points.
>
> Quite obviously, the cipher suite registry was _NOT_ partitioned
> for TLSv1.0.  cipher suites were issued with no distinction whatsoever,
> so they were clearly meant to apply in a protocol-version-independent
> fashion, forwards and backwards.
>

I think I'm in a position of authority to say that we didn't seriously
consider the issue and there was no intention one way or the other about
whether newly-defined ciphersuites were valid in SSLv3 or not. Overlaps
needed to be excluded to avoid negotiation issues, but other than that, the
issue wasn't considered. That's why I say that arguments about what is
"correct" or not are really moot, because there's no actual standard that
specifies one way or the other.

 - Tim

v2.23.0 | Report a Bug | By Email