Re: [TLS] I-D Action: draft-ietf-tls-downgrade-scsv-03.txt
Martin Thomson <martin.thomson@gmail.com> Tue, 16 December 2014 00:49 UTC
Return-Path: <martin.thomson@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 956801A6ED8 for <tls@ietfa.amsl.com>; Mon, 15 Dec 2014 16:49:00 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id bavzhLG8_o00 for <tls@ietfa.amsl.com>; Mon, 15 Dec 2014 16:48:59 -0800 (PST)
Received: from mail-ob0-x232.google.com (mail-ob0-x232.google.com [IPv6:2607:f8b0:4003:c01::232]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3ACCF1A0364 for <tls@ietf.org>; Mon, 15 Dec 2014 16:48:59 -0800 (PST)
Received: by mail-ob0-f178.google.com with SMTP id gq1so20585425obb.9 for <tls@ietf.org>; Mon, 15 Dec 2014 16:48:58 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=12U/T2blHTq7zEkWan+9B6BIt9Y9zdY5NL9KkkehChw=; b=yekdfBp5yUG3su34mmWDyux2Hq49EuZ6ZRGlgXYM1ZR/SJjd3n8jGGTPy5xDrRoUvf Grd7CRxuUkH40UShyg6QIG0x3Z0K34YD/HY2V4xUqKqCGyYXZLXKdWDKot3g8AY/W+7S CDGcDjcmZQ252mbl6Yi3bfQNXu2kh1l/Xn2Na/YbpzwlBuIY6bK/ACSBXVKgxKD3E1op 1hvq4hxOWpk8/8t9gBikIstmLRqjD8/mJJDTnAu21Sx1u8nYVjuBmYE7Ruu+L0czcsQC uu5cyrNRDLLXjArQPx6Nj1J6v2jEMdm6S+sqTj8eH2O0NlsuNEWhVYEHzVuRwyjeOXkF AXVw==
MIME-Version: 1.0
X-Received: by 10.182.16.138 with SMTP id g10mr20656392obd.85.1418690938550; Mon, 15 Dec 2014 16:48:58 -0800 (PST)
Received: by 10.202.49.203 with HTTP; Mon, 15 Dec 2014 16:48:58 -0800 (PST)
In-Reply-To: <CAH8yC8nmrVKyz+v3EJgX48c00xqGzG1fq=ryc0aNP-vY28cKMw@mail.gmail.com>
References: <20141215214116.159171B085@ld9781.wdf.sap.corp> <548F56C8.70104@fifthhorseman.net> <CAH8yC8nmrVKyz+v3EJgX48c00xqGzG1fq=ryc0aNP-vY28cKMw@mail.gmail.com>
Date: Mon, 15 Dec 2014 16:48:58 -0800
Message-ID: <CABkgnnUJdHQnN-3J_ah4RsW81=ShTqoAYn5yRZ92nnq6Ksy4Pg@mail.gmail.com>
From: Martin Thomson <martin.thomson@gmail.com>
To: noloader@gmail.com
Content-Type: text/plain; charset="UTF-8"
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/TXllcyLx_OsMD0Q5HXsTY-2kqYc
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] I-D Action: draft-ietf-tls-downgrade-scsv-03.txt
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 16 Dec 2014 00:49:00 -0000
On 15 December 2014 at 16:42, Jeffrey Walton <noloader@gmail.com> wrote: > If browsers and other software want to downgrade in an insecure > fashion, then they are on their own. Don't placate them in their > efforts and weaken the system for everyone else. That's kinda the point of the draft. Let the server know so it has a choice in the matter. Browsers, as clients, have a choice about what TLS version they are willing to tolerate. With fallback, they signal that they are willing to speak to servers and only opportunistically reach the highest common version. That's weaker than the guarantee that TLS can provide, but it is their choice to do that. You can (and have) noted that this has drawbacks and maybe jump up and down in the hopes that this will change something. But it's not like the choice is made in a vacuum. Personally, I'm more concerned about the use of CBC modes than I am about version downgrades in the current environment.
- [TLS] I-D Action: draft-ietf-tls-downgrade-scsv-0… internet-drafts
- Re: [TLS] I-D Action: draft-ietf-tls-downgrade-sc… Martin Rex
- Re: [TLS] I-D Action: draft-ietf-tls-downgrade-sc… Daniel Kahn Gillmor
- Re: [TLS] I-D Action: draft-ietf-tls-downgrade-sc… Jeffrey Walton
- Re: [TLS] I-D Action: draft-ietf-tls-downgrade-sc… Martin Thomson
- Re: [TLS] I-D Action: draft-ietf-tls-downgrade-sc… Bodo Moeller
- Re: [TLS] I-D Action: draft-ietf-tls-downgrade-sc… Yuhong Bao