Re: [TLS] Heartbleed / protocol complexity

Watson Ladd <watsonbladd@gmail.com> Thu, 10 April 2014 01:44 UTC

Archived-At: http://mailarchive.ietf.org/arch/msg/tls/U_k4TXI826BvuyChvPSfKef4uJ0

On Wed, Apr 9, 2014 at 4:06 PM, Nico Williams <nico@cryptonector.com> wrote:
> On Wed, Apr 9, 2014 at 5:42 PM, Salz, Rich <rsalz@akamai.com> wrote:
>>> TLS has an ad-hoc IDL and encoding, and it IIUC doesn't adhere to its own conventions tightly enough that we could now standardize a compatible IDL+encoding and develop tooling for it.
>>
>> I wrote a parser for "TLS IDL" and posted it to the list.  There are a handful of corrections that need to be made in order for the definitions to match the defined syntax.  The biggest one being "ASN.1Cert" looks like a field name, not a type.  The posts are in the archives, if anyone cares.  I'll mail the code to anyone who cares.
>
> That's great news.  Can you say anything about my "IIUC" above?

Parsing an IDL isn't the problem. The problem is developing a
validated parser generator for the language which the IDL expresses.
The further problem is that the semantics of the Hello messages are
extremely ugly. Peter Gutmann compared it to ordering from a Chinese
menu at one point when discussing ECC ciphersuites, and I don't think
that's the only extension with that property.

Even if you succeed in parsing, the extensibility of TLS is (largely)
ridiculous. Security protocols and their implementations are part of
the TCB. They need to be simple.

Sincerely,
Watson Ladd



-- 
"Those who would give up Essential Liberty to purchase a little
Temporary Safety deserve neither Liberty nor Safety."
-- Benjamin Franklin