Re: [TLS] Quest for Unified Solution to TLS Renegotiation

Michael D'Errico <mike-list@pobox.com> Thu, 26 November 2009 00:23 UTC

DomainKey-Signature: a=rsa-sha1; c=nofws; d=pobox.com; h=message-id:date :from:mime-version:to:subject:references:in-reply-to :content-type:content-transfer-encoding; q=dns; s=sasl; b=BI5HmT 5Y7SHsYsBk4RmWvz3A/ypnrFNdNyg88zobjzoEU8CHz0t06dZ9yPBFnUMA22gx78 F1Eh+8Qx0ZPu5sa0hpZvkqCQNxllL07VPmCiAnkmkstriSTTcGOWlWLSprxsCE3m pn6f/Wr6uYXvT1/jLRjobsijognPHr0vHf3RM=
Message-ID: <4B0DCAE0.80907@pobox.com>
Date: Wed, 25 Nov 2009 16:25:04 -0800
From: Michael D'Errico <mike-list@pobox.com>
User-Agent: Thunderbird 2.0.0.23 (Macintosh/20090812)
MIME-Version: 1.0
To: TLS Working Group <tls@ietf.org>
References: <4B0D9B94.9080205@pobox.com> <20091125225408.42FB96C3288@kilo.networkresonance.com> <4B0DBB97.5050500@pobox.com> <20091125232446.24F2A6C32B0@kilo.networkresonance.com>
In-Reply-To: <20091125232446.24F2A6C32B0@kilo.networkresonance.com>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
Subject: Re: [TLS] Quest for Unified Solution to TLS Renegotiation
Precedence: list

Eric Rescorla wrote:
> Michael D'Errico wrote:
>> The complaint I have about sending the verify_data over the wire is
>> that that alone does not plug the hole.  You need to take the extra
>> step to check that it's correct, and a maintenance programmer not
>> intimately familiar with TLS might miss this fact.
> 
> I don't find this argument very compelling. There are all sorts of
> ways to screw up your TLS implementation that are worse than this
> and are difficult/impossible to detect from the other side. E.g.,
> 
> - Weak randomness
> - Failure to check buffers leading to buffer overflows
> - Failure to check certs


My position is:  if we can avoid adding another one to this list,
then we should.

Mike



> TLS relies throughout on the assumption that the other side is
> implemented more or less correctly. If we can't count on that,
> we have bigger problems than this issue.
> 
> -Ekr

[TLS] Quest for Unified Solution to TLS Renegotia… Michael D'Errico
Re: [TLS] Quest for Unified Solution to TLS Reneg… Marsh Ray
Re: [TLS] Quest for Unified Solution to TLS Reneg… Martin Rex
Re: [TLS] Quest for Unified Solution to TLS Reneg… Stefan Santesson
Re: [TLS] Quest for Unified Solution to TLS Reneg… Eric Rescorla
Re: [TLS] Quest for Unified Solution to TLS Reneg… Hovav Shacham
Re: [TLS] Quest for Unified Solution to TLS Reneg… Michael D'Errico
Re: [TLS] Quest for Unified Solution to TLS Reneg… Eric Rescorla
Re: [TLS] Quest for Unified Solution to TLS Reneg… Martin Rex
Re: [TLS] Quest for Unified Solution to TLS Reneg… Michael D'Errico
Re: [TLS] Quest for Unified Solution to TLS Reneg… Martin Rex
Re: [TLS] Quest for Unified Solution to TLS Reneg… Martin Rex
Re: [TLS] Quest for Unified Solution to TLS Reneg… Michael D'Errico
Re: [TLS] Quest for Unified Solution to TLS Reneg… David-Sarah Hopwood
Re: [TLS] Quest for Unified Solution to TLS Reneg… David-Sarah Hopwood
Re: [TLS] Quest for Unified Solution to TLS Reneg… David-Sarah Hopwood
Re: [TLS] Quest for Unified Solution to TLS Reneg… Martin Rex
Re: [TLS] Quest for Unified Solution to TLS Reneg… Martin Rex
Re: [TLS] Quest for Unified Solution to TLS Reneg… Yoav Nir
Re: [TLS] Quest for Unified Solution to TLS Reneg… David-Sarah Hopwood
Re: [TLS] Quest for Unified Solution to TLS Reneg… Martin Rex
Re: [TLS] Quest for Unified Solution to TLS Reneg… Blumenthal, Uri - 0662 - MITLL
Re: [TLS] Quest for Unified Solution to TLS Reneg… Blumenthal, Uri - 0662 - MITLL
Re: [TLS] Quest for Unified Solution to TLS Reneg… Martin Rex
Re: [TLS] Quest for Unified Solution to TLS Reneg… Blumenthal, Uri - 0662 - MITLL
Re: [TLS] Quest for Unified Solution to TLS Reneg… Marsh Ray
Re: [TLS] Quest for Unified Solution to TLS Reneg… David-Sarah Hopwood
Re: [TLS] Quest for Unified Solution to TLS Reneg… David-Sarah Hopwood
Re: [TLS] Quest for Unified Solution to TLS Reneg… Martin Rex
Re: [TLS] Quest for Unified Solution to TLS Reneg… Michael D'Errico
Re: [TLS] Quest for Unified Solution to TLS Reneg… David-Sarah Hopwood
Re: [TLS] Quest for Unified Solution to TLS Reneg… Martin Rex
Re: [TLS] Quest for Unified Solution to TLS Reneg… Michael D'Errico
Re: [TLS] Quest for Unified Solution to TLS Reneg… Martin Rex
Re: [TLS] Quest for Unified Solution to TLS Reneg… David-Sarah Hopwood
Re: [TLS] Quest for Unified Solution to TLS Reneg… Blumenthal, Uri - 0662 - MITLL
Re: [TLS] Quest for Unified Solution to TLS Reneg… David-Sarah Hopwood
Re: [TLS] Quest for Unified Solution to TLS Reneg… Stephen Farrell
Re: [TLS] Quest for Unified Solution to TLS Reneg… Yoav Nir
Re: [TLS] Quest for Unified Solution to TLS Reneg… Nelson B Bolyard
Re: [TLS] Quest for Unified Solution to TLS Reneg… Nelson B Bolyard
Re: [TLS] Quest for Unified Solution to TLS Reneg… Blumenthal, Uri - 0662 - MITLL
Re: [TLS] Quest for Unified Solution to TLS Reneg… Martin Rex
Re: [TLS] Quest for Unified Solution to TLS Reneg… David-Sarah Hopwood
Re: [TLS] Quest for Unified Solution to TLS Reneg… David-Sarah Hopwood
Re: [TLS] Quest for Unified Solution to TLS Reneg… Kyle Hamilton
Re: [TLS] Quest for Unified Solution to TLS Reneg… Eric Rescorla
Re: [TLS] Quest for Unified Solution to TLS Reneg… Blumenthal, Uri - 0662 - MITLL
Re: [TLS] Quest for Unified Solution to TLS Reneg… David-Sarah Hopwood