IETF Logo Mail Archive

Re: [TLS] PR for anti-downgrade mechanism

Christian Huitema <huitema@microsoft.com> Tue, 10 November 2015 00:41 UTC

Return-Path: <huitema@microsoft.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B94721B29EA for <tls@ietfa.amsl.com>; Mon, 9 Nov 2015 16:41:43 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.002
X-Spam-Level:
X-Spam-Status: No, score=-2.002 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Sa5-ybDwC82e for <tls@ietfa.amsl.com>; Mon, 9 Nov 2015 16:41:39 -0800 (PST)
Received: from na01-bn1-obe.outbound.protection.outlook.com (mail-bn1on0728.outbound.protection.outlook.com [IPv6:2a01:111:f400:fc10::728]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4487A1B29E9 for <tls@ietf.org>; Mon, 9 Nov 2015 16:41:39 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=selector1; h=From:To:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=Anc5iSbuu+GmHH066raZHld0XxoUKtLL8N1rJJvPjNU=; b=Jv6lO0p0xahlF2mvZydp4/5rx2CqfwEREHbsjOiFX/fsqoEUBR1hqqZxSiY7wFsvopbMXTD2EkZhcPfxx8kkwbhtj1IvPrqwsefnH82a4mWxUsr0Tkl0P7tmFOQ/MjONgrD1kZZ5JH6GfKzHCjKIyduPSxwdqzfZyA5zu/yw3CI=
Received: from DM2PR0301MB0655.namprd03.prod.outlook.com (10.160.96.17) by DM2PR0301MB0653.namprd03.prod.outlook.com (10.160.96.15) with Microsoft SMTP Server (TLS) id 15.1.318.15; Tue, 10 Nov 2015 00:41:34 +0000
Received: from DM2PR0301MB0655.namprd03.prod.outlook.com ([10.160.96.17]) by DM2PR0301MB0655.namprd03.prod.outlook.com ([10.160.96.17]) with mapi id 15.01.0318.003; Tue, 10 Nov 2015 00:41:34 +0000
From: Christian Huitema <huitema@microsoft.com>
To: Eric Rescorla <ekr@rtfm.com>
Thread-Topic: [TLS] PR for anti-downgrade mechanism
Thread-Index: AQHRAo2XH3FLVO3qjUqf9pv0XfX2g55jwgYAgAAnWQCACqFpAIAAC9CAgAAJyQCAABn0AIAABjIAgACDCoCAAMyMgIAABv+AgAAA0ACAAAHkAIAAIPYAgAACZICAAATsAIAABXSAgAADTwCAAAEugIAAAhuAgAAAuACAAAv4AIACl4gAgAAIlACAACCMAIAhctoAgAAD/tCAAAeaAIAAAKgg
Date: Tue, 10 Nov 2015 00:41:34 +0000
Message-ID: <DM2PR0301MB065557FA191E0256A2E6BD27A8140@DM2PR0301MB0655.namprd03.prod.outlook.com>
References: <CABcZeBOB9mnQ8bLOCSysnx9LMv0hxrPCA21jTnxAMb3Yom_Aow@mail.gmail.com> <201510171708.16547.davemgarrett@gmail.com> <CABcZeBOzJkdjC-NnjPcHtoU_6rmEMPqj4Y7xKuA=CHZLT9r49w@mail.gmail.com> <201510171734.26589.davemgarrett@gmail.com> <CABcZeBNFvUN6KOpzGO5_tPU9dqbJ8q=k_CaqmkjeCR_hS2RCOg@mail.gmail.com> <20151017220548.GF15070@mournblade.imrryr.org> <CABcZeBPhmq+0k8gVs9FcZ6T-_SehqrWkL0BzkB5z8=DgXy1Saw@mail.gmail.com> <20151017221733.GG15070@mournblade.imrryr.org> <CABcZeBOew4DTOzj1Q=G9_o87SjH-hF85VWmz1U38P1WedjkuYg@mail.gmail.com> <20151017230257.GI15070@mournblade.imrryr.org> <84C5B67D-F236-4BFD-AA13-5CC13062B8C5@akamai.com> <CABcZeBMn9=H3A2EpQonB1rM5ApZ68hzdNHRQf6NOU+7C6_iiiA@mail.gmail.com> <CABkgnnVRO56392s068xeB_Lnn6qoVu_MBbwWRcKe=p8YPQ2RUw@mail.gmail.com> <CABcZeBNKetQrBbKR3pSOawg_OyTa8cHsHXjuAUq4Yu4F2d0tcA@mail.gmail.com> <DM2PR0301MB0655C9C3CD6063C093364C04A8140@DM2PR0301MB0655.namprd03.prod.outlook.com> <CABcZeBNsxdKStRTT6EGJ7f0W=1tD1fAqsiL84OECvRbJsFGC1Q@mail.gmail.com>
In-Reply-To: <CABcZeBNsxdKStRTT6EGJ7f0W=1tD1fAqsiL84OECvRbJsFGC1Q@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=huitema@microsoft.com;
x-originating-ip: [131.107.174.75]
x-microsoft-exchange-diagnostics: 1; DM2PR0301MB0653; 5:0lPR02QbMcA1sFCPwIqhg5QBTguga+EGp8AEB7rkyMWE5O9se5EOWPYHr7tTIn9gPvz1uLFqBhuFes2C2ymqTxE3qV+zjrsqopVO0MTmuyX+VOQt6lu3lN4fe+3lwK2ySdYzdhg/Kbw2AhnnfDMWeg==; 24:fWDqiN0apjkUSmOeC9ix+ICQbjFF0PMsxZvZMc4snU30Xcf9ht1TU/Eouo4yRT3ycJ96ewh9BFgSxz3inVXAAhRF3mtSejVMaTGNLCQnR4w=; 20:QLQnGPqJmJNKwjVspxq4MZHuhBC9WKZeixfdDSQiKFaoXNZIWGTAXJe8+YTn9eJ1dkuaxckVnA3eBdVbfB32Dg==
x-microsoft-antispam: UriScan:;BCL:0;PCL:0;RULEID:;SRVR:DM2PR0301MB0653;
x-o365eop-header: O365_EOP: Allow for Unauthenticated Relay
x-o365ent-eop-header: Message processed by - O365_ENT: Allow from ranges (Engineering ONLY)
x-microsoft-antispam-prvs: <DM2PR0301MB065310BB9FE1CA030FA55FDEA8140@DM2PR0301MB0653.namprd03.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:(108003899814671);
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(61425024)(601004)(2401047)(8121501046)(520078)(5005006)(10201501046)(3002001)(61426024)(61427024); SRVR:DM2PR0301MB0653; BCL:0; PCL:0; RULEID:; SRVR:DM2PR0301MB0653;
x-forefront-prvs: 07562C22DA
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(6009001)(377454003)(199003)(189002)(24454002)(86362001)(19580395003)(77096005)(66066001)(87936001)(122556002)(86612001)(2900100001)(102836002)(74316001)(2950100001)(92566002)(19580405001)(110136002)(76576001)(5001960100002)(10090500001)(40100003)(11100500001)(97736004)(105586002)(10290500002)(10400500002)(106116001)(8990500004)(99286002)(93886004)(5003600100002)(189998001)(5008740100001)(5004730100002)(5007970100001)(5001920100001)(81156007)(76176999)(54356999)(5005710100001)(33656002)(50986999)(106356001)(101416001)(5002640100001); DIR:OUT; SFP:1102; SCL:1; SRVR:DM2PR0301MB0653; H:DM2PR0301MB0655.namprd03.prod.outlook.com; FPR:; SPF:None; PTR:InfoNoRecords; A:1; MX:1; LANG:en;
received-spf: None (protection.outlook.com: microsoft.com does not designate permitted sender hosts)
spamdiagnosticoutput: 1:23
spamdiagnosticmetadata: NSPM
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: microsoft.com
X-MS-Exchange-CrossTenant-originalarrivaltime: 10 Nov 2015 00:41:34.3102 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 72f988bf-86f1-41af-91ab-2d7cd011db47
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DM2PR0301MB0653
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/WCUkUjZsBbghBw2FTJNUvqWfJwY>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] PR for anti-downgrade mechanism
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 10 Nov 2015 00:41:43 -0000

On Monday, November 9, 2015 4:34 PM, Eric Rescorla wrote:

> On Mon, Nov 9, 2015 at 4:30 PM, Christian Huitema <huitema@microsoft.com> wrote:
>
>...
>> Editorial: your proposed text says "...MUST set the first six  bytes of its Random value 
>> to the the bytes 44 4F 57 4E 47 52 44 01." I assume you mean the first 8 bytes, and that 
>> you do not really want to have "the" twice.
>
> Fixed.

Thanks

>> Could you also add a reference to the document that specifies using 44 4F  57 4E 47 52 
>> 44 00 by "TLS 1.2 servers which are  negotiating TLS 1.1 or below" ?
>
> We don't have one. Wasn't totally sure how to handle that.

I suspected that. Spent sometimes looking for text in published RFC, could not find it. I suspect that many readers will fall in the same trap and lose some time. Could you add text explaining that this is an undocumented feature of some implementations, and that we are recommending its use? Or something to that effect...

-- Christian Huitema

v2.23.0 | Report a Bug | By Email