[TLS] Obsoleting SCSV in draft-ietf-tls-oldversions-deprecate

Yaron Sheffer <yaronf.ietf@gmail.com> Tue, 10 November 2020 18:41 UTC

Return-Path: <yaronf.ietf@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 393A23A0E45 for <tls@ietfa.amsl.com>; Tue, 10 Nov 2020 10:41:04 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, MIME_QP_LONG_LINE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pR6W1XSEPVkm for <tls@ietfa.amsl.com>; Tue, 10 Nov 2020 10:41:03 -0800 (PST)
Received: from mail-ej1-x62c.google.com (mail-ej1-x62c.google.com [IPv6:2a00:1450:4864:20::62c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CB5F63A0E3A for <tls@ietf.org>; Tue, 10 Nov 2020 10:41:02 -0800 (PST)
Received: by mail-ej1-x62c.google.com with SMTP id dk16so19034809ejb.12 for <tls@ietf.org>; Tue, 10 Nov 2020 10:41:02 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=user-agent:date:subject:from:to:cc:message-id:thread-topic :mime-version:content-transfer-encoding; bh=9ptgDVoxgm1kAExB71OVR5e8tyarhAUopo3LBVGF4ko=; b=h/9tr4CgnZJ3erJpTe6qAn9r06gkG9/4LZmmHB43uw+XXsaeg4kjxOx/M4lmyOzK/Z Rzm2brPrMEKS7ZmqwlfdYuFYw01PwprA9nIcDRsTKZDLR6fOoqtIC2VZkn0dG61ER8uO vz+5yOG459iTj3aj+0a1aY3KZPBz7NRI9zM/kITRsPOhNpZE5bnh8y7J8NSZ1390dAL8 qAjTGj30oMVA9qmesPom6s/sBuNIk5EWwH0hqsfw5IgNbZ0LP4QvQhs5TBANh1SxfgqM 8qy1gKsBTgRZJ2yxRcq3xDPFuKM+MSdiSy0oY1o/ZC40QmEGXO1QFv9Yhqj/F6AhUeAL Dgbw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:user-agent:date:subject:from:to:cc:message-id :thread-topic:mime-version:content-transfer-encoding; bh=9ptgDVoxgm1kAExB71OVR5e8tyarhAUopo3LBVGF4ko=; b=uh4HcykcY19wtXAFm5KZxiXiMWtvTzFJVVgtdGrhZ/SZ46xPVvHbe33+WqyJA5eu1L hsbFOMAWgURsNqKm/Vj1eDViOIVi9qquG5fng7uV9PQqCljs97JOXo2fbogA81sEPRSz bMS+hoEfhFwwZnFSfcC1EhY53QqBKADT80pdS1vdQazY+iLWBNaffT+Vr3qHmXtJVWBv ZxBB55XahdHzaKMFAIbLeVQRvVE1Rxu5kxoxc7jGFa0ptLr9+k6EJng4iQ79alloukK2 WYhHE7ZrpJxVSx8dkrYUVUTM7wOzlFOfqUj/OFwZj0vWDwKlZ/XMmdt9WWRV/VBJHcsf jJWA==
X-Gm-Message-State: AOAM530pNEVT1D0QRm2j1NZpIl/yvyKKdiyb818TNB3AZysN1BVGvfCQ 0AIiKOt6axsqymwa2EYTW8+SwQ66kQDaqQ==
X-Google-Smtp-Source: ABdhPJywO54vN05kZ7l4g1vGIbgpauFDM0aZ+dfWQw+UuksCBB6r19zJC7wA91ZLhfx1Bfl40zoNhA==
X-Received: by 2002:a17:906:8398:: with SMTP id p24mr22075281ejx.401.1605033660849; Tue, 10 Nov 2020 10:41:00 -0800 (PST)
Received: from [172.26.49.35] (pub-corp-42-8.intuit.com. [91.102.42.8]) by smtp.gmail.com with ESMTPSA id h22sm6625750ejt.21.2020.11.10.10.40.58 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Tue, 10 Nov 2020 10:41:00 -0800 (PST)
User-Agent: Microsoft-MacOutlook/16.42.20101102
Date: Tue, 10 Nov 2020 20:40:57 +0200
From: Yaron Sheffer <yaronf.ietf@gmail.com>
To: "tls@ietf.org" <tls@ietf.org>
Message-ID: <912FCE0F-65C4-487B-8121-748466BB2FB9@gmail.com>
Thread-Topic: Obsoleting SCSV in draft-ietf-tls-oldversions-deprecate
Mime-version: 1.0
Content-type: text/plain; charset="UTF-8"
Content-transfer-encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/X0tNwPmzo2AdCO7aOXQOD1bdVrU>
Subject: [TLS] Obsoleting SCSV in draft-ietf-tls-oldversions-deprecate
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 10 Nov 2020 18:41:04 -0000

Hi,

We are now revising RFC 7525 for the new world, and in general we are following this draft. So, MUST NOT negotiate TLS 1.0 and 1.1. This brought up the question of SCSV, which was new when RFC 7525 was published but has since been widely implemented/deployed.

I think marking the “oldversions” draft as “obsoletes RFC 7507 (SCSV)” is not great from an ecosystem point of view. People will interpret it as “no need to implement SCSV in new code, no need to expose it as a configuration option in existing code”. And we know that some admins will continue to allow downgrade to TLS 1.0/1.1 no matter what we tell them. IMO we should protect these people from downgrade attacks, even if we disagree with their policy.

So I would call for a more nuanced wording re: SCSV, something like (paraphrasing EKR):

In the world where the only valid values of TLS are 1.2 and 1.3+, the TLS 1.3 fallback mechanism should render the SCSV unnecessary. However for existing client and server implementations that still include support for earlier TLS versions, SCSV should continue to be supported.

Thanks,
	Yaron