Re: [TLS] Deployment ... Re: This working group has failed

Mark Nottingham <mnot@mnot.net> Sun, 17 November 2013 20:26 UTC

Return-Path: <mnot@mnot.net>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9621611E81A8 for <tls@ietfa.amsl.com>; Sun, 17 Nov 2013 12:26:04 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.599
X-Spam-Level:
X-Spam-Status: No, score=-102.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id notYHoUWQeNs for <tls@ietfa.amsl.com>; Sun, 17 Nov 2013 12:25:57 -0800 (PST)
Received: from mxout-08.mxes.net (mxout-08.mxes.net [216.86.168.183]) by ietfa.amsl.com (Postfix) with ESMTP id 6210011E821C for <tls@ietf.org>; Sun, 17 Nov 2013 12:25:10 -0800 (PST)
Received: from [192.168.1.72] (unknown [118.209.179.170]) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (No client certificate requested) by smtp.mxes.net (Postfix) with ESMTPSA id B03F5509B8; Sun, 17 Nov 2013 15:25:04 -0500 (EST)
Content-Type: text/plain; charset=windows-1252
Mime-Version: 1.0 (Mac OS X Mail 7.0 \(1822\))
From: Mark Nottingham <mnot@mnot.net>
In-Reply-To: <11586138-5410-404B-905F-CEA1DEBF6DE1@checkpoint.com>
Date: Mon, 18 Nov 2013 07:24:59 +1100
Content-Transfer-Encoding: quoted-printable
Message-Id: <48FED074-6468-42E7-9B63-7895DC17D916@mnot.net>
References: <CACsn0c=i2NX2CZ=Md2X+WM=RM8jAysaenz6oCxmoPt+LC5wvjA@mail.gmail.com> <52874576.9000708@gmx.net> <5287B4F6.1060102@defuse.ca> <52889ACF.3050302@gmx.net> <11586138-5410-404B-905F-CEA1DEBF6DE1@checkpoint.com>
To: Yoav Nir <ynir@checkpoint.com>
X-Mailer: Apple Mail (2.1822)
Cc: "tls@ietf.org list" <tls@ietf.org>
Subject: Re: [TLS] Deployment ... Re: This working group has failed
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 17 Nov 2013 20:26:04 -0000

On 17 Nov 2013, at 10:12 pm, Yoav Nir <ynir@checkpoint.com> wrote:

> 1. TLS 1.2 is the first version to require support of extensions. Some servers broke when extensions existed.
> 2. Some servers broke on unrecognized extensions.
> 3. Some server break on missing extensions - certain servers will not accept a TLS 1.2 ClientHello without the SignatureAlgorithm extension

It seems like TLS is facing problems similar to those that HTTP is regarding Upgrade. Maybe the takeaway is that one of the more important things to get right is the test suite for extensibility / versioning in any new protocol (alas, too late for TLS and HTTP…).

Cheers,


--
Mark Nottingham   http://www.mnot.net/