Re: [TLS] Alissa Cooper's No Objection on draft-ietf-tls-padding-02: (with COMMENT)
Alissa Cooper <alissa@cooperw.in> Wed, 02 September 2015 16:39 UTC
Return-Path: <alissa@cooperw.in>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D25A31A8714 for <tls@ietfa.amsl.com>; Wed, 2 Sep 2015 09:39:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.186
X-Spam-Level:
X-Spam-Status: No, score=-1.186 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_LOW=-0.7, URIBL_RHS_DOB=1.514] autolearn=unavailable
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4ISwyuLjHPVO for <tls@ietfa.amsl.com>; Wed, 2 Sep 2015 09:39:33 -0700 (PDT)
Received: from out1-smtp.messagingengine.com (out1-smtp.messagingengine.com [66.111.4.25]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7D12B1B2DC6 for <tls@ietf.org>; Wed, 2 Sep 2015 09:39:32 -0700 (PDT)
Received: from compute1.internal (compute1.nyi.internal [10.202.2.41]) by mailout.nyi.internal (Postfix) with ESMTP id EC8E520C97 for <tls@ietf.org>; Wed, 2 Sep 2015 12:39:31 -0400 (EDT)
Received: from frontend2 ([10.202.2.161]) by compute1.internal (MEProxy); Wed, 02 Sep 2015 12:39:31 -0400
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d=cooperw.in; h=cc :content-transfer-encoding:content-type:date:from:in-reply-to :message-id:mime-version:references:subject:to:x-sasl-enc :x-sasl-enc; s=mesmtp; bh=lCAoo8ScwJJlmQtVokgY7MN2gaI=; b=J2LvVN 4/Ykg5IXYMolkok+5FyDj5cYR4fEWNpeN00bakDz+FcDwXsHJNh8qNg7p3w5KmqG mtiCwmIamYRtiBqudeMqLcOvDl9hPxPGnqLgJSRcpnORvyX6M38dQ8KcKhJ8Ieki VFZ7oFbb+cxiaaYinccI53iv7WSqNgZdkGero=
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d= messagingengine.com; h=cc:content-transfer-encoding:content-type :date:from:in-reply-to:message-id:mime-version:references :subject:to:x-sasl-enc:x-sasl-enc; s=smtpout; bh=lCAoo8ScwJJlmQt VokgY7MN2gaI=; b=GNgdvyyVAhdNxpIvmdjUOZD9djrgYWEj2Jyasgk0JOk6a/4 k8y9JuGDLABPricRfrXy+pt4oYG/y1s55OI+rwmBNE3IWwkBiQ/amjYlAIgOu3sk BIi2E48A5w0pfHfUnH4M6tKn1N+ba6skrMmNvvaiC6D3iMwbwTNMwhKEZGjU=
X-Sasl-enc: IL73obxAw7RMmtHplAA0Drvfge1pau/7TUPZMUpNBmvN 1441211971
Received: from dhcp-171-68-20-136.cisco.com (dhcp-171-68-20-136.cisco.com [171.68.20.136]) by mail.messagingengine.com (Postfix) with ESMTPA id 563676800D8; Wed, 2 Sep 2015 12:39:31 -0400 (EDT)
Content-Type: text/plain; charset="windows-1252"
Mime-Version: 1.0 (Mac OS X Mail 8.2 \(2104\))
From: Alissa Cooper <alissa@cooperw.in>
In-Reply-To: <6630C2B6-A273-400D-A72D-CACB255BB87D@sn3rd.com>
Date: Wed, 02 Sep 2015 09:39:30 -0700
Content-Transfer-Encoding: quoted-printable
Message-Id: <A1BBDED3-3F73-46FD-BE0B-3D0BD35B8154@cooperw.in>
References: <20150831203613.9221.81864.idtracker@ietfa.amsl.com> <3A706F2D-B607-47E5-A6CD-4BAF344A8C7B@gmail.com> <6630C2B6-A273-400D-A72D-CACB255BB87D@sn3rd.com>
To: Sean Turner <sean@sn3rd.com>
X-Mailer: Apple Mail (2.2104)
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/XeussdndKCa2jLoAU4cRsNeL0hQ>
X-Mailman-Approved-At: Wed, 02 Sep 2015 09:47:15 -0700
Cc: IESG <iesg@ietf.org>, "<tls@ietf.org>" <tls@ietf.org>
Subject: Re: [TLS] Alissa Cooper's No Objection on draft-ietf-tls-padding-02: (with COMMENT)
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 02 Sep 2015 16:39:35 -0000
> On Sep 2, 2015, at 7:09 AM, Sean Turner <sean@sn3rd.com> wrote: > > On Sep 02, 2015, at 02:26, Yoav Nir <ynir.ietf@gmail.com> wrote: > >> >>> On Aug 31, 2015, at 11:36 PM, Alissa Cooper <alissa@cooperw.in> wrote: >>> >>> Alissa Cooper has entered the following ballot position for >>> draft-ietf-tls-padding-02: No Objection >>> >>> ---------------------------------------------------------------------- >>> COMMENT: >>> ---------------------------------------------------------------------- >>> >>> Would be nice to include a reference to something that explains or at >>> least identifies the implementation that hangs when receiving >>> ClientHellos of a certain size. >> >> RFCs are forever. I don’t see much value in a “F5 had a bug in 2011” sentence in an RFC. OTOH such perpetual bad publicity (much like the “NETSCAPE_BUG” and “MICROSOFT_BUG” constants in OpenSSL code) may in the future discourage vendors from being as forthcoming with relevant information as F5 were in this case. >> >>> Otherwise one wonders why it's easier to >>> define this extension than it is to just fix that one implementation >>> (assuming it is only one). >> >> The implementation has been fixed for years. Many of their customers had not upgraded their firmware when discussion of this extension began. >> >> This is similar to how a vulnerability in home router firmware that was patched in 2004 was still present in new home routers sold in 2014 that were vulnerable to Shellshock. Unfortunately not every vendor can push upgrades to all customers the way browser vendors do. >> >> Yoav > > I agree with Yoav. > > By way of additional background: The extension fixes an issue that Brian Smith brought to the WG’s attention [0]. It’s related to ALPN deployment; he was running into failures when handshakes were larger than 255 bytes. Brian got some numbers from Kurt Roeckx, who relayed them from Ivan Ristic, and these numbers showed that around 2.9% of the web servers surveyed on the Internet had this problem. That number kind of got the WG’s attention because yeah the implementer can fix their code in a patch, but they can’t really force that patch to be deployed everywhere. Thanks, this is the kind of helpful context I was going for. I would suggest adding something like this at the end of the first paragraph in section 1: "This is desirable given that fully comprehensive patching of affected implementations is difficult to achieve.” Alissa > > spt > > [0] https://mailarchive.ietf.org/arch/msg/tls/v7tEam3Wi5GjpEXxF_71qPY0Ojo
- [TLS] Alissa Cooper's No Objection on draft-ietf-… Alissa Cooper
- Re: [TLS] Alissa Cooper's No Objection on draft-i… Yoav Nir
- Re: [TLS] Alissa Cooper's No Objection on draft-i… Sean Turner
- Re: [TLS] Alissa Cooper's No Objection on draft-i… Alissa Cooper