Re: [TLS] Eric Rescorla's Discuss on draft-ietf-tls-ecdhe-psk-aead-04: (with DISCUSS and COMMENT)
Eric Rescorla <ekr@rtfm.com> Tue, 23 May 2017 20:57 UTC
Return-Path: <ekr@rtfm.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 08817127B31 for <tls@ietfa.amsl.com>; Tue, 23 May 2017 13:57:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9OFnpNWThWnY for <tls@ietfa.amsl.com>; Tue, 23 May 2017 13:57:58 -0700 (PDT)
Received: from mail-yb0-x230.google.com (mail-yb0-x230.google.com [IPv6:2607:f8b0:4002:c09::230]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3CBB112EB33 for <tls@ietf.org>; Tue, 23 May 2017 13:57:57 -0700 (PDT)
Received: by mail-yb0-x230.google.com with SMTP id p143so40991881yba.2 for <tls@ietf.org>; Tue, 23 May 2017 13:57:57 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=RSmxrL52Q4J+4Z/2S7eNjxrsfYWmI9PHQLoTW9QoOqM=; b=nazyEL/meHUV9ZcqOFUI+Zj3VHxdUqZkANA0ND5CQeyE8FbE7IVp4mkjrxwWNQ9TMM bXgqqGioWcwTc8yuFaSZH3LjMZXLseEC1diZAqcH8D/1BRFfqcBfT/hF5WA97GcNvR5n kbDIACHu5l3LpesnJNuy4B4t+f6/UDKtbugx87vLIE3QhEPxconHMoV027Hmk6NArWzA 9yM89voICsO/Uj/yI9/yY3p6NqKpc2wDL++uTSlY1dhlS3bP80AH3LbwMyPPrcNDlpkT SsXjGUecCpCMJOMIjryzrqijGrONL/PHQrpDK5cuzSFTs2Obgfi7zH8iUYk1zV4rDpIU kJ/g==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=RSmxrL52Q4J+4Z/2S7eNjxrsfYWmI9PHQLoTW9QoOqM=; b=igGJko/wvhEqo6x5u4BXU+lrhIJW5Z8US+fy9YozYYyYtc5sMwP5ohRg6TGHHs8EK9 oCzJU2VjdLzATB9Yfhtlq98L7aKKGwYUEn4sednQZEP+vUULHxxJBPTf/jLKp1wX5tS8 W7sJ8NFEccGrPpUdNf64PHWIyrGi01OX6ww0laFrJaelUVYEh4lJi0Q0MCOG0/gCB8Ow Jqz6+jSzrR5c410vSva3eds2q8vU9Y70HTB62tRgdnrZsISuUtmFJTua5yb2UlFOm/rs JJUwny7a1CnetWOQWTCajlbRh+guHWElyzZMR1tdp9MpWdvPnhLCuRvrkCGLEloMwAdh 12JQ==
X-Gm-Message-State: AODbwcCsAw05vsro58k/GDTcV9JJYO5nahmAmoGIiCFy7ZUr1sxhODNQ RoeM5oKYlRkNd/D9F2BcrX7ar2uhCfJu
X-Received: by 10.37.206.8 with SMTP id x8mr19462239ybe.16.1495573076305; Tue, 23 May 2017 13:57:56 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.129.131.150 with HTTP; Tue, 23 May 2017 13:57:15 -0700 (PDT)
In-Reply-To: <20170523133441.54A901A6A6@ld9781.wdf.sap.corp>
References: <149550551972.4974.3201248950751611020.idtracker@ietfa.amsl.com> <20170523133441.54A901A6A6@ld9781.wdf.sap.corp>
From: Eric Rescorla <ekr@rtfm.com>
Date: Wed, 24 May 2017 04:57:15 +0800
Message-ID: <CABcZeBOrP7RHuk9Kc-306tKh8eg71OYpLdvq8RzDXChFuwWt9g@mail.gmail.com>
To: "mrex@sap.com" <mrex@sap.com>
Cc: The IESG <iesg@ietf.org>, "tls@ietf.org" <tls@ietf.org>, tls-chairs <tls-chairs@ietf.org>, draft-ietf-tls-ecdhe-psk-aead@ietf.org
Content-Type: multipart/alternative; boundary="94eb2c190b20f32bae0550373dbc"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/Y-woHow_TwnA1lDG94rEm6O5M7E>
Subject: Re: [TLS] Eric Rescorla's Discuss on draft-ietf-tls-ecdhe-psk-aead-04: (with DISCUSS and COMMENT)
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 23 May 2017 20:57:59 -0000
On Tue, May 23, 2017 at 9:34 PM, Martin Rex <mrex@sap.com> wrote: > Eric Rescorla wrote: > > draft-ietf-tls-ecdhe-psk-aead-04: Discuss > > > > ---------------------------------------------------------------------- > > DISCUSS: > > ---------------------------------------------------------------------- > > > > The following text appears to have been added in -04 > > > > A server receiving a ClientHello and a client_version indicating > > (3,1) "TLS 1.0" or (3,2) "TLS 1.1" and any of the cipher suites from > > this document in ClientHello.cipher_suites can safely assume that > > the > > client supports TLS 1.2 and is willing to use it. The server MUST > > NOT negotiate these cipher suites with TLS protocol versions earlier > > than TLS 1.2. Not requiring clients to indicate their support for > > TLS 1.2 cipher suites exclusively through ClientHello.client_hello > > improves the interoperability in the installed base and use of TLS > > 1.2 AEAD cipher suites without upsetting the installed base of > > version-intolerant TLS servers, results in more TLS handshakes > > succeeding and obviates fallback mechanisms. > > > > This is a major technical change from -03, which, AFAIK, prohibited > > the server from negotiating these algorithms with TLS 1.1 and below > > and maintained the usual TLS version 1.2 negotiation rules. > > This change _still_ prohibits the server from negotiating these algorithms > with TLSv1.1 and below. > Could you elaborate a little on where and why you see a problem with this? > For starters, TLS 1.3 has already designed a completely independent mechanism for doing version negotiation outside of ClientHello.version, so doing another seems pretty odd. In any case, it's not something you do between IETF-LC and IESG approval. As this changes tries to explain, had such a text been used for all > TLSv1.2 AEAD cipher suite code points, then browsers would have never > needed any "downgrade dance" fallbacks, POODLE would have never > existed as a browser problem, and the TLS_FALLBACK_SCSV band-aid > would not been needed, either. > I'm not sure this is true, because there were also servers which did not understand extensions. -Ekr > -Martin >
- [TLS] Eric Rescorla's Discuss on draft-ietf-tls-e… Eric Rescorla
- Re: [TLS] Eric Rescorla's Discuss on draft-ietf-t… Martin Rex
- Re: [TLS] Eric Rescorla's Discuss on draft-ietf-t… Martin Rex
- Re: [TLS] Eric Rescorla's Discuss on draft-ietf-t… Eric Rescorla
- Re: [TLS] Eric Rescorla's Discuss on draft-ietf-t… Daniel Migault
- Re: [TLS] Eric Rescorla's Discuss on draft-ietf-t… Eric Rescorla
- Re: [TLS] Eric Rescorla's Discuss on draft-ietf-t… Daniel Migault
- Re: [TLS] Eric Rescorla's Discuss on draft-ietf-t… Martin Thomson
- Re: [TLS] Eric Rescorla's Discuss on draft-ietf-t… Daniel Migault
- Re: [TLS] Eric Rescorla's Discuss on draft-ietf-t… Joseph Salowey
- Re: [TLS] Eric Rescorla's Discuss on draft-ietf-t… Daniel Migault
- Re: [TLS] Eric Rescorla's Discuss on draft-ietf-t… Daniel Migault
- Re: [TLS] Eric Rescorla's Discuss on draft-ietf-t… Martin Thomson
- Re: [TLS] Eric Rescorla's Discuss on draft-ietf-t… Joseph Salowey
- Re: [TLS] Eric Rescorla's Discuss on draft-ietf-t… Martin Thomson
- Re: [TLS] Eric Rescorla's Discuss on draft-ietf-t… Daniel Migault
- Re: [TLS] Eric Rescorla's Discuss on draft-ietf-t… Martin Thomson
- Re: [TLS] Eric Rescorla's Discuss on draft-ietf-t… Daniel Migault
- Re: [TLS] Eric Rescorla's Discuss on draft-ietf-t… Martin Rex
- Re: [TLS] Eric Rescorla's Discuss on draft-ietf-t… Watson Ladd
- Re: [TLS] Eric Rescorla's Discuss on draft-ietf-t… Martin Rex