Re: [TLS] SCSV vs RI when both specified. Was: Updated draft

Martin Rex <> Tue, 12 January 2010 16:40 UTC

From: Martin Rex <>
Message-Id: <>
To: (Kemp David P.)
Date: Tue, 12 Jan 2010 17:40:39 +0100 (MET)
In-Reply-To: <> from "Kemp, David P." at Jan 12, 10 10:43:33 am
Subject: Re: [TLS] SCSV vs RI when both specified. Was: Updated draft

Kemp, David P. wrote:
> Perhaps I misunderstand the issue, but if there is absolutely no
> known security problem in the absence of C->S signaling (ClientHello
> contains neither SCSV nor empty RI), then it would seem that
> C->S signaling is superfluous and should have been omitted from
> the renego spec.  I inferred from its existence that it served
> some useful purpose.

We need the C->S signaling in order to allow the S->C signaling,
because the original SSL&TLS protocols do not provide sufficient
slack for S->C signaling without prior C->S signaling.

Technically an S->C signaling for the initial handshake would be
sufficient to prevent an updated client from having a client
perform an old renegotiation with an updated server.  Doing
it both ways makes it more robust, and provides additional
room for policy decisions.

> That is not a policy decision embedded in protocol, it is a
> truth in advertising requirement.  If a client's or server's
> policy is that communication is more important than resistance
> to renegotiation attack, then that policy is expressed by accepting
> connections using the SSLv3, TLSv1.0, TLSv1.1, and TLSv1.2
> protocols.

A TLS client or TLS server that does _not_ interoperate with an old
TLS implementation on the initial handshake is simply not compliant
to whatever protocol (SSLv3, TLSv1.0, TLSv1.1 or TLSv1.2) is

The new specification about (secure) TLS renegotiation _only_
deprecates an optional feature of the existing protocol and
adds a new optional feature for them.  This spec does _NOT_
change the core protocol.  Otherwise it would not be an
update, but a new protocol.
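The signaling dependency Martin describes (the server may only return the S->C signal once the client has sent the C->S signal, because TLS forbids a ServerHello extension the client never offered) can be modelled in a few lines. The following is an added example, not code from this thread or from any TLS implementation: the 0x00FF SCSV code point, the 0xFF01 extension type and the `renegotiated_connection` layout are the values RFC 5746 assigns; the function names, the `allow_legacy` policy knob and the 12-byte `client_verify_data`/`server_verify_data` sample values are assumptions made for the example.

```python
"""Model of the C->S / S->C renegotiation signaling of RFC 5746.

Added example (not from the mailing-list thread or any TLS stack). Code
points below are RFC 5746's; function names and sample values are assumed.
"""

TLS_EMPTY_RENEGOTIATION_INFO_SCSV = 0x00FF   # signaling cipher-suite value
EXT_RENEGOTIATION_INFO = 0xFF01               # "renegotiation_info" extension type


def encode_ri(renegotiated_connection: bytes) -> bytes:
    """extension_data is one length byte followed by renegotiated_connection."""
    return bytes([len(renegotiated_connection)]) + renegotiated_connection


def decode_ri(extension_data: bytes) -> bytes:
    """Inverse of encode_ri; rejects a length byte that disagrees with the data."""
    if not extension_data or len(extension_data) != 1 + extension_data[0]:
        raise ValueError("decode_error: malformed renegotiation_info")
    return extension_data[1:]


def client_signals(cipher_suites, extensions) -> bool:
    """C->S signal on the initial handshake: SCSV in the suite list or an empty RI.

    cipher_suites: list of 16-bit suite codes; extensions: {type: extension_data}.
    """
    if TLS_EMPTY_RENEGOTIATION_INFO_SCSV in cipher_suites:
        return True
    ri = extensions.get(EXT_RENEGOTIATION_INFO)
    return ri is not None and decode_ri(ri) == b""


def server_initial_handshake(cipher_suites, extensions):
    """Server side of the first handshake: (secure_renegotiation, server_extensions).

    Without a client signal there is no room for S->C signaling: answering with
    an extension the client did not offer violates the base protocol and old
    clients abort on it, so the server stays silent and records that the
    connection does not support secure renegotiation.
    """
    if client_signals(cipher_suites, extensions):
        return True, {EXT_RENEGOTIATION_INFO: encode_ri(b"")}
    return False, {}


def server_renegotiation(secure_renegotiation, cipher_suites, extensions,
                         client_verify, server_verify, allow_legacy=False):
    """Server side of a renegotiation ClientHello on an existing connection.

    On a secure connection the client's RI must carry the previous
    client_verify_data and the server answers with client_verify_data +
    server_verify_data. On a legacy connection the (policy-controlled) choice
    is between refusing and performing an old-style renegotiation.
    """
    ri = extensions.get(EXT_RENEGOTIATION_INFO)
    if TLS_EMPTY_RENEGOTIATION_INFO_SCSV in cipher_suites:
        raise ValueError("handshake_failure: SCSV is not allowed on renegotiation")
    if not secure_renegotiation:
        if ri is not None:
            raise ValueError("handshake_failure: RI on a legacy connection")
        if not allow_legacy:
            raise ValueError("no_renegotiation: legacy renegotiation refused by policy")
        return {}
    if ri is None:
        raise ValueError("handshake_failure: RI missing on secure renegotiation")
    if decode_ri(ri) != client_verify:
        raise ValueError("handshake_failure: client_verify_data mismatch")
    return {EXT_RENEGOTIATION_INFO: encode_ri(client_verify + server_verify)}


def client_check_renegotiation(server_extensions, client_verify, server_verify) -> bool:
    """Client side: the ServerHello RI must echo both saved verify_data values."""
    ri = server_extensions.get(EXT_RENEGOTIATION_INFO)
    return ri is not None and decode_ri(ri) == client_verify + server_verify


if __name__ == "__main__":
    # Constructed sample values: TLS 1.x verify_data is 12 bytes.
    cv, sv = b"C" * 12, b"S" * 12
    secure, s_exts = server_initial_handshake([0x002F, TLS_EMPTY_RENEGOTIATION_INFO_SCSV], {})
    print("initial handshake: secure_renegotiation =", secure, s_exts)
    reneg = server_renegotiation(secure, [0x002F], {EXT_RENEGOTIATION_INFO: encode_ri(cv)}, cv, sv)
    print("renegotiation accepted by client:", client_check_renegotiation(reneg, cv, sv))
```

The model makes the thread's point concrete: `server_initial_handshake` only ever emits the RI extension on the branch where `client_signals` is true, and a connection that started without the signal can later be renegotiated only through the explicit `allow_legacy` policy, which is the "room for policy decisions" Martin mentions.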