Re: [TLS] Antw: Re: Antw: Re: Suspicious behaviour of TLS server implementations

"Christian Huitema" <huitema@huitema.net> Sat, 24 September 2016 00:51 UTC

Return-Path: <huitema@huitema.net>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C5A3C12BEC3 for <tls@ietfa.amsl.com>; Fri, 23 Sep 2016 17:51:43 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.621
X-Spam-Level:
X-Spam-Status: No, score=-2.621 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id IkW-KBVJIgHt for <tls@ietfa.amsl.com>; Fri, 23 Sep 2016 17:51:41 -0700 (PDT)
Received: from xsmtp12.mail2web.com (xsmtp12.mail2web.com [168.144.250.177]) (using TLSv1 with cipher AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CE10C12BEC2 for <tls@ietf.org>; Fri, 23 Sep 2016 17:51:41 -0700 (PDT)
Received: from [10.5.2.52] (helo=xmail12.myhosting.com) by xsmtp12.mail2web.com with esmtps (TLS-1.0:DHE_RSA_AES_256_CBC_SHA1:32) (Exim 4.63) (envelope-from <huitema@huitema.net>) id 1bnbBo-0007iK-4z for tls@ietf.org; Fri, 23 Sep 2016 20:51:40 -0400
Received: (qmail 7063 invoked from network); 24 Sep 2016 00:51:35 -0000
Received: from unknown (HELO icebox) (Authenticated-user:_huitema@huitema.net@[24.16.156.113]) (envelope-sender <huitema@huitema.net>) by xmail12.myhosting.com (qmail-ldap-1.03) with ESMTPA for <andreas.walz@hs-offenburg.de>; 24 Sep 2016 00:51:35 -0000
From: "Christian Huitema" <huitema@huitema.net>
To: "'Peter Gutmann'" <pgut001@cs.auckland.ac.nz>, "'Andreas Walz'" <andreas.walz@hs-offenburg.de>
References: <57D2E218020000AC0011B17E@gwia2.rz.hs-offenburg.de> <20160909152901.9008C1A552@ld9781.wdf.sap.corp> <1473853106532.3256@cs.auckland.ac.nz> <57D96E34020000AC0011B73F@gwia2.rz.hs-offenburg.de> <57E25106020000AC0011BF3A@gwia2.rz.hs-offenburg.de> <CABkgnnX7X+21wjChxkW-uhd8WXAMyp5f1F74H5ja=1mui4POiQ@mail.gmail.com>, <57E272CB020000AC0011BF63@gwia2.rz.hs-offenburg.de> <1474473207998.35647@cs.auckland.ac.nz>, <57E2E068020000AC0011BFD4@gwia2.rz.hs-offenburg.de> <1474520407230.85774@cs.auckland.ac.nz>, <57E3E821020000AC0011C0DC@gwia2.rz.hs-offenburg.de> <1474619914890.15531@cs.auckland.ac.nz>
In-Reply-To: <1474619914890.15531@cs.auckland.ac.nz>
Date: Fri, 23 Sep 2016 17:51:30 -0700
Message-ID: <168501d215fd$caca2400$605e6c00$@huitema.net>
MIME-Version: 1.0
Content-Type: text/plain; charset="Windows-1252"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Outlook 16.0
Thread-Index: AQHHcOqJfG6OnAxDtgOCdHpIKNuETANRRt3qAh/g5EACr3X/HwHOAz/TAUSUyTsBb31GMQF2d/sxAgWA7DgCFiZhdgHu2styAs9XHpGf5X+QoA==
Content-Language: en-us
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/aE-4TdZK5qeyQ3DVhiR2PSQRDks>
Cc: tls@ietf.org
Subject: Re: [TLS] Antw: Re: Antw: Re: Suspicious behaviour of TLS server implementations
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 24 Sep 2016 00:51:44 -0000

On Friday, September 23, 2016 1:39 AM, Peter Gutmann wrote:
> Andreas Walz <andreas.walz@hs-offenburg.de>; writes:
>
>>However, where would you draw the line between "I can't" and "I don't want
>>to"?
> 
> It's one of those judgement-call things, I don't know if you can strictly
> define it but as a rule of thumb I'd say that if you encounter it during
> normal processing it's an I-can't problem while if you have to add
special-
> case checks to identify it and refuse to continue it's an I-don't-want-to
> problem.

Yes of course, but there is another aspect to it, the general health of the
ecosystem. Postel's rule is nice, but it removes the pressure on broken
implementations to fix their code. Pushed to the extreme, the result is a
sort of protocol drift, in which buggy variants get first tolerated, and
then accepted as de-facto standards. This tends to hinder future evolutions,
not to mention adding complexity. We often hear that "the IETF has no
protocol police," but in fact it does. Each implementation that takes a
strict view of standard compliance contributes to this policing.

-- Christian Huitema