Re: [TLS] TLS 1.3 comments
Hubert Kario <hkario@redhat.com> Mon, 17 August 2015 14:43 UTC
Return-Path: <hkario@redhat.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3E1911A3B9F for <tls@ietfa.amsl.com>; Mon, 17 Aug 2015 07:43:56 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.911
X-Spam-Level:
X-Spam-Status: No, score=-6.911 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, SPF_HELO_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id SU8a_ci9axqG for <tls@ietfa.amsl.com>; Mon, 17 Aug 2015 07:43:54 -0700 (PDT)
Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CD3F71A219E for <tls@ietf.org>; Mon, 17 Aug 2015 07:43:54 -0700 (PDT)
Received: from int-mx10.intmail.prod.int.phx2.redhat.com (int-mx10.intmail.prod.int.phx2.redhat.com [10.5.11.23]) by mx1.redhat.com (Postfix) with ESMTPS id 7F1768F298; Mon, 17 Aug 2015 14:43:54 +0000 (UTC)
Received: from pintsize.usersys.redhat.com (ovpn-112-27.ams2.redhat.com [10.36.112.27]) by int-mx10.intmail.prod.int.phx2.redhat.com (8.14.4/8.14.4) with ESMTP id t7HEhnCx007553 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Mon, 17 Aug 2015 10:43:53 -0400
From: Hubert Kario <hkario@redhat.com>
To: tls@ietf.org
Date: Mon, 17 Aug 2015 16:43:41 +0200
Message-ID: <1486986.OVeGYfMRs9@pintsize.usersys.redhat.com>
User-Agent: KMail/4.14.9 (Linux/4.1.4-200.fc22.x86_64; KDE/4.14.9; x86_64; ; )
In-Reply-To: <20150817120246.GA32255@LK-Perkele-VII>
References: <55D1B5CC.1050005@gmail.com> <20150817120246.GA32255@LK-Perkele-VII>
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="nextPart6993592.xhapalaqSf"; micalg="pgp-sha512"; protocol="application/pgp-signature"
X-Scanned-By: MIMEDefang 2.68 on 10.5.11.23
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/cWAIICgBEriEJHvFVeoQnvfvGms>
Subject: Re: [TLS] TLS 1.3 comments
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 17 Aug 2015 14:43:56 -0000
On Monday 17 August 2015 15:02:46 Ilari Liusvaara wrote: > On Mon, Aug 17, 2015 at 06:22:04AM -0400, Yaron Sheffer wrote: > > Below a long list of comments, generally minor. The document is > > already very good - we're making great progress!<br> > > > > The record length field is limited by encrypted-length+2048. > > > > Shouldn't it be 1024? - "Each AEAD cipher MUST NOT produce an > > expansion of greater than 1024 bytes". > > Actually, I think both should be 256 (256-byte expansion from AEAD > is already quite much). > > (This was proposed a while back). I don't think this adds anything while introducing requirement of adding additional "if" to implementations that support also TLS1.2 and lower > > D.1.2: do we really need to worry about version rollback to > > > > SSLv2? I suggest to remove this section. > > Well, it is not possible to even try to negotiate TLS 1.3 using SSLv2 > compat. hello, since that can't transmit extensions, but at least one > extension is REQUIRED in order to successfully negotiate TLS 1.3. > > And the second paragraph seems to be about RSA key exchange, which > isn't supported anymore in TLS 1.3. > > Yes, the section looks like it could be removed. OTOH, TLS1.3 is not a superset of TLS1.2 so we need to think about downgrade to TLS1.2. > But that isn't the only way rollback attacks can occur, also some > clients can be coaxed to downgrade by selectively blocking connections. > Unfortunately the intolerance to TLS 1.3 is so bad that many clients > will likely be willing to perform unauthenticated downgrade to TLS > 1.2 (and FALLBACK_SCSV is useless here). how is it useless? A server which support at most TLS1.2 that receives a TLS1.2 client hello with FALLBACK_SCSV MUST continue the connection with TLS1.2 -- Regards, Hubert Kario Quality Engineer, QE BaseOS Security team Web: www.cz.redhat.com Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic
- Re: [TLS] TLS 1.3 comments Martin Thomson
- [TLS] TLS 1.3 comments Yaron Sheffer
- Re: [TLS] TLS 1.3 comments Ilari Liusvaara
- Re: [TLS] TLS 1.3 comments Hubert Kario
- Re: [TLS] TLS 1.3 comments Yaron Sheffer
- Re: [TLS] TLS 1.3 comments Viktor Dukhovni
- Re: [TLS] TLS 1.3 comments Martin Thomson
- Re: [TLS] TLS 1.3 comments Dave Garrett