IETF Logo Mail Archive

Re: [TLS] Working Group Last Call for draft-ietf-tls-downgrade-scsv-00

Bodo Moeller <bmoeller@acm.org> Sat, 18 October 2014 12:09 UTC

Return-Path: <SRS0=E8DF=7J=acm.org=bmoeller@srs.kundenserver.de>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7986F1A6FEE for <tls@ietfa.amsl.com>; Sat, 18 Oct 2014 05:09:00 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.938
X-Spam-Level:
X-Spam-Status: No, score=-0.938 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FM_FORGED_GMAIL=0.622, HELO_EQ_DE=0.35, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id oYOXhh02bJtZ for <tls@ietfa.amsl.com>; Sat, 18 Oct 2014 05:08:59 -0700 (PDT)
Received: from mout.kundenserver.de (mout.kundenserver.de [212.227.17.10]) (using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0B4F11A6FE4 for <tls@ietf.org>; Sat, 18 Oct 2014 05:08:59 -0700 (PDT)
Received: from mail-yh0-f54.google.com (mail-yh0-f54.google.com [209.85.213.54]) by mrelayeu.kundenserver.de (node=mreue105) with ESMTP (Nemesis) id 0ML7th-1Xfjvl3KW9-000OyZ; Sat, 18 Oct 2014 14:08:57 +0200
Received: by mail-yh0-f54.google.com with SMTP id z6so1064303yhz.13 for <tls@ietf.org>; Sat, 18 Oct 2014 05:08:54 -0700 (PDT)
MIME-Version: 1.0
X-Received: by 10.236.228.161 with SMTP id f31mr20353572yhq.51.1413634134501; Sat, 18 Oct 2014 05:08:54 -0700 (PDT)
Received: by 10.170.194.15 with HTTP; Sat, 18 Oct 2014 05:08:54 -0700 (PDT)
In-Reply-To: <54415A1F.3080707@brainhub.org>
References: <2112FCAD-4820-49D9-9871-6501C83A554D@cisco.com> <5438CFEA.7000401@brainhub.org> <5440CC7F.1020608@brainhub.org> <CADMpkcLdSCLb5LzBjufVF4h7X=HFPTgHq4fN+zdc6zrM+ijXaA@mail.gmail.com> <54415A1F.3080707@brainhub.org>
Date: Sat, 18 Oct 2014 14:08:54 +0200
Message-ID: <CADMpkcKWJ5USybEDMi=RDqR7wwDRUbk-44N+sRp71orZqa8YkQ@mail.gmail.com>
From: Bodo Moeller <bmoeller@acm.org>
To: "tls@ietf.org" <tls@ietf.org>
Content-Type: multipart/alternative; boundary="001a113335266df1c90505b158c3"
X-Provags-ID: V02:K0:yPSMtTzvrbLWFvhu9nDucInzK0SHEB5IwAAQZCxHIDC MA5cQR69RB7r957L1XIu4BCMDSzH9C2hIr27+s9Olj1SqSCJPh Z2aHsC0c6dtX2/1v7seIoZnW3lHZdScdpxKBM6YxVsiYdwi15w Z6F21okrcJx8wBkWhcL8HibYfyTtf0e4zdCFc4wuiUSz04BMzL AYzarFfvjbJUOZE4Y2q95F28czo8l91E/PWhW+JbQxzFY5yPti 6vIXNXS/ZjhaEYJiRGGYRVCzX99yHN43eSL850rSgrHH8wPcNb DtnPQLlJGhEWGBELDlRSB2mdkC4R0LiWdJ717oGYBXpzLKZ/fw recHl7eP1WFiVIahQyOfZstzTXDTaIgoXbDNBrmJrYYM3mHnli yi6lbk1FSMPG9IngeHNFWDXchCuldeLjbjAGi8go2cld2sMg4Y kgCa/
X-UI-Out-Filterresults: notjunk:1;
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/e_9vj3VWfQ86Owe23Yy44fL-vN4
Subject: Re: [TLS] Working Group Last Call for draft-ietf-tls-downgrade-scsv-00
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 18 Oct 2014 12:09:00 -0000

Andrey Jivsov <crypto@brainhub.org>:

The reality of the Internet today is that TLS 1.1 is viewed as acceptable.
> Clients treating TLS 1.1 treating it this way too. The draft *requires* to
> introduce a rejection of TLS 1.1 connection on the server when the server
> detects the downgrade.
>

According to the draft, this server-side rejection is REQUIRED *if the
client sent TLS_FALLBACK_SCSV to request it*. For the client, however, it
is merely RECOMMENDED to send TLS_FALLBACK_SCSV in all fallback retries.

My point is that downgrades from TLS1.0 to SSL3.0 is one thing but from
> TLS1.3 to TLS1.2 is another.


You appear to be saying that, carefully weighing the case, a silent
fallback to TLS 1.2 can be acceptable. I don't disagree: the spec takes
this into account, it's just that it leaves it to the *client* to make this
decision, without further *server*-side heuristics interfering with it,.

(I think this makes sense because it's the client that decides whether to
do fallback retries in the first place. For clients that don't set
TLS_FALLBACK_SCSV at all, for example, any server-side enabled protocol
version can be negotiated anyway -- the server can't avoid using old
versions with such clients other than by disabling them entirely.)

Bodo

v2.23.0 | Report a Bug | By Email