IETF Logo Mail Archive

Re: [TLS] draft-ietf-tls-renegotation: next

Martin Rex <mrex@sap.com> Thu, 17 December 2009 23:08 UTC

Return-Path: <mrex@sap.com>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 299193A69EA for <tls@core3.amsl.com>; Thu, 17 Dec 2009 15:08:19 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.847
X-Spam-Level:
X-Spam-Status: No, score=-5.847 tagged_above=-999 required=5 tests=[AWL=-0.298, BAYES_00=-2.599, HELO_EQ_DE=0.35, RCVD_IN_DNSWL_MED=-4, SARE_BIZOP=0.7]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Y-8QNPgvutfw for <tls@core3.amsl.com>; Thu, 17 Dec 2009 15:08:18 -0800 (PST)
Received: from smtpde01.sap-ag.de (smtpde01.sap-ag.de [155.56.68.171]) by core3.amsl.com (Postfix) with ESMTP id 16F203A6976 for <tls@ietf.org>; Thu, 17 Dec 2009 15:08:17 -0800 (PST)
Received: from mail.sap.corp by smtpde01.sap-ag.de (26) with ESMTP id nBHN80q5021163 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Fri, 18 Dec 2009 00:08:00 +0100 (MET)
From: Martin Rex <mrex@sap.com>
Message-Id: <200912172307.nBHN7xPC023485@fs4113.wdf.sap.corp>
To: marsh@extendedsubset.com
Date: Fri, 18 Dec 2009 00:07:58 +0100
In-Reply-To: <4B2AA4AE.5070306@extendedsubset.com> from "Marsh Ray" at Dec 17, 9 03:37:50 pm
MIME-Version: 1.0
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 8bit
X-Scanner: Virus Scanner virwal05
X-SAP: out
Cc: tls@ietf.org
Subject: Re: [TLS] draft-ietf-tls-renegotation: next
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
Reply-To: mrex@sap.com
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 17 Dec 2009 23:08:19 -0000

Marsh Ray wrote:
> 
> > The only reason why secure TLS renegotiation can be considered
> > an update to the existing installed base at all (and not a different
> > non-interoperable protocol), is that renegotiation has never been
> > a core element of SSLv3/TLS and is optional-to-implement.

There seems to be an illusion that this secure TLS renegotiation
update can be forced upon vendors or implementors.

No, it can not.

There is an incentive called "competitive advantage", but it does
not apply to commodity items in the consumer market that are 2+ years old.

If you can force anything from those vendors, then it is a switch
to disable old renegotiation, in case that is (unintentially) available.
That's it.


If you really want to do the community a favor, then this update
should be so "small&easy" for those vendors that they can actually
put it into installed base, even when that is 2+ years old.

If the IETF's "solution" is that you can only implement the
whole schmear or nothing, then this is not going to happen to
the installed base -- and it is not the fault of those vendors,
they can point to the IETF, because of a new spec that may cause
their customers interop problems in the future.


Some vendors will appreciate this as a "business opportunity",
but I think this is a big waste of money.


-Martin

v2.23.0 | Report a Bug | By Email