Re: [TLS] What would be the point of removing signalling in TLS 1.3? [correction]
Bodo Moeller <bmoeller@acm.org> Sun, 29 November 2009 10:23 UTC
Return-Path: <SRS0=dAnb=HR=acm.org=bmoeller@srs.kundenserver.de>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 83E7A3A6840 for <tls@core3.amsl.com>; Sun, 29 Nov 2009 02:23:33 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.167
X-Spam-Level:
X-Spam-Status: No, score=-102.167 tagged_above=-999 required=5 tests=[AWL=0.082, BAYES_00=-2.599, HELO_EQ_DE=0.35, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Xrb-gEyFzBTj for <tls@core3.amsl.com>; Sun, 29 Nov 2009 02:23:32 -0800 (PST)
Received: from moutng.kundenserver.de (moutng.kundenserver.de [212.227.17.10]) by core3.amsl.com (Postfix) with ESMTP id 609933A677E for <tls@ietf.org>; Sun, 29 Nov 2009 02:23:32 -0800 (PST)
Received: from [10.1.120.118] ([74.125.121.49]) by mrelayeu.kundenserver.de (node=mrbap2) with ESMTP (Nemesis) id 0M7VWZ-1O20433gcJ-00x80w; Sun, 29 Nov 2009 11:23:25 +0100
From: Bodo Moeller <bmoeller@acm.org>
To: David-Sarah Hopwood <david-sarah@jacaranda.org>
In-Reply-To: <4B10A613.9070506@jacaranda.org>
References: <C734A556.6B8A%stefan@aaa-sec.com> <4B0EF1AB.8050506@extendedsubset.com> <6A2B0911-C59D-4A11-94FA-713E46E89488@acm.org> <4B10A184.4050107@jacaranda.org> <4B10A613.9070506@jacaranda.org>
Message-Id: <63315D85-3C09-456D-A7A0-4A77BB603A27@acm.org>
Content-Type: text/plain; charset="US-ASCII"; format="flowed"; delsp="yes"
Content-Transfer-Encoding: 7bit
Mime-Version: 1.0 (Apple Message framework v936)
Date: Sun, 29 Nov 2009 11:23:23 +0100
X-Mailer: Apple Mail (2.936)
X-Provags-ID: V01U2FsdGVkX1+jvN7iebDJFuj6Zu1wZquekV6GzxQE8ZDDMTJ XMkYftrzsqCUY60Z+4IvqObJDA5FuL0mA3Z40QGi+Npaz0MH3O +7g3hBB0QazrP3fAWzyGA==
Cc: tls@ietf.org
Subject: Re: [TLS] What would be the point of removing signalling in TLS 1.3? [correction]
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 29 Nov 2009 10:23:33 -0000
On Nov 28, 2009, at 5:24 AM, David-Sarah Hopwood wrote: > David-Sarah Hopwood wrote: >> Bodo Moeller wrote: >>> On Nov 26, 2009, at 10:22 PM, Marsh Ray wrote: >>>> Stefan Santesson wrote: >>>>> If you fix the Finished message calculation, making it immune to >>>>> the >>>>> renegotiation attack, and making it the standard Finished >>>>> calculation >>>>> for >>>>> 1.3.... Then why would you need to signal that you are using the >>>>> standard >>>>> Finished calculation? >>>> So that clients and servers can be upgraded over a period of time >>>> without causing interoperability problems. >>> There are more than two ways how to treat signaling (how to signal >>> that >>> a new Finished computation should be used) with respect to future >>> protocol versions, i.e., TLS 1.3 and later: >> >> [numbering added] >>> 1. The specifications could mandate keeping the explicit signal >>> even with >>> TLS 1.3+. >>> >>> 2. The specifications could require an explicit signal only for >>> those TLS >>> 1.3+ implementations that do offer backwards compatibility with >>> earlier >>> protocol versions (i.e., if the *negotiated* protocol version is >>> TLS 1.3 >>> or later, that would imply that the new Finished computation >>> should be >>> used). >>> >>> 3. The specifications could require an explicit signal only for >>> implementations that don't announce TLS 1.3+ (i.e., if the >>> *requested* >>> protocol version is TLS 1.3+, that would imply that the new Finished >>> computation should be used). >>> >>> Stefan's proposal in the original message, it seems, was the third >>> variant. David's comment suggested that because of the complexity >>> that >>> comes with that variant, we should stick to the first one (and >>> always >>> keep signaling). >>> >>> That's not implied, though. The second variant makes a lot of >>> sense to >>> me -- it's just not something that the current specification would >>> or >>> should have to say a final word on: that's best left to the TLS 1.3 >>> specification. >> >> No, we have to decide now. For approach 2 to work, *every* patched >> implementation must know that requesting TLS 1.3+ implies that a >> client is patched. For approach 3 to work, *every* patched >> implementation >> must know that negotiating TLS 1.3+ implies that a server is patched. > > Correction: > For approach 3 to work, *every* patched implementation must know that > requesting TLS 1.3+ implies that a client is patched. > >> If we leave it until TLS 1.3 is specified, then there will exist >> implementations that don't know these things. Therefore, TLS 1.3+ >> clients >> will have to send the c->s signal anyway, in case the server is one >> of >> those that doesn't know that a TLS 1.3+ request implies that it is >> OK to >> send the s->c signal. Similarly, TLS 1.3+ servers will have to send >> the s->c signal anyway, in case the client is one of those that >> doesn't >> know that negotiating TLS 1.3+ implies being patched. > > The second part of this is wrong: TLS 1.3+ can be negotiated only > if the client supports it, therefore it can be assumed that the client > knows that negotiating TLS 1.3+ implies being patched. > > However, the first part was correct. So, "not deciding" is effectively > equivalent to deciding against approach 3 (and also against a > combination > of 2 and 3), while still leaving the choice between 1 and 2 open. Yes. That's exactly what I meant: The arguments against approach 3 don't imply that we should be using approach 1 -- but only the TLS 1.3 specification will really have to decide between approach 1 and approach 2. Bodo
- Re: [TLS] Verify data in the RI extension? Stefan Santesson
- [TLS] Avoiding first use of RI in ClientHello Eric Rescorla
- Re: [TLS] Avoiding first use of RI in ClientHello Stefan Santesson
- Re: [TLS] Avoiding first use of RI in ClientHello Dr Stephen Henson
- Re: [TLS] Avoiding first use of RI in ClientHello Robert Relyea
- Re: [TLS] Avoiding first use of RI in ClientHello Eric Rescorla
- Re: [TLS] Avoiding first use of RI in ClientHello Yngve N. Pettersen (Developer Opera Software ASA)
- Re: [TLS] Avoiding first use of RI in ClientHello peter.robinson
- Re: [TLS] Avoiding first use of RI in ClientHello Min Huang
- Re: [TLS] Verify data in the RI extension? Yoav Nir
- Re: [TLS] Avoiding first use of RI in ClientHello Pasi.Eronen
- Re: [TLS] Avoiding first use of RI in ClientHello Pasi.Eronen
- [TLS] Verify data in the RI extension? Stefan Santesson
- Re: [TLS] Verify data in the RI extension? Stefan Santesson
- Re: [TLS] Avoiding first use of RI in ClientHello Eric Rescorla
- [TLS] Perhaps there's another way. Was: Verify da… Marsh Ray
- Re: [TLS] Perhaps there's another way. Was: Verif… Dr Stephen Henson
- Re: [TLS] Avoiding first use of RI in ClientHello Stefan Santesson
- [TLS] What would be the point of removing signall… David-Sarah Hopwood
- Re: [TLS] Perhaps there's another way. Was: Verif… Marsh Ray
- Re: [TLS] Perhaps there's another way. Was: Verif… Dr Stephen Henson
- Re: [TLS] What would be the point of removing sig… Stefan Santesson
- Re: [TLS] What would be the point of removing sig… Marsh Ray
- Re: [TLS] What would be the point of removing sig… Bodo Moeller
- Re: [TLS] Perhaps there's another way. Was: Verif… Nelson B Bolyard
- Re: [TLS] What would be the point of removing sig… Nelson B Bolyard
- Re: [TLS] What would be the point of removing sig… Stefan Santesson
- Re: [TLS] Verify data in the RI extension? Pasi.Eronen
- Re: [TLS] Verify data in the RI extension? Simon Josefsson
- Re: [TLS] Verify data in the RI extension? Stefan Santesson
- Re: [TLS] Verify data in the RI extension? Pasi.Eronen
- Re: [TLS] Verify data in the RI extension? Pasi.Eronen
- Re: [TLS] Verify data in the RI extension? Martin Rex
- Re: [TLS] Verify data in the RI extension? Nikos Mavrogiannopoulos
- Re: [TLS] Verify data in the RI extension? Stefan Santesson
- Re: [TLS] Verify data in the RI extension? Eric Rescorla
- Re: [TLS] Verify data in the RI extension? Stefan Santesson
- Re: [TLS] Verify data in the RI extension? Eric Rescorla
- Re: [TLS] Verify data in the RI extension? Martin Rex
- Re: [TLS] Verify data in the RI extension? Eric Rescorla
- Re: [TLS] Verify data in the RI extension? Martin Rex
- Re: [TLS] Verify data in the RI extension? Martin Rex
- Re: [TLS] Verify data in the RI extension? Martin Rex
- Re: [TLS] Verify data in the RI extension? Stefan Santesson
- Re: [TLS] Verify data in the RI extension? Eric Rescorla
- Re: [TLS] Verify data in the RI extension? Eric Rescorla
- Re: [TLS] Verify data in the RI extension? Martin Rex
- Re: [TLS] Verify data in the RI extension? Eric Rescorla
- Re: [TLS] Verify data in the RI extension? Martin Rex
- Re: [TLS] Verify data in the RI extension? Martin Rex
- Re: [TLS] Verify data in the RI extension? Pasi.Eronen
- Re: [TLS] Verify data in the RI extension? Martin Rex
- Re: [TLS] Verify data in the RI extension? Eric Rescorla
- Re: [TLS] Verify data in the RI extension? Martin Rex
- Re: [TLS] Verify data in the RI extension? Pasi.Eronen
- Re: [TLS] Avoiding first use of RI in ClientHello Bodo Moeller
- Re: [TLS] Verify data in the RI extension? Bodo Moeller
- Re: [TLS] Verify data in the RI extension? Michael D'Errico
- Re: [TLS] What would be the point of removing sig… David-Sarah Hopwood
- Re: [TLS] What would be the point of removing sig… David-Sarah Hopwood
- Re: [TLS] What would be the point of removing sig… David-Sarah Hopwood
- Re: [TLS] Verify data in the RI extension? David-Sarah Hopwood
- Re: [TLS] Verify data in the RI extension? Michael D'Errico
- Re: [TLS] Verify data in the RI extension? David-Sarah Hopwood
- Re: [TLS] Verify data in the RI extension? Michael D'Errico
- Re: [TLS] Verify data in the RI extension? David-Sarah Hopwood
- Re: [TLS] Verify data in the RI extension? Bodo Moeller
- Re: [TLS] What would be the point of removing sig… Bodo Moeller
- Re: [TLS] Verify data in the RI extension? Michael D'Errico
- Re: [TLS] Verify data in the RI extension? Michael D'Errico
- Re: [TLS] Verify data in the RI extension? David-Sarah Hopwood
- Re: [TLS] Verify data in the RI extension? Marsh Ray
- Re: [TLS] Verify data in the RI extension? Stefan Santesson
- Re: [TLS] Verify data in the RI extension? Yoav Nir