IETF Logo Mail Archive

Re: [TLS] Call for acceptance of draft-moeller-tls-downgrade-scsv

Bodo Moeller <bmoeller@acm.org> Mon, 27 January 2014 09:44 UTC

Return-Path: <SRS0=Ipyw=XB=acm.org=bmoeller@srs.kundenserver.de>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E250D1A0188 for <tls@ietfa.amsl.com>; Mon, 27 Jan 2014 01:44:03 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.464
X-Spam-Level:
X-Spam-Status: No, score=-1.464 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FM_FORGED_GMAIL=0.622, HELO_EQ_DE=0.35, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RP_MATCHES_RCVD=-0.535, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id uFX1c4S1G29d for <tls@ietfa.amsl.com>; Mon, 27 Jan 2014 01:44:02 -0800 (PST)
Received: from moutng.kundenserver.de (moutng.kundenserver.de [212.227.17.9]) by ietfa.amsl.com (Postfix) with ESMTP id 0DF0C1A0184 for <tls@ietf.org>; Mon, 27 Jan 2014 01:44:01 -0800 (PST)
Received: from mail-oa0-f46.google.com (mail-oa0-f46.google.com [209.85.219.46]) by mrelayeu.kundenserver.de (node=mrbap3) with ESMTP (Nemesis) id 0MLOoU-1W7AVD2MqY-000ZwF; Mon, 27 Jan 2014 10:43:58 +0100
Received: by mail-oa0-f46.google.com with SMTP id n16so6464064oag.33 for <tls@ietf.org>; Mon, 27 Jan 2014 01:43:50 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=xhEQFeT1ppqUEz875AeYdhH9aWAcOjY0ys3H6hcoZH0=; b=gWl3F0sQr4NQWqXFCwrApge31pqXLSX8sX3gFYRqA5SkSDaHuJbZZvVmTsj3/anRiw wPAu/lUPotDuewVq4RySbzO2Y3aXC3DvreRUyC1q7e4Q8NvDxgU6Yr6ZJrTbRaZil/Y5 A7iNfEdpsn3BuZWgeEpu3tKZZY7sKTBa2+aw6eOw6ddspOYZGcSIqlpRTUb9blgDuaF2 Q4wLHGi7oJ4JZ+Wm5gJGYuylelGhOlg2xgVEUrTjPBKr/D+/tW1t8igPc+2Eqfrbh22K IbUhjk3A+1JHvCARgCX3XqaOaEpOaOkthW1iD8zbeq8uDpuebw3SAlB7s/g7DkX70hKh +48w==
MIME-Version: 1.0
X-Received: by 10.182.161.1 with SMTP id xo1mr2015303obb.19.1390815830263; Mon, 27 Jan 2014 01:43:50 -0800 (PST)
Received: by 10.60.170.239 with HTTP; Mon, 27 Jan 2014 01:43:50 -0800 (PST)
In-Reply-To: <m2ha8tynt8.fsf@localhost.localdomain>
References: <20140124210534.C77871ABCA@ld9781.wdf.sap.corp> <52E2DA85.4010705@fifthhorseman.net> <m2ha8tynt8.fsf@localhost.localdomain>
Date: Mon, 27 Jan 2014 10:43:50 +0100
Message-ID: <CADMpkcKq12YLbcL+z_XLB7G3g=nFsPmJ2Cfq3uv57ndMi-CHQA@mail.gmail.com>
From: Bodo Moeller <bmoeller@acm.org>
To: Geoffrey Keating <geoffk@geoffk.org>
Content-Type: multipart/alternative; boundary="f46d04462e3682cd2204f0f08bb7"
X-Provags-ID: V02:K0:5jhPs8ZsCViCD61i6u3vK1/af1euLHdDHrV6ZlABYmt 6vCrQsKKNiI1va/IyW0Wx2B2vunFwUhj8eu1x0ksZbkJ6yrsUq bMiRsbswj8rhcudtiaA7oEUwasfBK9i+owDHYkfT1VhP2h8yqJ Y5+st8xfYlQ74a2HbZiS5to9EhZeuMrL5qgYLT95eWf930l8ni jpvkiLkhuoIWhpbsn53CIFGmMufGzTBfcdvsA0GvEOjWZqrIxB 140qTMcQ4TFcypANVoB28AFvZ3xJNW7T5TPagoF+BudFpaQNfz tVx4mdRV8WeuHbwlxusMngE8WavXBpZG/jTn5K2YuvR8UVYqjl 4IMxAk8uhXMhwm25sg6t0TH5kEUhPyFNPz1lU/UdhrCsEorhuA uYjeiiajgTD9Q3iMieMGXX45qY9PC3zxQADyU54KdxI+VpyJ/1 nRNrX
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Call for acceptance of draft-moeller-tls-downgrade-scsv
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 27 Jan 2014 09:44:49 -0000

Geoffrey Keating <geoffk@geoffk.org>:

>
> Another way to phrase this is that the client is saying "I think you
> are an old buggy server.  If you think you are not an old buggy
> server, please abort."
>
> The implicit assumption is that there will not be new buggy servers.
> I think that's the greatest weakness of this concept.


New buggy servers that work exactly like the old buggy servers, and thus
require the same workarounds to achieve interoperability, are sort of out
of scope for this measure.   The spec changes essentially nothing about how
you work with these: you send an additional cipher-suite value, but expect
such servers to ignore it.  They really are old servers.

If "new" means servers with an updated implementation including support for
this SCSV, the hope is that once the spec has sufficient client-side
deployment, this can prevent the deployment of (certain) buggy servers,
because they'll fail standard interoperability testing.  If the new buggy
server honors the SCSV, the protocol downgrade workaround that exist to
deal with old buggy servers won't hide the problem as it otherwise might.

Bodo

v2.23.0 | Report a Bug | By Email