IETF Logo Mail Archive

Re: [TLS] Verify data in the RI extension?

<Pasi.Eronen@nokia.com> Fri, 27 November 2009 17:31 UTC

Return-Path: <Pasi.Eronen@nokia.com>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 5BDF93A6978 for <tls@core3.amsl.com>; Fri, 27 Nov 2009 09:31:16 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.506
X-Spam-Level:
X-Spam-Status: No, score=-6.506 tagged_above=-999 required=5 tests=[AWL=0.093, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Ilf1j1i3t5+j for <tls@core3.amsl.com>; Fri, 27 Nov 2009 09:31:15 -0800 (PST)
Received: from mgw-mx03.nokia.com (smtp.nokia.com [192.100.122.230]) by core3.amsl.com (Postfix) with ESMTP id 2513F3A67D1 for <tls@ietf.org>; Fri, 27 Nov 2009 09:31:14 -0800 (PST)
Received: from esebh106.NOE.Nokia.com (esebh106.ntc.nokia.com [172.21.138.213]) by mgw-mx03.nokia.com (Switch-3.3.3/Switch-3.3.3) with ESMTP id nARHV549022503; Fri, 27 Nov 2009 19:31:05 +0200
Received: from vaebh102.NOE.Nokia.com ([10.160.244.23]) by esebh106.NOE.Nokia.com with Microsoft SMTPSVC(6.0.3790.3959); Fri, 27 Nov 2009 19:31:02 +0200
Received: from smtp.mgd.nokia.com ([65.54.30.5]) by vaebh102.NOE.Nokia.com over TLS secured channel with Microsoft SMTPSVC(6.0.3790.3959); Fri, 27 Nov 2009 19:30:57 +0200
Received: from NOK-EUMSG-01.mgdnok.nokia.com ([65.54.30.106]) by nok-am1mhub-01.mgdnok.nokia.com ([65.54.30.5]) with mapi; Fri, 27 Nov 2009 18:30:45 +0100
From: Pasi.Eronen@nokia.com
To: mrex@sap.com
Date: Fri, 27 Nov 2009 18:30:43 +0100
Thread-Topic: [TLS] Verify data in the RI extension?
Thread-Index: Acpvbi1Bd+KS95omSUGhHzQ5I95GUQAGAQHA
Message-ID: <808FD6E27AD4884E94820BC333B2DB774F3118C344@NOK-EUMSG-01.mgdnok.nokia.com>
References: <808FD6E27AD4884E94820BC333B2DB774F3113EEDC@NOK-EUMSG-01.mgdnok.nokia.com> from "Pasi.Eronen@nokia.com" at Nov 27, 9 03:09:58 pm <200911271425.nAREP95E028727@fs4113.wdf.sap.corp>
In-Reply-To: <200911271425.nAREP95E028727@fs4113.wdf.sap.corp>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginalArrivalTime: 27 Nov 2009 17:30:57.0900 (UTC) FILETIME=[6168B2C0:01CA6F87]
X-Nokia-AV: Clean
Cc: tls@ietf.org
Subject: Re: [TLS] Verify data in the RI extension?
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 27 Nov 2009 17:31:16 -0000

Martin Rex wrote:

> > For simplicity, the current draft is already very simple, and IMHO
> > it's not clear that continuing to tweak it has a positive return
> > on investment, considering it delays the publication.
> 
> Not really.
> 
> I ask this before: what should the original designers of the SSLv3
> renegotiation have done from the beginning to make it secure.
> Invent TLS extensions and then a TLS extension RI is definitely
> _not_ the answer.  They would have fixed the handshake message hash
> from the beginning.

I think "what would the SSLv3 designers have done" (almost 15 years
ago) and "what should we today" are two completely different
questions, which may have completely different answers.

> The "dirty ugly" signaling is a patch for a "dirty ugly" security
> problem in "dirty old" implementations of a "dirty old" protocol.
> We need it to distinguish old from updated implementations and for
> supporting interop with old -- otherwise we could just change both
> handshake algorithms (like including different finished labels) and
> make the fix entirely without on-the-wire changes, no signaling, but
> also no interop with the installed base.
> 
> > About future versions of TLS, IMHO it's quite difficult to predict
> > which would be most compatible. What if, e.g., the next version of
> > TLS decides that sending certificates in the clear wasn't that
> > great idea, and nowadays we can afford to do Diffie-Hellman before
> > doing any authentication? This could completely change all the
> > handshake messages after ClientHello, and the current
> > functionality of "Finished" could be done in quite different way..
> 
> If it does not retain (Extended)ServerHello, then it will actually
> kill a lot of the existing SSL/TLS protocol features -- and reliably
> kill TLS extension RI with it.
> 
> The handshake message hash is one of the basic concepts of the
> SSL/TLS protocol.  If that is changed, then you basically have
> none of the original protocol left.
> 
> Therefore directly feeding into the handshake message hash is
> the more conservative and forward compatible approach.

We haven't had *any* discussions in the WG about what the next version
of TLS could or should or might change, so I don't think we can have
even any "informed guesses" about it.

So while your proposal may be conservative, IMHO claiming it's
"forward compatible" cannot be based on anything except totally
wild guesses... (and other people making totally wild guesses
about the topic might reasonably guess very differently)

Best regards,
Pasi
(not wearing any hats)

v2.23.0 | Report a Bug | By Email