IETF Logo Mail Archive

Re: [TLS] Working Group Last Call for draft-ietf-tls-downgrade-scsv-00

Florian Weimer <fweimer@redhat.com> Wed, 15 October 2014 15:24 UTC

Return-Path: <fweimer@redhat.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 43CD81A876C for <tls@ietfa.amsl.com>; Wed, 15 Oct 2014 08:24:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.912
X-Spam-Level:
X-Spam-Status: No, score=-6.912 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7-OlP-olE0wg for <tls@ietfa.amsl.com>; Wed, 15 Oct 2014 08:24:12 -0700 (PDT)
Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0FD3F1A8766 for <tls@ietf.org>; Wed, 15 Oct 2014 08:24:12 -0700 (PDT)
Received: from int-mx14.intmail.prod.int.phx2.redhat.com (int-mx14.intmail.prod.int.phx2.redhat.com [10.5.11.27]) by mx1.redhat.com (8.14.4/8.14.4) with ESMTP id s9FFOBEM021623 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=FAIL) for <tls@ietf.org>; Wed, 15 Oct 2014 11:24:11 -0400
Received: from oldenburg.str.redhat.com (ovpn-116-46.ams2.redhat.com [10.36.116.46]) by int-mx14.intmail.prod.int.phx2.redhat.com (8.14.4/8.14.4) with ESMTP id s9FFO8Fc025681 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES128-SHA bits=128 verify=NO) for <tls@ietf.org>; Wed, 15 Oct 2014 11:24:10 -0400
Message-ID: <543E9197.9080906@redhat.com>
Date: Wed, 15 Oct 2014 17:24:07 +0200
From: Florian Weimer <fweimer@redhat.com>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.1.1
MIME-Version: 1.0
To: tls@ietf.org
References: <2112FCAD-4820-49D9-9871-6501C83A554D@cisco.com> <e2ae0847d4ef49c48fe972adead9bbcc@BL2PR03MB419.namprd03.prod.outlook.com> <CAMfhd9UQ1wHFMJpLcxX6o3YDcLn_Az_vy7PfB9QUwyjHrrPaJQ@mail.gmail.com> <ceda19c3fdee4b488cff118d34f44afe@BL2PR03MB419.namprd03.prod.outlook.com> <CAMfhd9XuPBQ1ohNO1Yj1TTQdMCnDg-uUrtvwWA=q74D2gSOPVA@mail.gmail.com>
In-Reply-To: <CAMfhd9XuPBQ1ohNO1Yj1TTQdMCnDg-uUrtvwWA=q74D2gSOPVA@mail.gmail.com>
Content-Type: text/plain; charset="windows-1252"; format="flowed"
Content-Transfer-Encoding: 7bit
X-Scanned-By: MIMEDefang 2.68 on 10.5.11.27
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/huGVO3coHFwUIfp5UWSd7Xl5vb4
Subject: Re: [TLS] Working Group Last Call for draft-ietf-tls-downgrade-scsv-00
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 15 Oct 2014 15:24:13 -0000

On 09/26/2014 08:37 PM, Adam Langley wrote:
> If an administrator is worried that version x is too weak, then all
> versions <= x need to be disabled too I believe? I can't think of a
> security concern that is not monotonic with respect to TLS versions.

An administrator may want to support local security services and run 
specific protocol versions and ciphers for which the security services 
have interception capabilities, to cut down the legal paperwork. :-)

-- 
Florian Weimer / Red Hat Product Security

v2.45.0 | Report a Bug | By Email | System Status