Re: [TLS] TLS Charter Revision
Eric Rescorla <ekr@rtfm.com> Fri, 13 December 2013 01:24 UTC
On Thu, Dec 12, 2013 at 11:22 PM, Salz, Rich <rsalz@akamai.com> wrote:

> I agree with Marsh that PFS should be included.

Can you elaborate more on this? TLS already supports PFS, so are you arguing we should maintain that support or that we should strip out all non-PFS cipher suites (see the thread on static RSA...)

> I am concerned about the 'political' emphasis on reducing round trips. One of the arguments I hear against 'https everywhere' is that the extra round trips cause too much latency and impact customers' web experience. If we can work to reduce RTT without sacrificing security, then that's great and I would like to see "while maintaining security features" or some such added.

I have no problem with that. I would have thought it went without saying but I'm more than happy to have us say it.

> I would like to add a bullet that says backward compatibility with previous versions is not a requirement. Given all the downgrade fallback issues that continually arise here, we should strongly consider if the right thing to do is just break the chain.

I think this is actually backwards: it's precisely having some sort of secure backward negotiation that allows for clean deployment. The problem is that people have screwed up those mechanisms. If we just do a clean break there is no chance that secure version detection will work.

-Ekr

> /r$
>
> --
> Principal Security Engineer
> Akamai Technology
> Cambridge, MA
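The contrast Ekr draws above, as an added toy model that is not part of this thread and is not TLS itself: in-band version negotiation whose result is bound into the handshake's Finished MAC (an active downgrade is detected and the connection aborts), beside an out-of-band "fallback on failure" retry loop where nothing authenticates the retries (an attacker who merely drops connections forces the oldest version). The pre-shared key and the two attacker functions are constructed for the demonstration.

```python
import hashlib
import hmac

# Constructed demo key; stands in for the handshake key both sides derive.
PSK = b"constructed-demo-key"


def finished_mac(transcript):
    """HMAC over the negotiated parameters as one side believes them."""
    return hmac.new(PSK, repr(transcript).encode(), hashlib.sha256).hexdigest()


def secure_negotiate(client_max, server_max, attacker=None):
    """One round trip; the offer and the chosen version are MAC'd.
    Returns the version, or None when the handshake aborts."""
    hello = {"client_max": client_max}
    if attacker:
        hello = attacker(hello)          # offer as the server receives it
        if hello is None:
            return None                  # dropped: fail, do NOT retry lower
    chosen = min(hello["client_max"], server_max)
    server_finished = finished_mac((hello, chosen))
    # The client recomputes over the offer it actually sent.
    expected = finished_mac(({"client_max": client_max}, chosen))
    if not hmac.compare_digest(server_finished, expected):
        return None                      # tampered offer detected: abort
    return chosen


def insecure_fallback(client_max, server_max, attacker=None):
    """Retry with a lower version after any failure; nothing binds the
    retries, so a forced failure silently becomes a downgrade."""
    for v in range(client_max, 0, -1):
        hello = {"client_max": v}
        if attacker:
            hello = attacker(hello)
            if hello is None:
                continue                 # looks like a flaky server: retry
        return min(hello["client_max"], server_max)
    return None


def downgrade_attacker(hello):
    """Constructed active attacker that rewrites offers down to version 1."""
    return {"client_max": 1} if hello["client_max"] > 1 else hello


def reset_attacker(hello):
    """Constructed attacker that only drops handshakes offering > 1."""
    return None if hello["client_max"] > 1 else hello
```

Honest peers still interoperate across versions in the secure model (a version-3 client talking to a version-2 server gets 2), which is the "clean deployment" property; only the attacked runs abort.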