Re: [TLS] Working Group Last Call for draft-ietf-tls-downgrade-scsv-00

Florian Weimer <fweimer@redhat.com> Wed, 15 October 2014 08:17 UTC

Return-Path: <fweimer@redhat.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 94ED11A04BA for <tls@ietfa.amsl.com>; Wed, 15 Oct 2014 01:17:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.912
X-Spam-Level:
X-Spam-Status: No, score=-6.912 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xwCAFLTIPDMy for <tls@ietfa.amsl.com>; Wed, 15 Oct 2014 01:17:11 -0700 (PDT)
Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 432FC1A0470 for <tls@ietf.org>; Wed, 15 Oct 2014 01:17:11 -0700 (PDT)
Received: from int-mx13.intmail.prod.int.phx2.redhat.com (int-mx13.intmail.prod.int.phx2.redhat.com [10.5.11.26]) by mx1.redhat.com (8.14.4/8.14.4) with ESMTP id s9F8H9ni009943 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=FAIL) for <tls@ietf.org>; Wed, 15 Oct 2014 04:17:09 -0400
Received: from oldenburg.str.redhat.com (ovpn-116-46.ams2.redhat.com [10.36.116.46]) by int-mx13.intmail.prod.int.phx2.redhat.com (8.14.4/8.14.4) with ESMTP id s9F8H6Wf019672 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES128-SHA bits=128 verify=NO) for <tls@ietf.org>; Wed, 15 Oct 2014 04:17:08 -0400
Message-ID: <543E2D81.1050700@redhat.com>
Date: Wed, 15 Oct 2014 10:17:05 +0200
From: Florian Weimer <fweimer@redhat.com>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.1.1
MIME-Version: 1.0
To: tls@ietf.org
References: <2112FCAD-4820-49D9-9871-6501C83A554D@cisco.com>
In-Reply-To: <2112FCAD-4820-49D9-9871-6501C83A554D@cisco.com>
Content-Type: text/plain; charset=windows-1252; format=flowed
Content-Transfer-Encoding: 7bit
X-Scanned-By: MIMEDefang 2.68 on 10.5.11.26
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/jISXgrWVuTZaen_aEyAuxhauU_o
Subject: Re: [TLS] Working Group Last Call for draft-ietf-tls-downgrade-scsv-00
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 15 Oct 2014 08:17:12 -0000

On 09/26/2014 06:00 AM, Joseph Salowey (jsalowey) wrote:
> This is an announcement for the working group last call for draft-ietf-tls-downgrade-scsv-00.  Please review the document and send your comments to the list by Friday, October 17, 2014.

I'm strongly against this proposal.  It severely punishes those who have 
correctly implemented the protocol all along by forcing them to upgrade 
their code base, for the benefit of those who fail to interoperate (or 
who want to interoperate with those who fail).

We need to get rid of broken implementation, not cater to them 
indefinitely.  With this mindset of unlimited workarounds, no protocol 
versioning mechanism (including the one proposed here) will ever work 
securely because implementations will be forced by overriding concerns 
to ignore protocol failures, against better judgment.

-- 
Florian Weimer / Red Hat Product Security