[TLS] To extend or not to extend
"Joseph Salowey (jsalowey)" <jsalowey@cisco.com> Sun, 15 November 2009 11:12 UTC
Return-Path: <jsalowey@cisco.com>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 6E9833A6936 for <tls@core3.amsl.com>; Sun, 15 Nov 2009 03:12:32 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.662
X-Spam-Level:
X-Spam-Status: No, score=-6.662 tagged_above=-999 required=5 tests=[AWL=-0.062, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VCzBf3KW3sqL for <tls@core3.amsl.com>; Sun, 15 Nov 2009 03:12:31 -0800 (PST)
Received: from sj-iport-6.cisco.com (sj-iport-6.cisco.com [171.71.176.117]) by core3.amsl.com (Postfix) with ESMTP id 734803A68D4 for <tls@ietf.org>; Sun, 15 Nov 2009 03:12:31 -0800 (PST)
Authentication-Results: sj-iport-6.cisco.com; dkim=neutral (message not signed) header.i=none
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: ApoEAJdw/0qrR7H+/2dsb2JhbAC7DZZnhDwE
X-IronPort-AV: E=Sophos;i="4.44,746,1249257600"; d="scan'208";a="433052333"
Received: from sj-core-2.cisco.com ([171.71.177.254]) by sj-iport-6.cisco.com with ESMTP; 15 Nov 2009 11:13:03 +0000
Received: from xbh-sjc-211.amer.cisco.com (xbh-sjc-211.cisco.com [171.70.151.144]) by sj-core-2.cisco.com (8.13.8/8.14.3) with ESMTP id nAFBD31Z018768 for <tls@ietf.org>; Sun, 15 Nov 2009 11:13:03 GMT
Received: from xmb-sjc-225.amer.cisco.com ([128.107.191.38]) by xbh-sjc-211.amer.cisco.com with Microsoft SMTPSVC(6.0.3790.3959); Sun, 15 Nov 2009 03:13:03 -0800
X-MimeOLE: Produced By Microsoft Exchange V6.5
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Date: Sun, 15 Nov 2009 03:13:01 -0800
Message-ID: <AC1CFD94F59A264488DC2BEC3E890DE5091A760A@xmb-sjc-225.amer.cisco.com>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: To extend or not to extend
Thread-Index: Acpl5Jg5KreSuv6HTUy/BpWTbGDRZA==
From: "Joseph Salowey (jsalowey)" <jsalowey@cisco.com>
To: tls@ietf.org
X-OriginalArrivalTime: 15 Nov 2009 11:13:03.0216 (UTC) FILETIME=[99497F00:01CA65E4]
Subject: [TLS] To extend or not to extend
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 15 Nov 2009 11:12:32 -0000
We need to close on this issue. To summarize the RI proposal (the draft submitted last week) has the following properties in various situations A. The RI proposal works fine if both client and server are patched. B. The RI proposal works fine if the client is not patched and the server is (the server ends up disabling re-negotiation). C. The RI proposal works fine if the client is patched and the server is not, if the server is implemented correctly. D. The RI proposal works fine if the client is patched and the server does not implement the SSL 3.0 and the TLS 1.x specs correctly (barf if they see an extension) and the client desires to implement an secure policy and disallows connections to non patched servers E. The RI proposal has an issue if the client is patched and the server does not implement the SSL 3.0 and the TLS 1.x specs correctly and the client as a lenient policy which allows connection to insecure servers. In this case the client would have to implement some fallback logic (reconnect without extensions) to deal with broken servers. This logic is well-known, but it leaves a roll-back attack open. This can be plugged by using the proposed ciphersuite signal only in the case where extensions cause a handshake or connection failure. The fallback cipher-suite signaling for RI to prevent rollback extends TLS in an unexpected way, but this is limited only to the case where we have to deal with broken implementations. Situation E is one that we expect to get less common because we want all implementations to get patched and clients may start requiring the fix because this is the only way they can protect themselves. The ciphersuite-changes-handshake proposal has similar properties except we expect that there are few broken servers that will barf on an unknown ciphersuite (Situation E). This proposal extends TLS in a non-standard place by having the presence of a specific ciphersuite act as a side channel to change the behavior of the TLS handshake for all current versions of TLS. I don't think this is something that we would want to promote in the future, the code to handle this would be "one-off" code. >From a functional point of view I don't see any difference between A) RI extension with option ciphersuite signal in the case of fallback for broken servers and B) ciphersuite-changes-handshake proposal. In TLS we have two standard ways of extending the functionality defined. One is extensions and one is the version number. Changing the version number is not really helpful at this point because it would require all systems to update to TLS 1.3 and its not clear that any of the situations above would change. Extensions are the way to extend the spec. Extensions are now part of the base specification and we want implementations to process extensions correctly even if they only support the RI fix. I think it comes down to whether we want to extend TLS in a standard way for compliant implementations with a non-standard fallback behavior for handling non-compliant implementations or extend TLS in a non-standard way for all implementations. The standard vs. non-standard is somewhat nonsensical because we can make something standard with IETF consensus, however this will have implications on implementations and future extensions moving forward. IMO, given that the two approaches are functionally equivalent I would prefer to extend things in the standard way.
- [TLS] To extend or not to extend Joseph Salowey (jsalowey)
- Re: [TLS] To extend or not to extend Eric Rescorla
- Re: [TLS] To extend or not to extend Bodo Moeller
- Re: [TLS] To extend or not to extend Martin Rex
- Re: [TLS] To extend or not to extend Nicolas Williams
- Re: [TLS] To extend or not to extend Nelson B Bolyard
- Re: [TLS] To extend or not to extend Nelson B Bolyard
- Re: [TLS] To extend or not to extend Bodo Moeller
- Re: [TLS] To extend or not to extend Nelson B Bolyard
- Re: [TLS] To extend or not to extend Bodo Moeller
- Re: [TLS] To extend or not to extend Joseph Salowey (jsalowey)
- Re: [TLS] To extend or not to extend Eric Rescorla