Re: [TLS] SCSV vs RI when both specified - consensus?

Michael D'Errico <mike-list@pobox.com> Mon, 21 December 2009 20:56 UTC

Return-Path: <mike-list@pobox.com>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id A5AD33A6881 for <tls@core3.amsl.com>; Mon, 21 Dec 2009 12:56:21 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.55
X-Spam-Level:
X-Spam-Status: No, score=-2.55 tagged_above=-999 required=5 tests=[AWL=0.049, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id J2BYfqS8mTlO for <tls@core3.amsl.com>; Mon, 21 Dec 2009 12:56:20 -0800 (PST)
Received: from sasl.smtp.pobox.com (a-pb-sasl-quonix.pobox.com [208.72.237.25]) by core3.amsl.com (Postfix) with ESMTP id A8C683A67EA for <tls@ietf.org>; Mon, 21 Dec 2009 12:56:19 -0800 (PST)
Received: from sasl.smtp.pobox.com (unknown [127.0.0.1]) by a-pb-sasl-quonix.pobox.com (Postfix) with ESMTP id 510C58AC22 for <tls@ietf.org>; Mon, 21 Dec 2009 15:56:03 -0500 (EST)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=pobox.com; h=message-id :date:from:mime-version:to:subject:references:in-reply-to :content-type:content-transfer-encoding; s=sasl; bh=0rGw1Vy97z/G 8EOt1I9XD63wFGQ=; b=CkFzqaH7/1oASZ2RHqwKUomo++ozwZEX48+NNH42N+T/ gwjE85oyQ+0lmsraA4hQcsAa/NcMIxK4godOwrLXwzTUSGE2l3p76fKEoCCoHUPw IIRcKulEZ1IeGs7Mj83+zC629qQ37mTfP0OMungIByseykpzlDp3ciw342dk8wk=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=pobox.com; h=message-id:date :from:mime-version:to:subject:references:in-reply-to :content-type:content-transfer-encoding; q=dns; s=sasl; b=oYtadS CjJyoj1gc/mqIbbNFo4r2b/oXJmMQQSkip0qfM3ZSdQVPDNMStl0C+rWXQtdPEBa 7/0ARCTbjBz1nGjSqx0GRGFpArQg5Xp6fvGOo6UFIA4DVKCsUnZv5yUphGFPec5n UyjDYza6U+ksH4+khaTR6KcH8Mo9fF7MSa100=
Received: from a-pb-sasl-quonix. (unknown [127.0.0.1]) by a-pb-sasl-quonix.pobox.com (Postfix) with ESMTP id 4DDBA8AC21 for <tls@ietf.org>; Mon, 21 Dec 2009 15:56:03 -0500 (EST)
Received: from administrators-macbook-pro.local (unknown [24.234.114.35]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by a-pb-sasl-quonix.pobox.com (Postfix) with ESMTPSA id C5EF28AC20 for <tls@ietf.org>; Mon, 21 Dec 2009 15:56:02 -0500 (EST)
Message-ID: <4B2FE15B.1050704@pobox.com>
Date: Mon, 21 Dec 2009 12:58:03 -0800
From: Michael D'Errico <mike-list@pobox.com>
User-Agent: Thunderbird 2.0.0.23 (Macintosh/20090812)
MIME-Version: 1.0
To: tls@ietf.org
References: <90E934FC4BBC1946B3C27E673B4DB0E4A7EE854018@LLE2K7-BE01.mitll.ad.local> <808FD6E27AD4884E94820BC333B2DB7758409B30F1@NOK-EUMSG-01.mgdnok.nokia.com> <4B2FAAFB.5090908@pobox.com> <4B2FB265.5040203@drh-consultancy.demon.co.uk> <4B2FB68C.1000400@pobox.com> <4B2FB80E.8080300@extendedsubset.com>
In-Reply-To: <4B2FB80E.8080300@extendedsubset.com>
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit
X-Pobox-Relay-ID: 402A93CE-EE73-11DE-BC15-DC0DEE7EF46B-38729857!a-pb-sasl-quonix.pobox.com
Subject: Re: [TLS] SCSV vs RI when both specified - consensus?
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 21 Dec 2009 20:56:21 -0000

Marsh Ray wrote:
> 
> Is everybody OK with this wording? (it's the more lenient choice):
> 
>> Clients MUST NOT put multiple occurrences of an RI extension in the
>> same Client Hello message. A client MAY specify the SCSV in the same
>> Client Hello message as an RI extension (the SCSV will be effectively
>> ignored).
>>
>> A server receiving a Client Hello containing multiple RI extensions
>> MUST generate a fatal "decode_error" alert and terminate the
>> connection. A server receiving a Client Hello containing the SCSV
>> and an RI extension is to interpret the RI as usual and ignore the
>> SCSV.

As Nasko pointed out, we don't need to talk about multiple RI extensions.
So this could collapse into something like:

   Clients MAY send SCSV in all ClientHellos, even when also sending
   an RI extension (either empty or containing data).  Servers MUST
   ignore SCSV when the client has also sent RI.

> We'll have to fix the conflict with the current:
>> This SCSV is not a true cipher suite and cannot be negotiated. It
>> merely has exactly the same semantics as an empty "renegotiation_info"
>> extension.
> 
> to something like:
>> This SCSV is not a true cipher suite and cannot be negotiated, it
>> has similar semantics as an empty "renegotiation_info" extension.

Perhaps:

   This SCSV is not a true cipher suite and cannot be negotiated; a
   server that encounters SCSV but not RI MUST proceed exactly as if
   an empty RI extension had been received.

Mike