IETF Logo Mail Archive

Re: [TLS] Next steps for draft-ietf-tls-renegotiation

Eric Rescorla <ekr@networkresonance.com> Mon, 30 November 2009 21:05 UTC

Return-Path: <ekr@networkresonance.com>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 0DAF03A689A for <tls@core3.amsl.com>; Mon, 30 Nov 2009 13:05:00 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.061
X-Spam-Level:
X-Spam-Status: No, score=0.061 tagged_above=-999 required=5 tests=[AWL=0.043, BAYES_00=-2.599, FH_HOST_EQ_D_D_D_D=0.765, FH_HOST_EQ_D_D_D_DB=0.888, HELO_MISMATCH_COM=0.553, HOST_MISMATCH_NET=0.311, RDNS_DYNAMIC=0.1]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id PcYN0n35UbFz for <tls@core3.amsl.com>; Mon, 30 Nov 2009 13:04:59 -0800 (PST)
Received: from kilo.networkresonance.com (74-95-2-169-SFBA.hfc.comcastbusiness.net [74.95.2.169]) by core3.amsl.com (Postfix) with ESMTP id 379133A6894 for <tls@ietf.org>; Mon, 30 Nov 2009 13:04:59 -0800 (PST)
Received: from kilo.local (localhost [127.0.0.1]) by kilo.networkresonance.com (Postfix) with ESMTP id D8EA76C3EE1; Mon, 30 Nov 2009 13:05:55 -0800 (PST)
Date: Mon, 30 Nov 2009 13:05:54 -0800
From: Eric Rescorla <ekr@networkresonance.com>
To: Nicolas Williams <Nicolas.Williams@sun.com>
In-Reply-To: <20091130170745.GH773@Sun.COM>
References: <808FD6E27AD4884E94820BC333B2DB774F3118C3CA@NOK-EUMSG-01.mgdnok.nokia.com> <20091130170745.GH773@Sun.COM>
User-Agent: Wanderlust/2.15.5 (Almost Unreal) Emacs/22.3 Mule/5.0 (SAKAKI)
MIME-Version: 1.0 (generated by SEMI 1.14.6 - "Maruoka")
Content-Type: text/plain; charset="US-ASCII"
Message-Id: <20091130210555.D8EA76C3EE1@kilo.networkresonance.com>
Cc: tls@ietf.org
Subject: Re: [TLS] Next steps for draft-ietf-tls-renegotiation
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 30 Nov 2009 21:05:00 -0000

At Mon, 30 Nov 2009 11:07:45 -0600,
Nicolas Williams wrote:
> 
> On Fri, Nov 27, 2009 at 11:26:34PM +0100, Pasi.Eronen@nokia.com wrote:
> > <wearing Area Director hat>
> > 
> > I have asked the secretariat to start IETF Last Call for
> > draft-rescorla-tls-renegotiation-01.
> > 
> > I've gone through the list archives for the past month, and it seems a
> > large majority of the WG members support the overall approach in this
> > draft (with a small, but very vocal, minority preferring a totally
> > extension-less approach to signalling).
> 
> I don't think that's a fair nor complete characterization of the current
> differences of opinion.  A more complete and correct characterization
> might be:
> 
>  - The RI proposal has a fail-unsafe requirement that peers check the
>    contents of the extensions sent.
> 
>    NOTE: A fix for this wouldn't require an extension-less signalling
>          solution.
> 
>    [IMO: This is serious objection that goes beyond protocol design
>          aesthetics or ease of retrofitting for SSLv3.  I think we can
> 	 live without a fix for this problem, but I'd much rather have a
> 	 fail-safe solution.]

I don't really agree that this is a serious objection. As I said
earlier, the security of TLS requires that the peer behave correctly
in a variety of unobservable ways. If it doesn't, we have far
more serious security problems than this (in particular, in order
for the failure you're concerned about to occur, this failure
requires *both* sides to be incorrectly implemented, whereas there
are plenty of issues that can be created by merely one side being
incorrect).

Moreover, there *are* implementation errors where the various proposed
alternative signalling mechanisms can go wrong as well, as our discussion
over the past few days indicates. So I can't even agree with the
characterization of this issue as "fail-safe" versus "fail-unsafe".
Rather, each solution is subject to different kinds of implementation
screwups. I don't find the argument that the screwups you can
make with RI are somehow easier to be particularly convincing.

Moreover, if you're really concerned about TLS being safe in the face
of implementation errors, you should worry about designing mechanisms
that are safe in the face of PRNG failure, seeing as we've seen at
least two such errors in live TLS stacks.

-Ekr

v2.23.0 | Report a Bug | By Email