Re: [TLS] PR for anti-downgrade mechanism
Dave Garrett <davemgarrett@gmail.com> Sat, 10 October 2015 02:44 UTC
From: Dave Garrett <davemgarrett@gmail.com>
To: tls@ietf.org
Date: Fri, 09 Oct 2015 22:44:55 -0400
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/n87zdlpkTmyBkLKFZyM-Jx0j_gI>

There is one problem with the current proposed sentinel value, 0x030403040304. It limits what can be done with future versions. It's not as simple as just making that use 0x030503050305, because we want 1.3 clients to be able to recognize sentinel values from all future versions, not just this one. Thus, for future proofing, (just) using the version number isn't a great idea. It's probably safest to just pick one static value and be done with it forever.

And now, for my proposed bikeshed color:
0x0b501e7e5e1ec7ed
("obsoleteselected"; 64-bit value)

I'd like to say I was clever enough to come up with neat hex words, but I Googled for a list and found 2 to put together. ;)

Dave
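
An added example (not part of the original message or of the TLS draft) of the future-proofing point: a client built for TLS 1.3 checks a downgraded handshake against the sentinels it knew at build time. The placement of the sentinel at the start of a 32-byte server random, the hypothetical next version 0x0305 as a negotiable version, and all function names are assumptions.

```python
import os

# Values quoted in the message above.
VERSION_SENTINEL_1_3 = bytes.fromhex("030403040304")   # version-derived, 48 bits
STATIC_SENTINEL = bytes.fromhex("0b501e7e5e1ec7ed")    # one fixed value, 64 bits

TLS_1_2, TLS_1_3, TLS_NEXT = 0x0303, 0x0304, 0x0305    # TLS_NEXT is hypothetical


def version_sentinel(version: int) -> bytes:
    """Version bytes repeated three times, e.g. 0x0305 -> 0x030503050305."""
    return version.to_bytes(2, "big") * 3


def server_random(server_max: int, negotiated: int, static: bool) -> bytes:
    """Build a 32-byte server random; mark it when negotiating below server_max.

    Assumption: the sentinel occupies the leading bytes of the random.
    """
    if negotiated >= server_max:
        return os.urandom(32)
    mark = STATIC_SENTINEL if static else version_sentinel(server_max)
    return mark + os.urandom(32 - len(mark))


def client_detects_downgrade(client_max: int, negotiated: int,
                             srv_random: bytes, static: bool) -> bool:
    """A client built for TLS 1.3: it only knows sentinels defined at that time."""
    if negotiated >= client_max:
        return False                      # nothing below our best was selected
    known = [STATIC_SENTINEL] if static else [VERSION_SENTINEL_1_3]
    return any(srv_random.startswith(s) for s in known)


def run_case(server_max: int, static: bool) -> bool:
    """A 1.3 client and a server supporting server_max end up at TLS 1.2."""
    rnd = server_random(server_max, TLS_1_2, static)
    return client_detects_downgrade(TLS_1_3, TLS_1_2, rnd, static)


if __name__ == "__main__":
    for server_max in (TLS_1_3, TLS_NEXT):
        for static in (False, True):
            print(hex(server_max), "static" if static else "versioned",
                  run_case(server_max, static))
```

With the version-derived scheme, the 1.3 client misses the mark left by the newer server; with the single static value it recognizes the mark from either server.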