Re: [TLS] Metadiscussion on changes in draft-ietf-tls-renegotiation

Nikos Mavrogiannopoulos <nmav@gnutls.org> Wed, 27 January 2010 07:33 UTC

In-Reply-To: <201001270005.o0R05dX8018122@fs4113.wdf.sap.corp>
References: <E1NZvE3-0005m4-Qw@wintermute02.cs.auckland.ac.nz> <201001270005.o0R05dX8018122@fs4113.wdf.sap.corp>
Date: Wed, 27 Jan 2010 08:33:10 +0100
X-Google-Sender-Auth: ca7789d66fc3e088
Message-ID: <c331d99a1001262333n1c369dd3qec421542004bed97@mail.gmail.com>
From: Nikos Mavrogiannopoulos <nmav@gnutls.org>
To: mrex@sap.com
Content-Type: text/plain; charset="ISO-8859-1"
Cc: tls@ietf.org, ietf@ietf.org
Subject: Re: [TLS] Metadiscussion on changes in draft-ietf-tls-renegotiation

On Wed, Jan 27, 2010 at 1:05 AM, Martin Rex <mrex@sap.com> wrote:

>> <aside>That's been the standard for PKIX RFCs for at least ten years
>> (actively acknowledged by WG members), although perhaps its spread
>> to other groups should be discouraged.</aside>
>
> I fully agree.
>
> That may be attributed to the fact that a large part of PKIX is dealing
> with policy issues with the objective to prevent/prohibit interoperability.

On the contrary. I believe allowing the sending of both SCSV and extension
might harm interoperability instead. Consider the case where the most popular client
implementations send both SCSV and extension (it is easier to do so).
A developer of a server might then consider checking only for SCSV (since all
of the popular ones he tested with send both). Thus interoperability with less
popular clients that only send the extension stops.

This scenario might not be very likely, but this kind of issue has not been
rare in TLS for quite a long time :)

best regards,
Nikos
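The interoperability failure described in the message above, as an added example that is not part of the original post and is not GnuTLS or any other project's code: it builds four constructed ClientHello bodies (a client that sends both signals, one that sends only the SCSV, one that sends only the extension, and a legacy client), parses them, and compares a server that checks only for TLS_EMPTY_RENEGOTIATION_INFO_SCSV against one that accepts either signal as RFC 5746 requires. The suite and extension code points (0x00FF and 0xFF01) are the RFC 5746 values; the cipher suite 0x002F, the zeroed random and the client names are constructed test data.

```python
import struct

SCSV = 0x00FF            # TLS_EMPTY_RENEGOTIATION_INFO_SCSV (RFC 5746, section 3.3)
RENEG_INFO_EXT = 0xFF01  # renegotiation_info extension type (RFC 5746, section 3.2)
TLS_RSA_WITH_AES_128_CBC_SHA = 0x002F  # ordinary suite used only to pad the constructed hellos


def build_client_hello(cipher_suites, extensions):
    """Build a minimal TLS 1.2 ClientHello body (record and handshake headers omitted).
    cipher_suites: list of 16-bit suite codes; extensions: list of (type, data) pairs."""
    body = b"\x03\x03"            # client_version = TLS 1.2
    body += bytes(32)             # random: zeros, because this is constructed test data
    body += b"\x00"               # empty session_id
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    body += struct.pack("!H", len(suites)) + suites
    body += b"\x01\x00"           # compression_methods: null only
    if extensions:
        exts = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
        body += struct.pack("!H", len(exts)) + exts
    return body


def parse_client_hello(body):
    """Return (cipher_suites, {ext_type: ext_data}) from a ClientHello body."""
    off = 2 + 32                                   # skip client_version and random
    sid_len = body[off]; off += 1 + sid_len
    (cs_len,) = struct.unpack_from("!H", body, off); off += 2
    suites = [struct.unpack_from("!H", body, off + i)[0] for i in range(0, cs_len, 2)]
    off += cs_len
    cm_len = body[off]; off += 1 + cm_len
    exts = {}
    if off < len(body):                            # extensions block is optional
        (ext_len,) = struct.unpack_from("!H", body, off); off += 2
        end = off + ext_len
        while off < end:
            t, l = struct.unpack_from("!HH", body, off); off += 4
            exts[t] = body[off:off + l]; off += l
    return suites, exts


def client_signals_secure_reneg_scsv_only(body):
    """The shortcut server from the message: looks only for the SCSV and never
    consults the extension list, so extension-only clients are treated as legacy."""
    suites, _ = parse_client_hello(body)
    return SCSV in suites


def client_signals_secure_reneg(body):
    """RFC 5746 server behaviour for an initial handshake: either the SCSV or a
    renegotiation_info extension with an empty renegotiated_connection counts."""
    suites, exts = parse_client_hello(body)
    if SCSV in suites:
        return True
    ext = exts.get(RENEG_INFO_EXT)
    if ext is None:
        return False
    if ext != b"\x00":   # non-empty renegotiated_connection in an initial hello: abort (section 3.4)
        raise ValueError("renegotiation_info must be empty in an initial ClientHello")
    return True


# Constructed clients covering the four possible combinations of the two signals.
CLIENTS = {
    "both":           build_client_hello([TLS_RSA_WITH_AES_128_CBC_SHA, SCSV], [(RENEG_INFO_EXT, b"\x00")]),
    "scsv_only":      build_client_hello([TLS_RSA_WITH_AES_128_CBC_SHA, SCSV], []),
    "extension_only": build_client_hello([TLS_RSA_WITH_AES_128_CBC_SHA], [(RENEG_INFO_EXT, b"\x00")]),
    "legacy":         build_client_hello([TLS_RSA_WITH_AES_128_CBC_SHA], []),
}


def interop_matrix():
    """For each constructed client, whether each server policy recognises it as
    supporting secure renegotiation."""
    return {name: {"scsv_only_server": client_signals_secure_reneg_scsv_only(h),
                   "rfc5746_server": client_signals_secure_reneg(h)}
            for name, h in CLIENTS.items()}


if __name__ == "__main__":
    for client, verdict in interop_matrix().items():
        print(f"{client:15s} {verdict}")
```

The only row where the two servers disagree is `extension_only`: the SCSV-only server classifies that client as legacy and would either refuse it or silently downgrade it to insecure renegotiation, which is exactly the loss of interoperability with less popular clients that the message warns about.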