IETF Logo Mail Archive

Re: [TLS] Last Call: draft-ietf-tls-renegotiation (Transport Layer

Marsh Ray <marsh@extendedsubset.com> Thu, 03 December 2009 19:31 UTC

Return-Path: <marsh@extendedsubset.com>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 516AE28C168 for <tls@core3.amsl.com>; Thu, 3 Dec 2009 11:31:36 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.494
X-Spam-Level:
X-Spam-Status: No, score=-2.494 tagged_above=-999 required=5 tests=[AWL=0.105, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8kPMgKqjt5uP for <tls@core3.amsl.com>; Thu, 3 Dec 2009 11:31:35 -0800 (PST)
Received: from mho-01-ewr.mailhop.org (mho-01-ewr.mailhop.org [204.13.248.71]) by core3.amsl.com (Postfix) with ESMTP id 9043428C1A3 for <tls@ietf.org>; Thu, 3 Dec 2009 11:31:35 -0800 (PST)
Received: from xs01.extendedsubset.com ([69.164.193.58]) by mho-01-ewr.mailhop.org with esmtpa (Exim 4.68) (envelope-from <marsh@extendedsubset.com>) id 1NGHOg-000MEh-Ia; Thu, 03 Dec 2009 19:31:26 +0000
Received: from [127.0.0.1] (localhost [127.0.0.1]) by xs01.extendedsubset.com (Postfix) with ESMTP id 65304603C; Thu, 3 Dec 2009 19:31:24 +0000 (UTC)
X-Mail-Handler: MailHop Outbound by DynDNS
X-Originating-IP: 69.164.193.58
X-Report-Abuse-To: abuse@dyndns.com (see http://www.dyndns.com/services/mailhop/outbound_abuse.html for abuse reporting information)
X-MHO-User: U2FsdGVkX1+nlSEW2GRAoHyKjwhu3FO+qIxNVWWm0Ys=
Message-ID: <4B181209.5090507@extendedsubset.com>
Date: Thu, 03 Dec 2009 13:31:21 -0600
From: Marsh Ray <marsh@extendedsubset.com>
User-Agent: Thunderbird 2.0.0.23 (Windows/20090812)
MIME-Version: 1.0
To: mrex@sap.com, "tls@ietf.org" <tls@ietf.org>
References: <200912030225.nB32PHkW003916@fs4113.wdf.sap.corp>
In-Reply-To: <200912030225.nB32PHkW003916@fs4113.wdf.sap.corp>
X-Enigmail-Version: 0.96.0
OpenPGP: id=1E36DBF2
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
Subject: Re: [TLS] Last Call: draft-ietf-tls-renegotiation (Transport Layer
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 03 Dec 2009 19:31:36 -0000

<flameSuit state="on">
	I'm thinking this is the only big sticking point left for
	draft-ietf-tls-renegotiation?
</flameSuit>

Martin Rex wrote:
>
> We do *NOT* need more than one signaling mechanism, so the use of
> MCSV needs to be a MUST and the use of an empty TLS extension RI
> on the initial ClientHello needs to be a SHOULD NOT.

I for one would like to see the day (say in TLS 1.7) when we no longer
need to send the MCSV on every Client Hello. It is, after all, a hack.

In order for this to ever be possible, we need servers from the first
implementation of this patch to accept and work with either the
extension or the MCSV.

The MCSV was a concession to those who needed, on occasion, to not send
any extensions. It sounds like the great majority of servers do not
break when sent extensions.

Modern browsers are sending the SNI extension, no need for the hack
there. Let them use the MCSV only for the (sigh) fall-back logic.

- Marsh

v2.23.0 | Report a Bug | By Email