Re: [TLS] Analysis of Interop scenarios TLS extension RI w/MCSV

Nelson B Bolyard <nelson@bolyard.me> Fri, 11 December 2009 02:39 UTC

Message-ID: <4B21B0E8.1080702@bolyard.me>
Date: Thu, 10 Dec 2009 18:39:36 -0800
From: Nelson B Bolyard <nelson@bolyard.me>
Organization: Network Security Services
To: tls@ietf.org
References: <200912101613.nBAGD3X2016314@fs4113.wdf.sap.corp> <4B216FD0.7060801@extendedsubset.com>
In-Reply-To: <4B216FD0.7060801@extendedsubset.com>

On 2009-12-10 14:01 PST, Marsh Ray wrote:
> Martin Rex wrote:
>> Marsh Ray wrote:
>>> That is interesting information. Would you happen to have a copy of the
>>> last "official" spec you can send me?
>> Netscape's official SSLv3 spec as of 2005:
>> http://web.archive.org/web/20050207004652/wp.netscape.com/eng/ssl3/3-SPEC.HTM
> 
> Thanks.
> 
> That's pretty clear, SSLv3 did not have a provision for extending Client
> Hello.
> 
>> As obvious from its name that spec is a product of the TLS WG and
>> the TLS WG decided to completely abandon (instead of publishing as
>> informational RFC) that document so that it expired and vanished
>> from the I-D repository 6 months later.
> 
> Seems like SSLv3 was simultaneously one of the most critical protocols
> for net security and orphaned.

Stop right there.  Don't be led down the garden path.

Look at the parent page.  Look at
http://web.archive.org/web/20050205162914/wp.netscape.com/eng/ssl3/

It clearly says that "The most recent Draft SSL 3.0 specification, an
Internet Draft dated November 1996, may be viewed here. It is an ASCII
document".  It is a link to http://wp.netscape.com/eng/ssl3/draft302.txt
which is draft-freier-ssl-version3-02.txt, now seen at
http://www.mozilla.org/projects/security/pki/nss/ssl/draft302.txt

That parent page also says:  "The previous draft of the SSL 3.0
Specification, dated March 1996, may be viewed in this HTML document."
which is a link to
http://web.archive.org/web/20050206124632/wp.netscape.com/eng/ssl3/ssl-toc.html
which in turn has a link to the page Martin cited above.

You'll find my name in some of those pages, too.  Don't let a non-Netscape
person tell you what was, and what was not "official" at Netscape.

Netscape never orphaned 3.0.  It kept the "most recent draft" alive for
the rest of its days, and is still kept alive today at Mozilla.org, which
runs NSS code which is a direct descendant of Netscape's original code.