IETF Logo Mail Archive

Re: [TLS] PR for anti-downgrade mechanism

Christian Huitema <huitema@microsoft.com> Tue, 10 November 2015 00:54 UTC

Return-Path: <huitema@microsoft.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 96BDB1B2B9E for <tls@ietfa.amsl.com>; Mon, 9 Nov 2015 16:54:32 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.002
X-Spam-Level:
X-Spam-Status: No, score=-2.002 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id frGu8AV2mi1s for <tls@ietfa.amsl.com>; Mon, 9 Nov 2015 16:54:28 -0800 (PST)
Received: from na01-bl2-obe.outbound.protection.outlook.com (mail-bl2on0102.outbound.protection.outlook.com [65.55.169.102]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6CC0A1B2B8C for <tls@ietf.org>; Mon, 9 Nov 2015 16:54:28 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=selector1; h=From:To:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=jY89iudhDPHihrcmp2KHRCzre6TJlLbo12TN7N7N2Cs=; b=IWUVqBzgXatipWBrVg+Q2ih1lp7DSr0VW4iszl1rQOWRMYG6nTJLsOz1DIde8wn8tf5m+EZ6wn5ALKjSiYlFzoWDWkF/dY/zcqBUPW/dx8WN5de4fupo3IVr3KLoY59CkIni+yeeMJypFQjnJ1gYFKJKO2QsvxPTnu/H+5553WY=
Received: from DM2PR0301MB0655.namprd03.prod.outlook.com (10.160.96.17) by DM2PR0301MB0654.namprd03.prod.outlook.com (10.160.96.16) with Microsoft SMTP Server (TLS) id 15.1.318.15; Tue, 10 Nov 2015 00:54:25 +0000
Received: from DM2PR0301MB0655.namprd03.prod.outlook.com ([10.160.96.17]) by DM2PR0301MB0655.namprd03.prod.outlook.com ([10.160.96.17]) with mapi id 15.01.0318.003; Tue, 10 Nov 2015 00:54:25 +0000
From: Christian Huitema <huitema@microsoft.com>
To: Eric Rescorla <ekr@rtfm.com>
Thread-Topic: [TLS] PR for anti-downgrade mechanism
Thread-Index: AQHRAo2XH3FLVO3qjUqf9pv0XfX2g55jwgYAgAAnWQCACqFpAIAAC9CAgAAJyQCAABn0AIAABjIAgACDCoCAAMyMgIAABv+AgAAA0ACAAAHkAIAAIPYAgAACZICAAATsAIAABXSAgAADTwCAAAEugIAAAhuAgAAAuACAAAv4AIACl4gAgAAIlACAACCMAIAhctoAgAAD/tCAAAeaAIAAAKgggAACMgCAAADXwA==
Date: Tue, 10 Nov 2015 00:54:25 +0000
Message-ID: <DM2PR0301MB0655BCFAD6E0FA307A8613BFA8140@DM2PR0301MB0655.namprd03.prod.outlook.com>
References: <CABcZeBOB9mnQ8bLOCSysnx9LMv0hxrPCA21jTnxAMb3Yom_Aow@mail.gmail.com> <201510171708.16547.davemgarrett@gmail.com> <CABcZeBOzJkdjC-NnjPcHtoU_6rmEMPqj4Y7xKuA=CHZLT9r49w@mail.gmail.com> <201510171734.26589.davemgarrett@gmail.com> <CABcZeBNFvUN6KOpzGO5_tPU9dqbJ8q=k_CaqmkjeCR_hS2RCOg@mail.gmail.com> <20151017220548.GF15070@mournblade.imrryr.org> <CABcZeBPhmq+0k8gVs9FcZ6T-_SehqrWkL0BzkB5z8=DgXy1Saw@mail.gmail.com> <20151017221733.GG15070@mournblade.imrryr.org> <CABcZeBOew4DTOzj1Q=G9_o87SjH-hF85VWmz1U38P1WedjkuYg@mail.gmail.com> <20151017230257.GI15070@mournblade.imrryr.org> <84C5B67D-F236-4BFD-AA13-5CC13062B8C5@akamai.com> <CABcZeBMn9=H3A2EpQonB1rM5ApZ68hzdNHRQf6NOU+7C6_iiiA@mail.gmail.com> <CABkgnnVRO56392s068xeB_Lnn6qoVu_MBbwWRcKe=p8YPQ2RUw@mail.gmail.com> <CABcZeBNKetQrBbKR3pSOawg_OyTa8cHsHXjuAUq4Yu4F2d0tcA@mail.gmail.com> <DM2PR0301MB0655C9C3CD6063C093364C04A8140@DM2PR0301MB0655.namprd03.prod.outlook.com> <CABcZeBNsxdKStRTT6EGJ7f0W=1tD1fAqsiL84OECvRbJsFGC1Q@mail.gmail.com> <DM2PR0301MB065557FA191E0256A2E6BD27A8140@DM2PR0301MB0655.namprd03.prod.outlook.com> <CABcZeBMgZdEpH5Y5x676hJpk_nKvxwC3i9BHTYqvLML+8Rhaqw@mail.gmail.com>
In-Reply-To: <CABcZeBMgZdEpH5Y5x676hJpk_nKvxwC3i9BHTYqvLML+8Rhaqw@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=huitema@microsoft.com;
x-originating-ip: [131.107.174.75]
x-microsoft-exchange-diagnostics: 1; DM2PR0301MB0654; 5:djkFYwm5PuQaBaawASamYGH5aTWbC+lAbGnGIOZCFZBgYtnrmY7fyvc/LxGslDKKiERHBtH2pkH5Lcd76JQWkRPIAjiViYsSqfTJvqWpJGGByRvKPLSigULtqxQx9LjMj1G+yPdj2s1ERtWM2zybKQ==; 24:TYsvfZugnpgUbIrqpim5yRNr9zAPpA/mxyq4Bvhx3WACTDS4Ue63MtPivy2n97L1iNxbXnkcLWNb7jaVhOfQOhXJ7ehqzcIgz7lOIHHI1qA=; 20:gE4a+N9wUa+Hl0CyIMap4B10ZQP4nTiPZosEo1fpcAldmY4LNStS2jt6zQAtUnPMxa/6XMsAxJ0Wc1xjVU1SgQ==
x-microsoft-antispam: UriScan:;BCL:0;PCL:0;RULEID:;SRVR:DM2PR0301MB0654;
x-o365eop-header: O365_EOP: Allow for Unauthenticated Relay
x-o365ent-eop-header: Message processed by - O365_ENT: Allow from ranges (Engineering ONLY)
x-microsoft-antispam-prvs: <DM2PR0301MB0654690085371DF00C871D8EA8140@DM2PR0301MB0654.namprd03.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:(108003899814671);
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(61425024)(601004)(2401047)(520078)(5005006)(8121501046)(3002001)(10201501046)(61426024)(61427024); SRVR:DM2PR0301MB0654; BCL:0; PCL:0; RULEID:; SRVR:DM2PR0301MB0654;
x-forefront-prvs: 07562C22DA
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(6009001)(24454002)(189002)(199003)(377454003)(11100500001)(8990500004)(81156007)(5004730100002)(105586002)(74316001)(101416001)(97736004)(5002640100001)(110136002)(189998001)(93886004)(92566002)(76576001)(5001960100002)(19580405001)(19580395003)(5008740100001)(50986999)(33656002)(99286002)(86612001)(122556002)(106116001)(106356001)(40100003)(54356999)(76176999)(87936001)(86362001)(5007970100001)(66066001)(5003600100002)(10290500002)(5005710100001)(10400500002)(10090500001)(77096005)(102836002)(2950100001)(2900100001); DIR:OUT; SFP:1102; SCL:1; SRVR:DM2PR0301MB0654; H:DM2PR0301MB0655.namprd03.prod.outlook.com; FPR:; SPF:None; PTR:InfoNoRecords; MX:1; A:1; LANG:en;
received-spf: None (protection.outlook.com: microsoft.com does not designate permitted sender hosts)
spamdiagnosticoutput: 1:23
spamdiagnosticmetadata: NSPM
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: microsoft.com
X-MS-Exchange-CrossTenant-originalarrivaltime: 10 Nov 2015 00:54:25.2431 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 72f988bf-86f1-41af-91ab-2d7cd011db47
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DM2PR0301MB0654
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/sO3ohCWNETwPPmZsuwHnMpd64vU>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] PR for anti-downgrade mechanism
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 10 Nov 2015 00:54:32 -0000

On Monday, November 9, 2015 4:44 PM, Eric Rescorla wrote:
> On Mon, Nov 9, 2015 at 4:41 PM, Christian Huitema <huitema@microsoft.com> wrote:
>> On Monday, November 9, 2015 4:34 PM, Eric Rescorla wrote:
>>> On Mon, Nov 9, 2015 at 4:30 PM, Christian Huitema <huitema@microsoft.com> wrote:
>...
>>>> Could you also add a reference to the document that specifies using 44 4F  57 4E 47 52
>>>> 44 00 by "TLS 1.2 servers which are  negotiating TLS 1.1 or below" ?
>>>
>>> We don't have one. Wasn't totally sure how to handle that.
>>
>> I suspected that. Spent sometimes looking for text in published RFC, 
>> could not find it. I suspect that many readers will fall in the same trap 
>> and lose some time. Could you add text explaining that this is an 
>> undocumented feature of some implementations, and that we are 
>> recommending its use? Or something to that effect...
>
> Worse, we just invented it. What about if I say "TLS 1.2 servers SHOULD..."

That would be better. There is however a question of "is this the right document." This is the spec for TLS 1.3 servers, so implementers of TLS 1.2 servers may or may not read it. This document "obsoletes 5246," so cannot really update it. Let see what you come up with...

-- Christian Huitema

v2.23.0 | Report a Bug | By Email