Re: [TLS] Quest for Unified Solution to TLS Renegotiation

David-Sarah Hopwood <david-sarah@jacaranda.org> Sat, 28 November 2009 18:26 UTC

DomainKey-Signature: a=rsa-sha1; c=nofws; d=googlemail.com; s=gamma; h=sender:message-id:date:from:user-agent:mime-version:to:subject :references:in-reply-to:x-enigmail-version:content-type; b=j566ZmCgB47qLvelMVCgkjvIsLG/8I9urceMONicA06mB1oTcm7d1hAIk6JEmrBrD3 aaFKMfv+A3aPL3uD2JpKX7aUYuqVNjn/dbPT0L9usaezvsmQJuOHrVS0Ysh1d/3s1ggC sDX2vmA57SdeASjGeAh6kcVvRT4oVqcrAQ+Wg=
Sender: David-Sarah Hopwood <djhopwood@googlemail.com>
Message-ID: <4B116B4C.1070309@jacaranda.org>
Date: Sat, 28 Nov 2009 18:26:20 +0000
From: David-Sarah Hopwood <david-sarah@jacaranda.org>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.8.1.3) Gecko/20070326 Thunderbird/2.0.0.0 Mnenhy/0.7.5.666
MIME-Version: 1.0
To: tls@ietf.org
References: <4B0D9B94.9080205@pobox.com> <20091125225408.42FB96C3288@kilo.networkresonance.com> <6b9359640911280322w32974bd9u6b791ede79260d5c@mail.gmail.com>
In-Reply-To: <6b9359640911280322w32974bd9u6b791ede79260d5c@mail.gmail.com>
Content-Type: multipart/signed; micalg="pgp-sha256"; protocol="application/pgp-signature"; boundary="------------enig8C967B73868E220F3C0FF8C4"
Subject: Re: [TLS] Quest for Unified Solution to TLS Renegotiation
Precedence: list

Kyle Hamilton wrote:
> A) Secure Renegotiation Indicator TLS extension.
> B) Magic cipher_suite.
> C) Bit-fiddled version identifiers.
> 
> We are constrained by the following:
> 
> 1) The mechanism for signalling must not screw up the protocol steps
> for unpatched libraries.
> 2) The mechanism for signalling must be backward-compatible to SSLv3
> (this is my interpretation of what the Area Director stated; please
> correct me if I am wrong).
> 
> Because of constraint number 2, option A cannot be the mandated
> mechanism for the client to signal the server that it supports
> renegotiation continuity.

That's not correct. Option A for S->C signalling works fine in SSLv3.
In the case where the server does not already support extensions, it's
just appending a fixed octet string to the ServerHello, so it is no
more difficult to implement than any other option.

-- 
David-Sarah Hopwood  ⚥  http://davidsarah.livejournal.com

Attachment: signature.asc

[TLS] Quest for Unified Solution to TLS Renegotia… Michael D'Errico
Re: [TLS] Quest for Unified Solution to TLS Reneg… Marsh Ray
Re: [TLS] Quest for Unified Solution to TLS Reneg… Martin Rex
Re: [TLS] Quest for Unified Solution to TLS Reneg… Stefan Santesson
Re: [TLS] Quest for Unified Solution to TLS Reneg… Eric Rescorla
Re: [TLS] Quest for Unified Solution to TLS Reneg… Hovav Shacham
Re: [TLS] Quest for Unified Solution to TLS Reneg… Michael D'Errico
Re: [TLS] Quest for Unified Solution to TLS Reneg… Eric Rescorla
Re: [TLS] Quest for Unified Solution to TLS Reneg… Martin Rex
Re: [TLS] Quest for Unified Solution to TLS Reneg… Michael D'Errico
Re: [TLS] Quest for Unified Solution to TLS Reneg… Martin Rex
Re: [TLS] Quest for Unified Solution to TLS Reneg… Martin Rex
Re: [TLS] Quest for Unified Solution to TLS Reneg… Michael D'Errico
Re: [TLS] Quest for Unified Solution to TLS Reneg… David-Sarah Hopwood
Re: [TLS] Quest for Unified Solution to TLS Reneg… David-Sarah Hopwood
Re: [TLS] Quest for Unified Solution to TLS Reneg… David-Sarah Hopwood
Re: [TLS] Quest for Unified Solution to TLS Reneg… Martin Rex
Re: [TLS] Quest for Unified Solution to TLS Reneg… Martin Rex
Re: [TLS] Quest for Unified Solution to TLS Reneg… Yoav Nir
Re: [TLS] Quest for Unified Solution to TLS Reneg… David-Sarah Hopwood
Re: [TLS] Quest for Unified Solution to TLS Reneg… Martin Rex
Re: [TLS] Quest for Unified Solution to TLS Reneg… Blumenthal, Uri - 0662 - MITLL
Re: [TLS] Quest for Unified Solution to TLS Reneg… Blumenthal, Uri - 0662 - MITLL
Re: [TLS] Quest for Unified Solution to TLS Reneg… Martin Rex
Re: [TLS] Quest for Unified Solution to TLS Reneg… Blumenthal, Uri - 0662 - MITLL
Re: [TLS] Quest for Unified Solution to TLS Reneg… Marsh Ray
Re: [TLS] Quest for Unified Solution to TLS Reneg… David-Sarah Hopwood
Re: [TLS] Quest for Unified Solution to TLS Reneg… David-Sarah Hopwood
Re: [TLS] Quest for Unified Solution to TLS Reneg… Martin Rex
Re: [TLS] Quest for Unified Solution to TLS Reneg… Michael D'Errico
Re: [TLS] Quest for Unified Solution to TLS Reneg… David-Sarah Hopwood
Re: [TLS] Quest for Unified Solution to TLS Reneg… Martin Rex
Re: [TLS] Quest for Unified Solution to TLS Reneg… Michael D'Errico
Re: [TLS] Quest for Unified Solution to TLS Reneg… Martin Rex
Re: [TLS] Quest for Unified Solution to TLS Reneg… David-Sarah Hopwood
Re: [TLS] Quest for Unified Solution to TLS Reneg… Blumenthal, Uri - 0662 - MITLL
Re: [TLS] Quest for Unified Solution to TLS Reneg… David-Sarah Hopwood
Re: [TLS] Quest for Unified Solution to TLS Reneg… Stephen Farrell
Re: [TLS] Quest for Unified Solution to TLS Reneg… Yoav Nir
Re: [TLS] Quest for Unified Solution to TLS Reneg… Nelson B Bolyard
Re: [TLS] Quest for Unified Solution to TLS Reneg… Nelson B Bolyard
Re: [TLS] Quest for Unified Solution to TLS Reneg… Blumenthal, Uri - 0662 - MITLL
Re: [TLS] Quest for Unified Solution to TLS Reneg… Martin Rex
Re: [TLS] Quest for Unified Solution to TLS Reneg… David-Sarah Hopwood
Re: [TLS] Quest for Unified Solution to TLS Reneg… David-Sarah Hopwood
Re: [TLS] Quest for Unified Solution to TLS Reneg… Kyle Hamilton
Re: [TLS] Quest for Unified Solution to TLS Reneg… Eric Rescorla
Re: [TLS] Quest for Unified Solution to TLS Reneg… Blumenthal, Uri - 0662 - MITLL
Re: [TLS] Quest for Unified Solution to TLS Reneg… David-Sarah Hopwood

Re: [TLS] Quest for Unified Solution to TLS Renegotiation

Attachment: signature.asc