IETF Logo Mail Archive

Re: [TLS] Next steps for draft-ietf-tls-renegotiation

Stefan Santesson <stefan@aaa-sec.com> Mon, 30 November 2009 17:55 UTC

Return-Path: <stefan@aaa-sec.com>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 58B0128C0D8 for <tls@core3.amsl.com>; Mon, 30 Nov 2009 09:55:42 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.231
X-Spam-Level:
X-Spam-Status: No, score=-2.231 tagged_above=-999 required=5 tests=[AWL=0.018, BAYES_00=-2.599, HELO_EQ_SE=0.35]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8K63Fl6PyaY9 for <tls@core3.amsl.com>; Mon, 30 Nov 2009 09:55:41 -0800 (PST)
Received: from s87.loopia.se (s87.loopia.se [194.9.95.114]) by core3.amsl.com (Postfix) with ESMTP id 6E3603A6916 for <tls@ietf.org>; Mon, 30 Nov 2009 09:55:41 -0800 (PST)
Received: from s128.loopia.se (s34.loopia.se [194.9.94.70]) by s87.loopia.se (Postfix) with ESMTP id 2AB3C29157B for <tls@ietf.org>; Mon, 30 Nov 2009 18:55:38 +0100 (CET)
Received: (qmail 85486 invoked from network); 30 Nov 2009 17:55:30 -0000
Received: from 213-64-142-247-no153.business.telia.com (HELO [192.168.1.3]) (stefan@fiddler.nu@[213.64.142.247]) (envelope-sender <stefan@aaa-sec.com>) by s128.loopia.se (qmail-ldap-1.03) with DES-CBC3-SHA encrypted SMTP for <Nicolas.Williams@sun.com>; 30 Nov 2009 17:55:30 -0000
User-Agent: Microsoft-Entourage/12.23.0.091001
Date: Mon, 30 Nov 2009 18:55:26 +0100
From: Stefan Santesson <stefan@aaa-sec.com>
To: Nicolas Williams <Nicolas.Williams@sun.com>, Pasi.Eronen@nokia.com
Message-ID: <C739C59E.6CFE%stefan@aaa-sec.com>
Thread-Topic: [TLS] Next steps for draft-ietf-tls-renegotiation
Thread-Index: Acpx5ku0b1RRqfqKEEmqAoMecVQ0gA==
In-Reply-To: <20091130170745.GH773@Sun.COM>
Mime-version: 1.0
Content-type: text/plain; charset="US-ASCII"
Content-transfer-encoding: 7bit
Cc: tls@ietf.org
Subject: Re: [TLS] Next steps for draft-ietf-tls-renegotiation
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 30 Nov 2009 17:55:42 -0000

Nico,

I think your characterization is very good.
And I would also much rather have a fail-safe solution.

As you say, no approach today is totally extension less, so the big
difference remaining IMO is:

1) The fail-unsafe approach based on sending verify_data in extensions.

2) The Fail-safe approach based on injecting varify_data into the handshake
hash calculation, but not sending them over the wire. (This approach uses
extensions for signaling but with absent data)

Everything else is more or less the same.

I think we have demonstrated that the fail-safe alternative can be designed
in a secure manner.


/Stefan



On 09-11-30 6:07 PM, "Nicolas Williams" <Nicolas.Williams@sun.com> wrote:

> On Fri, Nov 27, 2009 at 11:26:34PM +0100, Pasi.Eronen@nokia.com wrote:
>> <wearing Area Director hat>
>> 
>> I have asked the secretariat to start IETF Last Call for
>> draft-rescorla-tls-renegotiation-01.
>> 
>> I've gone through the list archives for the past month, and it seems a
>> large majority of the WG members support the overall approach in this
>> draft (with a small, but very vocal, minority preferring a totally
>> extension-less approach to signalling).
> 
> I don't think that's a fair nor complete characterization of the current
> differences of opinion.  A more complete and correct characterization
> might be:
> 
>  - The RI proposal has a fail-unsafe requirement that peers check the
>    contents of the extensions sent.
> 
>    NOTE: A fix for this wouldn't require an extension-less signalling
>          solution.
> 
>    [IMO: This is serious objection that goes beyond protocol design
>          aesthetics or ease of retrofitting for SSLv3.  I think we can
> live without a fix for this problem, but I'd much rather have a
> fail-safe solution.]
> 
>  - There seems to be a desire, among some, for a signalling solution
>    that is somehow easier to retrofit for SSLv3 implementations.  This
>    couldn't be an extension-less scheme, since some bits are needed to
>    signal the use of the fix in the client's initial hello, but it might
>    avoid the use of server hello extensions.
> 
>    [IMO: This is a concern that we can safely ignore.]
> 
> Nico

v2.23.0 | Report a Bug | By Email