IETF Logo Mail Archive

Re: [TLS] COMMENT: draft-ietf-tls-renegotiation

Peter Saint-Andre <stpeter@stpeter.im> Tue, 15 December 2009 17:24 UTC

Return-Path: <stpeter@stpeter.im>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id AE1F73A688F; Tue, 15 Dec 2009 09:24:39 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.566
X-Spam-Level:
X-Spam-Status: No, score=-2.566 tagged_above=-999 required=5 tests=[AWL=0.033, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Nvs+5E1BtXI1; Tue, 15 Dec 2009 09:24:38 -0800 (PST)
Received: from stpeter.im (stpeter.im [207.210.219.233]) by core3.amsl.com (Postfix) with ESMTP id 6FFC33A67A3; Tue, 15 Dec 2009 09:24:38 -0800 (PST)
Received: from dhcp-64-101-72-234.cisco.com (dhcp-64-101-72-234.cisco.com [64.101.72.234]) (Authenticated sender: stpeter) by stpeter.im (Postfix) with ESMTPSA id 9E5CE40472; Tue, 15 Dec 2009 10:24:24 -0700 (MST)
Message-ID: <4B27C647.2060008@stpeter.im>
Date: Tue, 15 Dec 2009 10:24:23 -0700
From: Peter Saint-Andre <stpeter@stpeter.im>
User-Agent: Thunderbird 2.0.0.23 (Macintosh/20090812)
MIME-Version: 1.0
To: Marsh Ray <marsh@extendedsubset.com>
References: <20091214191959.427A53A6A27@core3.amsl.com> <4B269153.9070701@tau.ac.il> <4B27B9DF.1020300@extendedsubset.com>
In-Reply-To: <4B27B9DF.1020300@extendedsubset.com>
X-Enigmail-Version: 0.96.0
OpenPGP: url=http://www.saint-andre.com/me/stpeter.asc
Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="sha1"; boundary="------------ms090705070306080600020505"
Cc: Ran Canetti <canetti@tau.ac.il>, iesg@ietf.org, tls@ietf.org
Subject: Re: [TLS] COMMENT: draft-ietf-tls-renegotiation
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 15 Dec 2009 17:24:39 -0000

On 12/15/09 9:31 AM, Marsh Ray wrote:
> Ran Canetti wrote:
>> Indeed.
>>
>> Or, at least, a strong case should be made why renegotiation (within the
>> same session, from the point of view of the application) is an important
>> feature to preserve.
> 
> A large number of systems are currently using it. We don't know exactly,
> but this might give you an idea:
> 
> http://www.google.com/search?q=microsoft+iis+client+certificate
> 
> Do they really need it? Probably some do, some don't. Some installations
> could rearrange their sites to not need it, and some have more IIS web
> servers than they could begin to count.
> 
> Why should we keep renegotiation?
> 
> Because any spec which "drops" it is just going to be ignored, with the
> side effect of the industry dropping the IETF rather than the IETF
> dropping renegotiation.

Given that the TLS WG list is full of discussion about remaining
backward-compatible with SSLv3, it's not clear if the industry is paying
attention to the IETF anyway.

> Removing support for (i.e., not fixing) a fundamental and widely-used
> protocol feature like renegotiation is not an option.

I think the question Russ raised is: just how fundamental is TLS
renegotiation? And the answer so far seems to be: some deployments seem
to use it, but it might not be fundamental.

Peter

-- 
Peter Saint-Andre
https://stpeter.im/

v2.23.0 | Report a Bug | By Email