Re: [TLS] drop obsolete SSL 2 backwards compatibility from TLS 1.3 draft
Brian Smith <brian@briansmith.org> Tue, 23 December 2014 21:51 UTC
Return-Path: <brian@briansmith.org>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 317EE1A1B49 for <tls@ietfa.amsl.com>; Tue, 23 Dec 2014 13:51:45 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.979
X-Spam-Level:
X-Spam-Status: No, score=-1.979 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NPE3nezsnNpA for <tls@ietfa.amsl.com>; Tue, 23 Dec 2014 13:51:43 -0800 (PST)
Received: from mail-ob0-f169.google.com (mail-ob0-f169.google.com [209.85.214.169]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3AED91A86E7 for <tls@ietf.org>; Tue, 23 Dec 2014 13:51:41 -0800 (PST)
Received: by mail-ob0-f169.google.com with SMTP id vb8so27165238obc.0 for <tls@ietf.org>; Tue, 23 Dec 2014 13:51:40 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=gquazLuEFFHjJHiZ6B+XMNQ6kFDag2pc7mt9HkALD3A=; b=aNCHQLw3+rJdMrTpWn6TfydzmCN6NpmftSfKGDog/tFbtXsyuqyHF6Rzl+GORMoMsA gLp7aMdImiczrcsjmKGeo1KdexEjmvV0KJx+874yzV8Im3z5XVDNCo5GlRFGTK0YH5pA QAH5FOs3Bi40ONuxgGELoZ0vkJb22l12Dh4z7Bpesng1PQm/n3V+wwq6SN1R+2kN9gS1 RRLVz5+MsK7XeMngMXzXc61iisIa8qEeChPtRkCj21iG4Qw+xMFqPdIIL47+4/DR1nHr gqyygId3nP27kGRA9f3/3QkWK6z+h11b5NV9RN+aqsffWKB4VfDpaXCU35WY5lmoKAQp /iNw==
X-Gm-Message-State: ALoCoQksD0QVp3TPOMmg8Mbf8vgFNwWmwk87vm8+kgdgGlW4fQ492WXr1YW1skNiDeiE20Ep9IT7
MIME-Version: 1.0
X-Received: by 10.60.124.69 with SMTP id mg5mr17937976oeb.73.1419371500737; Tue, 23 Dec 2014 13:51:40 -0800 (PST)
Received: by 10.76.71.228 with HTTP; Tue, 23 Dec 2014 13:51:40 -0800 (PST)
In-Reply-To: <201412221945.35644.davemgarrett@gmail.com>
References: <201412221945.35644.davemgarrett@gmail.com>
Date: Tue, 23 Dec 2014 13:51:40 -0800
Message-ID: <CAFewVt4OUkh5KhemR19dok0-dJ2eH3O71xQQ96QZTeLaE1dicg@mail.gmail.com>
From: Brian Smith <brian@briansmith.org>
To: Dave Garrett <davemgarrett@gmail.com>
Content-Type: text/plain; charset="UTF-8"
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/uhEz35tk-72mZR66weg_Bs7rOVk
Cc: "TLS@ietf.org (tls@ietf.org)" <tls@ietf.org>
Subject: Re: [TLS] drop obsolete SSL 2 backwards compatibility from TLS 1.3 draft
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 23 Dec 2014 21:51:45 -0000
Dave Garrett <davemgarrett@gmail.com> wrote: > The PR replaces the section with a simple "MUST NOT" send or accept for TLS 1.3 > implementations. It would be best to have your change do exactly that, by shortening the remaining text to: Implementations MUST NOT send or accept an SSL version 2.0 compatible CLIENT-HELLO. Implementations MUST NOT send or accept TLS records with a version less than { 3, 0 }. Note the suggestion to use the term "records" instead of "messages". I think further changes can be made to tighten up the text regarding allowed record versions, but those changes are more open for debate. For example, we might say that the ClientHello's record version MUST be { 3, 1 } and that the version field in all other records MUST equal the negotiated version. But, again, this can be done on top of your changes. Cheers, Brian
- [TLS] drop obsolete SSL 2 backwards compatibility… Dave Garrett
- Re: [TLS] drop obsolete SSL 2 backwards compatibi… Brian Smith
- Re: [TLS] drop obsolete SSL 2 backwards compatibi… Yoav Nir
- Re: [TLS] drop obsolete SSL 2 backwards compatibi… Yuhong Bao
- Re: [TLS] drop obsolete SSL 2 backwards compatibi… Yoav Nir
- Re: [TLS] drop obsolete SSL 2 backwards compatibi… Dave Garrett
- Re: [TLS] drop obsolete SSL 2 backwards compatibi… Dave Garrett
- [TLS] explicitly specify ClientHello record versi… Dave Garrett
- Re: [TLS] drop obsolete SSL 2 backwards compatibi… Kurt Roeckx
- Re: [TLS] drop obsolete SSL 2 backwards compatibi… Jeffrey Walton
- Re: [TLS] drop obsolete SSL 2 backwards compatibi… Kurt Roeckx
- Re: [TLS] drop obsolete SSL 2 backwards compatibi… Hauke Mehrtens
- Re: [TLS] drop obsolete SSL 2 backwards compatibi… Yoav Nir
- Re: [TLS] drop obsolete SSL 2 backwards compatibi… Fabrice
- Re: [TLS] drop obsolete SSL 2 backwards compatibi… Brian Smith
- Re: [TLS] drop obsolete SSL 2 backwards compatibi… Brian Smith
- Re: [TLS] drop obsolete SSL 2 backwards compatibi… Brian Smith
- Re: [TLS] drop obsolete SSL 2 backwards compatibi… Kurt Roeckx
- Re: [TLS] drop obsolete SSL 2 backwards compatibi… Hauke Mehrtens
- Re: [TLS] drop obsolete SSL 2 backwards compatibi… Kurt Roeckx
- Re: [TLS] drop obsolete SSL 2 backwards compatibi… Salz, Rich
- Re: [TLS] drop obsolete SSL 2 backwards compatibi… Watson Ladd
- Re: [TLS] drop obsolete SSL 2 backwards compatibi… Martin Rex
- Re: [TLS] drop obsolete SSL 2 backwards compatibi… Dave Garrett
- Re: [TLS] drop obsolete SSL 2 backwards compatibi… Dave Garrett
- Re: [TLS] drop obsolete SSL 2 backwards compatibi… Dave Garrett
- Re: [TLS] drop obsolete SSL 2 backwards compatibi… Dave Garrett
- Re: [TLS] drop obsolete SSL 2 backwards compatibi… Dave Garrett
- Re: [TLS] drop obsolete SSL 2 backwards compatibi… Dave Garrett
- Re: [TLS] drop obsolete SSL 2 backwards compatibi… Dave Garrett
- Re: [TLS] drop obsolete SSL 2 backwards compatibi… Dave Garrett
- Re: [TLS] drop obsolete SSL 2 backwards compatibi… Martin Thomson
- Re: [TLS] drop obsolete SSL 2 backwards compatibi… Martin Rex
- Re: [TLS] drop obsolete SSL 2 backwards compatibi… Dave Garrett
- Re: [TLS] drop obsolete SSL 2 backwards compatibi… Dave Garrett
- Re: [TLS] drop obsolete SSL 2 backwards compatibi… Peter Gutmann
- Re: [TLS] drop obsolete SSL 2 backwards compatibi… Brian Smith
- Re: [TLS] drop obsolete SSL 2 backwards compatibi… Dave Garrett
- Re: [TLS] drop obsolete SSL 2 backwards compatibi… Dave Garrett
- Re: [TLS] drop obsolete SSL 2 backwards compatibi… Martin Rex
- Re: [TLS] drop obsolete SSL 2 backwards compatibi… Salz, Rich
- Re: [TLS] drop obsolete SSL 2 backwards compatibi… Yuhong Bao
- Re: [TLS] drop obsolete SSL 2 backwards compatibi… Florian Weimer
- Re: [TLS] drop obsolete SSL 2 backwards compatibi… Florian Weimer
- Re: [TLS] drop obsolete SSL 2 backwards compatibi… Daniel Kahn Gillmor
- Re: [TLS] drop obsolete SSL 2 backwards compatibi… Yuhong Bao
- Re: [TLS] drop obsolete SSL 2 backwards compatibi… Andrei Popov
- [TLS] Downgrade Dance steps (Re: drop obsolete SS… Martin Rex
- Re: [TLS] Downgrade Dance steps (Re: drop obsolet… Dave Garrett
- Re: [TLS] drop obsolete SSL 2 backwards compatibi… Yuhong Bao
- Re: [TLS] drop obsolete SSL 2 backwards compatibi… Martin Rex
- Re: [TLS] drop obsolete SSL 2 backwards compatibi… Yuhong Bao