Re: [TLS] Accept draft-turner-ssl-must-not-02 as WG item
Marsh Ray <marsh@extendedsubset.com> Wed, 15 September 2010 06:57 UTC
Return-Path: <marsh@extendedsubset.com>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 3418D3A6AB8 for <tls@core3.amsl.com>; Tue, 14 Sep 2010 23:57:29 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.582
X-Spam-Level:
X-Spam-Status: No, score=-0.582 tagged_above=-999 required=5 tests=[AWL=-1.082, BAYES_20=-0.74, SARE_LWSHORTT=1.24]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gx9zxBmVVNv3 for <tls@core3.amsl.com>; Tue, 14 Sep 2010 23:57:23 -0700 (PDT)
Received: from mho-01-ewr.mailhop.org (mho-01-ewr.mailhop.org [204.13.248.71]) by core3.amsl.com (Postfix) with ESMTP id 681D63A69A0 for <tls@ietf.org>; Tue, 14 Sep 2010 23:57:23 -0700 (PDT)
Received: from xs01.extendedsubset.com ([69.164.193.58]) by mho-01-ewr.mailhop.org with esmtpa (Exim 4.68) (envelope-from <marsh@extendedsubset.com>) id 1OvlwC-000KX6-Rc for tls@ietf.org; Wed, 15 Sep 2010 06:57:48 +0000
Received: from [192.168.1.15] (localhost [127.0.0.1]) by xs01.extendedsubset.com (Postfix) with ESMTP id D464B6494 for <tls@ietf.org>; Wed, 15 Sep 2010 06:57:47 +0000 (UTC)
X-Mail-Handler: MailHop Outbound by DynDNS
X-Originating-IP: 69.164.193.58
X-Report-Abuse-To: abuse@dyndns.com (see http://www.dyndns.com/services/mailhop/outbound_abuse.html for abuse reporting information)
X-MHO-User: U2FsdGVkX1+nssiKhM3PiXguc6kBmpFhiReEabOOT50=
Message-ID: <4C906E6B.4030706@extendedsubset.com>
Date: Wed, 15 Sep 2010 01:57:47 -0500
From: Marsh Ray <marsh@extendedsubset.com>
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.12) Gecko/20100826 Thunderbird/3.0.7
MIME-Version: 1.0
To: tls@ietf.org
References: <E1Ovj4f-0007mZ-4a@wintermute02.cs.auckland.ac.nz>
In-Reply-To: <E1Ovj4f-0007mZ-4a@wintermute02.cs.auckland.ac.nz>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
Subject: Re: [TLS] Accept draft-turner-ssl-must-not-02 as WG item
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 15 Sep 2010 06:57:29 -0000
On 09/14/2010 10:54 PM, Peter Gutmann wrote: > Martin Rex<mrex@sap.com> writes: > >> Personally I can not think of a reason to move away from what rfc-5246 >> appendix E.2 says. > > [...] Without a clear MUST > NOT for the server to finally get clients to switch off SSLv2 hellos, we're > never going to get rid of these things. I 100% agree on the goal of getting everyone exchanging the modern, extension-compatible Hellos. I also think that the "tough love" approach is sometimes needed to move these things forward, particularly where they diminish security. I'm thinking though that this document is kind of an unusual case. For example, if you're not compliant with RFC 791 (Internet Protocol), you can't exchange packets over the internet. If you don't implement RFC 793 (Transmission Control Protocol), you can't talk with most network services. Likewise, if you don't implement most of RFC 2246 (TLS 1.0) and some related standards, you won't be doing any shopping online. But if draft-turner-ssl-must-not-02 becomes RFC NNNN, that means... If you don't implement RFC NNNN, then you _can_ successfully continue to interoperate with some set of servers? With no inherent sacrifice of performance or security? Conversely, if you _do_ implement this future RFC NNNN, you must now cease interoperating with previously legitimate requests. So what is the expected consequence to a vendor for _not_ implementing this possible future RFC? It's not something that the vendor misses out on, like the big party going on over in TCP port 443. Certainly no prospective customer is going to push them for support of RFC NNNN. Why would any vendor implement this spec unless they were planning to follow its recommendations for their own set of reasons anyway? We've all vented to our co-workers (and spouses) at one time or another: "that goshdarn vendor will just never add support for RFC such-and-such even though it was standardized years ago, if only they took standards compliance more seriously!" Could it be that publishing a set of SHOULDs and MUSTs that are likely to be summarily disregarded has the potential to, um, erode the authority of the standards process a little bit? It's not like implementers had jumped to add support for all the optional extensions when they were first defined. Today only a tiny fraction of TCP port 443 servers implement TLS 1.1 or 1.2 (827 and 11 out of 607,249 respectively http://blog.ivanristic.com/Qualys_SSL_Labs-State_of_SSL_2010-v1.6.pdf). It's been said that the only way we will move old protocols forward is to find some killer security hole in the old version. It also seems to be ever more frequently repeated that "SSL is irreparably broken". But I'm not so cynical. (Sorry, it doesn't happen often. :-) Perhaps folks could be enthusiastic again about upgrading if they expected it to bring new and improved functionality which even served their short term self-interest a little. You know, like the old times. I could see that it might be helpful to give an engineer some official support for removing some attack surface that nobody's really using anyway. In this case, could that need be equally served by an informational RFC? - Marsh
- Re: [TLS] Accept draft-turner-ssl-must-not-02 as … Martin Rex
- [TLS] Accept draft-turner-ssl-must-not-02 as WG i… Eric Rescorla
- Re: [TLS] Accept draft-turner-ssl-must-not-02 as … Peter Gutmann
- Re: [TLS] Accept draft-turner-ssl-must-not-02 as … Paul Hoffman
- Re: [TLS] Accept draft-turner-ssl-must-not-02 as … Michael D'Errico
- Re: [TLS] Accept draft-turner-ssl-must-not-02 as … Sean Turner
- Re: [TLS] Accept draft-turner-ssl-must-not-02 as … Marsh Ray
- Re: [TLS] Accept draft-turner-ssl-must-not-02 as … Yoav Nir
- Re: [TLS] Accept draft-turner-ssl-must-not-02 as … Peter Saint-Andre
- Re: [TLS] Accept draft-turner-ssl-must-not-02 as … Martin Rex
- Re: [TLS] Accept draft-turner-ssl-must-not-02 as … Russ Housley
- Re: [TLS] Accept draft-turner-ssl-must-not-02 as … Martin Rex
- Re: [TLS] Accept draft-turner-ssl-must-not-02 as … Geoffrey Keating
- Re: [TLS] Accept draft-turner-ssl-must-not-02 as … Simon Josefsson
- Re: [TLS] Accept draft-turner-ssl-must-not-02 as … Sean Turner
- Re: [TLS] Accept draft-turner-ssl-must-not-02 as … Sean Turner
- Re: [TLS] Accept draft-turner-ssl-must-not-02 as … Martin Rex