[TLS] Re: Mike Bishop's No Objection on draft-ietf-tls-rfc8446bis-12: (with COMMENT)
Mike Bishop <mbishop@evequefou.be> Mon, 02 June 2025 14:40 UTC
From: Mike Bishop <mbishop@evequefou.be>
To: Eric Rescorla <ekr@rtfm.com>
Date: Mon, 02 Jun 2025 14:40:12 +0000
CC: The IESG <iesg@ietf.org>, "draft-ietf-tls-rfc8446bis@ietf.org" <draft-ietf-tls-rfc8446bis@ietf.org>, "tls-chairs@ietf.org" <tls-chairs@ietf.org>, "tls@ietf.org" <tls@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/wj7Wl_qVZmJslHMtV8W1OTIFr0o>
Sorry, I should have quoted it. It's https://tlswg.org/tls13-spec/draft-ietf-tls-rfc8446bis.html#section-4.1.3-11 in the editor's copy:

    [RFC8996] <https://tlswg.org/tls13-spec/draft-ietf-tls-rfc8446bis.html#RFC8996> and Appendix E.5 <https://tlswg.org/tls13-spec/draft-ietf-tls-rfc8446bis.html#backward-compatibility-security> forbid the negotiation of TLS versions below 1.2. However, server implementations which do not follow that guidance MUST set the last 8 bytes of their ServerHello.random value to the bytes:

        44 4F 57 4E 47 52 44 00

Appendix E.5 states that versions below 1.2 "MUST NOT be negotiated for any reason," yet this text then has a MUST-level requirement applying exclusively to server implementations which ignore the MUST NOT.

________________________________
From: Eric Rescorla <ekr@rtfm.com>
Sent: Friday, May 30, 2025 10:54 AM
To: Mike Bishop <mbishop@evequefou.be>
Cc: The IESG <iesg@ietf.org>; draft-ietf-tls-rfc8446bis@ietf.org <draft-ietf-tls-rfc8446bis@ietf.org>; tls-chairs@ietf.org <tls-chairs@ietf.org>; tls@ietf.org <tls@ietf.org>; sean@sn3rd.com <sean@sn3rd.com>
Subject: Re: Mike Bishop's No Objection on draft-ietf-tls-rfc8446bis-12: (with COMMENT)

Thank you for comments. I have made a PR to address most of these comments:
https://github.com/tlswg/tls13-spec/pull/1385

I am a bit unsure about one comment. Can you point to the offending text for the comment below:

> The language around the SCSV for pre-1.2 values feels odd. You MUST NOT negotiate older versions, but if you do anyway, you MUST do it this way? I would shift this to a description of how clients and servers were required to behave prior to this revision of 1.3 at most.
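The mechanism the quoted paragraph is about is the ServerHello.random downgrade sentinel of RFC 8446 section 4.1.3. The following is an added example written for this page; it is not code from the draft, from the thread participants, or from any TLS library. It goes slightly beyond the quoted text: the second sentinel value (44 4F 57 4E 47 52 44 01, marking a downgrade to TLS 1.2) and the client-side check rules are taken from RFC 8446 section 4.1.3, not from the message above. The ServerHello builder is a constructed stub that emits only the fields the check needs (fixed cipher suites, no key_share), and the `server_sets_sentinel=False` path models exactly the server the message discusses: one that negotiates a version below 1.2 and ignores the MUST in 4.1.3.

```python
"""Downgrade-sentinel marking (server) and detection (client) on ServerHello.random,
following RFC 8446 section 4.1.3. Added example, not code from the draft or any TLS
implementation. Sentinel byte values are those of RFC 8446; the 01 value and the
client-side rules are assumptions taken from that RFC, not from the mailing list text."""
import os
import struct

TLS_1_1 = 0x0302
TLS_1_2 = 0x0303
TLS_1_3 = 0x0304
EXT_SUPPORTED_VERSIONS = 43

DOWNGRADE_TLS12 = bytes.fromhex("444F574E47524401")  # b"DOWNGRD\x01": negotiated TLS 1.2
DOWNGRADE_TLS11 = bytes.fromhex("444F574E47524400")  # b"DOWNGRD\x00": negotiated TLS 1.1 or below


def server_random(negotiated_version: int, rng=os.urandom) -> bytes:
    """ServerHello.random as a TLS 1.3-capable server must produce it: 32 random bytes
    when it negotiates 1.3, otherwise 24 random bytes followed by the sentinel."""
    if negotiated_version >= TLS_1_3:
        return rng(32)
    if negotiated_version == TLS_1_2:
        return rng(24) + DOWNGRADE_TLS12
    return rng(24) + DOWNGRADE_TLS11


def build_server_hello(negotiated_version: int, random32: bytes) -> bytes:
    """Constructed ServerHello body (no 4-byte handshake header). TLS 1.3 signals its
    version in supported_versions and keeps legacy_version at 0x0303; older versions
    put the negotiated version in legacy_version. Cipher suites are fixed placeholders."""
    legacy = min(negotiated_version, TLS_1_2)
    body = struct.pack("!H", legacy) + random32
    body += b"\x00"  # empty legacy_session_id_echo
    body += b"\x13\x01" if negotiated_version >= TLS_1_3 else b"\xc0\x2f"
    body += b"\x00"  # legacy_compression_method
    if negotiated_version >= TLS_1_3:
        ext = struct.pack("!HHH", EXT_SUPPORTED_VERSIONS, 2, TLS_1_3)
        body += struct.pack("!H", len(ext)) + ext
    return body


def parse_server_hello(body: bytes):
    """Return (legacy_version, random, selected_version). selected_version comes from
    the supported_versions extension when present, else from legacy_version."""
    off = 0
    (legacy_version,) = struct.unpack_from("!H", body, off)
    off += 2
    random32 = body[off:off + 32]
    off += 32
    off += 1 + body[off]  # legacy_session_id_echo
    off += 2 + 1          # cipher_suite, legacy_compression_method
    selected = legacy_version
    if off < len(body):
        (ext_len,) = struct.unpack_from("!H", body, off)
        off += 2
        end = off + ext_len
        while off + 4 <= end:
            etype, elen = struct.unpack_from("!HH", body, off)
            off += 4
            edata = body[off:off + elen]
            off += elen
            if etype == EXT_SUPPORTED_VERSIONS and elen == 2:
                (selected,) = struct.unpack("!H", edata)
    return legacy_version, random32, selected


def client_verdict(random32: bytes, selected_version: int, client_max_version: int) -> str:
    """RFC 8446 4.1.3 client rule: a 1.3 client offered 1.3 but got <= 1.2 must reject
    either sentinel; a 1.2 client that got <= 1.1 should reject the 00 sentinel.
    Returns the alert the client would send, or 'accept'."""
    tail = random32[-8:]
    if client_max_version >= TLS_1_3 and selected_version <= TLS_1_2:
        if tail in (DOWNGRADE_TLS12, DOWNGRADE_TLS11):
            return "illegal_parameter"
    elif client_max_version == TLS_1_2 and selected_version <= TLS_1_1:
        if tail == DOWNGRADE_TLS11:
            return "illegal_parameter"
    return "accept"


def run_scenario(client_max_version: int, negotiated_version: int,
                 server_sets_sentinel: bool = True, rng=os.urandom) -> str:
    """Server builds the ServerHello for negotiated_version; client parses and judges it.
    server_sets_sentinel=False models a server that ignores the MUST in 4.1.3, which is
    the case the message above is about: the client then has nothing to detect."""
    rnd = server_random(negotiated_version, rng) if server_sets_sentinel else rng(32)
    _, rnd_parsed, selected = parse_server_hello(build_server_hello(negotiated_version, rnd))
    return client_verdict(rnd_parsed, selected, client_max_version)


if __name__ == "__main__":
    for cmax, neg, sentinel in [(TLS_1_3, TLS_1_3, True), (TLS_1_3, TLS_1_2, True),
                                (TLS_1_3, TLS_1_1, True), (TLS_1_3, TLS_1_1, False)]:
        print(hex(cmax), hex(neg), sentinel, run_scenario(cmax, neg, sentinel))
```

The last scenario is the point of the thread: when a server negotiates 1.1 without the sentinel, the client's check returns "accept", so the MUST in 4.1.3 is what gives a compliant client anything to detect against a non-compliant server.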