Re: [TLS] COMMENT: draft-ietf-tls-renegotiation

Martin Rex <mrex@sap.com> Wed, 16 December 2009 03:37 UTC

From: Martin Rex <mrex@sap.com>
Message-Id: <200912160337.nBG3bRSM014247@fs4113.wdf.sap.corp>
To: mrex@sap.com
Date: Wed, 16 Dec 2009 04:37:27 +0100
In-Reply-To: <200912160057.nBG0vvZw004261@fs4113.wdf.sap.corp> from "Martin Rex" at Dec 16, 9 01:57:57 am
Cc: canetti@tau.ac.il, iesg@ietf.org, tls@ietf.org

Martin Rex wrote:
> 
> To me, the effectively usable protocol version negotiation in TLS
> (as inherited from SSLv3) for the installed base is a mess.
> If they had used a set (like it's done with the cipher_suites and
> compression_methods), then the nursing problems would probably
> be gone by now.  Another drawback from the existing version
> negotiation is that implementations de-facto have to implement
> all protocol versions, and given budget constraints of today's
> world, TLSv1.0 is likely the protocol with the highest
> return-of-investment.

Actually, that is likely incorrect.
SSLv3 is probably still the protocol with the highest return-of-investment.

Up to this day, SSLv3 is the _only_ protocol version that will
provide almost universal interoperability.

There are several hundred million SSL clients out there, which,
although capable of extension-less TLSv1.0, have this disabled.

That platform is known as Windows XP, and it was sold well into
2009 with brand new hardware of the Netbook type (160 GB disk, 1 GB RAM),
and that was actually the fastest growing PC market segment.

But it isn't any different for Windows 2003 / Windows XP 64-bit,

From the 5 PCs I use (2 at work, 3 at home), 4 are WindowsXPsp3
and one is WindowsXPpro 64-bit.

And I use the original MSIE for Online Banking with active
content (javascript) enabled, while I use Firefox with active
content disabled for web browsing.  My family still uses MSIE only.


Businesses simply can not afford to _not_ support SSLv3 today.
Maybe in a few years.  But not now.  

-Martin