Re: [TLS] Encrypt-then-MAC again (was Re: padding bug)

Bodo Moeller <bmoeller@acm.org> Fri, 29 November 2013 13:00 UTC

> > This topic was discussed at the TLS WG meeting in Vancouver
> > (since you declined to attend, Joe Salowey provided a brief
> > description of the two options). Your proposed approach
> > had no support in the room. You can find the minutes here:
> >
> > http://tools.ietf.org/wg/tls/minutes?item=minutes-88-tls.html
>

That page looks broken (garbled UTF-8?).  Try
http://www.ietf.org/proceedings/88/minutes/minutes-88-tls for a more
legible version (PDF).


> > So, while there has been some support on the list, I don't
> > believe that this supports the claim that there is rough
> > consensus for this draft.
>
> Where are the opponents on the list? Anyone can hum, but I would like
> to see them put their names and reasons down


Decisions at meetings can't silently override mailing list consensus, but I
think Eric felt that the meeting outcome merely reflected a lack of
consensus that he'd previously already got from the list -- see his
previous summary on this list here:

http://www.ietf.org/mail-archive/web/tls/current/msg10004.html

(That said, Nikos' complaint seems bogus to me.  Peter's proposal seems
fine from a security point of view -- as long as clients refuse to
unnecessarily roll back to SSL 3.0, e.g. using
draft-bmoeller-tls-downgrade-scsv-01 --, the question is just if it's worth
the extra complexity given the other options.)

Bodo