Re: [TLS] padding bug

Peter Gutmann <> Fri, 20 September 2013 13:29 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 8D21021F995B for <>; Fri, 20 Sep 2013 06:29:43 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.57
X-Spam-Status: No, score=-2.57 tagged_above=-999 required=5 tests=[AWL=0.029, BAYES_00=-2.599]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id bBNsKBpNUmIv for <>; Fri, 20 Sep 2013 06:29:38 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTP id 002B521F9767 for <>; Fri, 20 Sep 2013 06:29:36 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple;;; q=dns/txt; s=uoa; t=1379683778; x=1411219778; h=from:to:subject:date:message-id: content-transfer-encoding:mime-version; bh=rlackX4M0VS47GrRl4HKRW0Y3tM+Vo0ftulKnEkNl9M=; b=i3t+I93CZAuFbmCuPfGzrlEhlLBRAYkoc05J/jAak737AKMpFgIQP8Sq 2kSKvDvo5EKYkLmQgrvLtbxJyS3G8gL9NdAa03YxYMtDUKVEQ8mYJIB24 jHaCdrm8Afz6eClo54B0yD6u3BEiu4Cgi/ibIgsg+P08YRV1Mgis5RcH/ s=;
X-IronPort-AV: E=Sophos;i="4.90,944,1371038400"; d="scan'208";a="213251377"
X-Ironport-Source: - Outgoing - Outgoing
Received: from ([]) by with ESMTP/TLS/AES128-SHA; 21 Sep 2013 01:29:35 +1200
Received: from ([]) by ([]) with mapi id 14.02.0318.004; Sat, 21 Sep 2013 01:29:35 +1200
From: Peter Gutmann <>
To: "" <>
Thread-Topic: [TLS] padding bug
Thread-Index: Ac62BXKJPwFODXUbTnCN6PSCJqCALg==
Date: Fri, 20 Sep 2013 13:29:35 +0000
Message-ID: <>
Accept-Language: en-NZ, en-GB, en-US
Content-Language: en-NZ
x-originating-ip: []
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Subject: Re: [TLS] padding bug
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 20 Sep 2013 13:29:43 -0000

Eric Rescorla <> writes:

>Of course, this naturally raises the question of whether this document will
>be accepted by the TLS WG.

It seems to be accepted by everyone except the WG chairs, who point to:

>However, as I think recent discussion indicates, there are a number of
>proposed approaches and there isn't really consensus to adopt this particular

Can you provide concrete examples of this lack of consensus?  It's already
present in deployed implementations (as I mentioned a while back, the response
of one SSL library developer was "this should have been done ten years ago").
So lets reverse this, if the WG chairs think that there are viable alternative
approaches could they please point to *currently active RFC drafts* (not an
expired six-month-old text but a current draft) with authors willing to
actively champion their approaches on the list?

If this isn't possible, can we just go ahead and adopt it?  This is a decade-
old problem with a fairly trivial fix, and yet the NSA doesn't even need to
resort to BULLRUN-style subversion if the WG chairs are determined to block
its adoption.