Re: [TLS] draft-rescorla-tls-renegotiate.txt
On Sat, Nov 07, 2009 at 12:53:46AM +0100, Martin Rex wrote:
> Nicolas Williams wrote:
> > Stop using SSLv3.  Its end has arrived.
> 
> I was actually looking for an answer from engineering,
> not for one from sales.  :-|

:/

Right, the real choice is: stop using re-negotiation without the fix
and/or stop using TLS without the fix (which means stop using SSLv3).

The first choice leaves clients without the fix vulnerable when they
talk to servers that don't have the fix and do accept re-negotiation.
That's pretty bad (surely many servers won't get the short-term fix).

The second choice renders a large portion of the installed base
non-interoperable.  That's... much worse.

I don't know how addicted we are to re-negotiation and SSLv3, so I can't
tell you which choice should win in the short-term, but then, I think
turning off re-negotiation may well prove easier than we may have
thought (see my reply to Marsh just now).  In the longer term though, we
should deploy the fix and SSLv3 clients should go away.

Nico
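The message above frames the short-term choice around which peers have "the fix" (the renegotiation_info extension from the draft under discussion) and which are still on SSLv3. The following is an added example, not code from this thread or from any TLS implementation, that a defender could use to sort a server into those buckets from a captured ServerHello: it parses the record, reports the negotiated version, and checks for the renegotiation_info extension. It assumes the extension type value 0xff01 that RFC 5746 (the published successor of the draft) assigned; the sample records it parses are constructed inline, not captured from any real server.

```python
import struct

# Extension type for renegotiation_info as assigned in RFC 5746
# (assumption: the final value, not the draft's placeholder).
RENEGOTIATION_INFO = 0xFF01
SSLV3 = (3, 0)


def build_server_hello(version, extensions=None) -> bytes:
    """Construct a minimal TLS record carrying a ServerHello (sample data only).

    version    -- (major, minor) tuple, e.g. (3, 1) for TLS 1.0
    extensions -- None for a legacy hello with no extensions block at all,
                  or a list of (type, data) pairs (possibly empty).
    """
    hello = bytes(version)           # server_version
    hello += b"\x11" * 32            # random (constant filler, sample only)
    hello += b"\x00"                 # session_id length 0
    hello += b"\x00\x2f"             # cipher_suite TLS_RSA_WITH_AES_128_CBC_SHA
    hello += b"\x00"                 # compression_method null
    if extensions is not None:
        exts = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
        hello += struct.pack("!H", len(exts)) + exts
    handshake = b"\x02" + len(hello).to_bytes(3, "big") + hello   # HandshakeType server_hello
    return b"\x16" + bytes(version) + struct.pack("!H", len(handshake)) + handshake


def parse_server_hello(record: bytes) -> dict:
    """Parse one handshake record holding a ServerHello.

    Returns the negotiated version, cipher suite and whether the server
    advertised renegotiation_info (i.e. has the fix).
    """
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if len(body) < 4 or body[0] != 0x02:
        raise ValueError("not a ServerHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    if len(hello) != hs_len:
        raise ValueError("truncated ServerHello")
    version = (hello[0], hello[1])
    pos = 2 + 32                                  # skip server_version + random
    sid_len = hello[pos]
    pos += 1 + sid_len                            # skip session_id
    cipher = struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 2
    pos += 1                                      # compression_method
    secure_reneg = False
    if pos < len(hello):                          # extensions block is optional
        ext_len = struct.unpack("!H", hello[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        if end != len(hello):
            raise ValueError("bad extensions length")
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", hello[pos:pos + 4])
            pos += 4
            if pos + elen > end:
                raise ValueError("extension overruns block")
            pos += elen                           # extension data not needed here
            if etype == RENEGOTIATION_INFO:
                secure_reneg = True
    return {
        "version": version,
        "cipher_suite": cipher,
        "secure_renegotiation": secure_reneg,
        "sslv3": version == SSLV3,
    }


def classify(record: bytes) -> str:
    """Map a ServerHello to the buckets discussed in the thread."""
    info = parse_server_hello(record)
    if info["secure_renegotiation"]:
        return "fixed"                 # server has the fix; renegotiation is safe
    if info["sslv3"]:
        return "legacy-sslv3"          # cannot carry the extension at all
    return "legacy-tls"                # TLS without the fix; renegotiation is a risk


if __name__ == "__main__":
    # Constructed samples: a fixed TLS 1.0 server (renegotiation_info with an
    # empty renegotiated_connection, encoded as a single zero length byte),
    # an unfixed TLS 1.0 server, and an SSLv3 server.
    fixed = build_server_hello((3, 1), [(RENEGOTIATION_INFO, b"\x00")])
    unfixed = build_server_hello((3, 1))
    sslv3 = build_server_hello((3, 0))
    for name, rec in [("fixed", fixed), ("unfixed", unfixed), ("sslv3", sslv3)]:
        print(name, classify(rec), parse_server_hello(rec))
```

The classifier only inspects what the server advertises; the full fix also requires verifying the renegotiated_connection contents on each renegotiation, which a passive one-record check cannot do.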