Re: [TLS] TLS Protocol Version
Blumenthal, Uri - 0662 - MITLL wrote:
> 
> Is it the only viable solution???

I am open to suggestions and improvements.

It is the best one that _I_ have found in the SSLv3/TLSv1.0
ServerHello PDU (there are not that many elements to choose from).

Since this signal is security relevant, *I* strongly prefer
that old servers are extremely unlikely to create this value by accident.


> 
> I am concerned about "overloading" fields and assigning an additional
> meaning to them that they did not have. Not a clean design or
> programming practice, and prone to causing people or code used
> to the "old" meaning to stumble.

In principle, I tend to agree.

However, we are actually changing several past revisions of a protocol
in a significant and purposely non-interoperable fashion -- because
that interoperability turned out to be a security problem.

I will try to provide sufficiently clear guidance to implementors
what this particular change means -- and only code which implements
the fix will ever be confronted with this changed semantics that
should _only_ be visible in the network transfer encoding.

It is really just a method to compress an extra bit of information
representing a protocol change orthogonal to existing protocol
versions into the network transfer encoding of the
server_version element in the ServerHello PDU.

-Martin
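Added example, not part of the thread or of any implementation discussed in it: a minimal decoder for the SSLv3/TLSv1.0 ServerHello that pulls out the server_version field Martin is talking about, plus a strict check that only accepts version encodings a conforming server is known to emit. The point it illustrates is the concern raised above: any signal carried in server_version must use an encoding that legacy code will not produce by accident, and code that validates the field strictly will notice when the encoding changes. The thread does not specify which value the proposal uses, so the example deliberately does not assume one; the out-of-range value in the test is constructed only to exercise the check. The record builder, the zeroed random and the cipher suite value are constructed test input.

```python
import struct

# Protocol versions a conforming SSL/TLS server is expected to place in
# server_version, as (major, minor) on the wire.
KNOWN_VERSIONS = {
    (3, 0): "SSLv3",
    (3, 1): "TLSv1.0",
    (3, 2): "TLSv1.1",
    (3, 3): "TLSv1.2",
}


def classify_server_version(version):
    """Map a (major, minor) pair to a protocol name, or 'unrecognized'
    when the encoding is not one a conforming server normally emits."""
    return KNOWN_VERSIONS.get(tuple(version), "unrecognized")


def parse_server_hello(record):
    """Decode one TLS record carrying a ServerHello handshake message.

    Returns the fields up to compression_method; extensions (if any)
    are ignored because the version check does not need them.
    """
    # TLSPlaintext header: content_type(1) version(2) length(2)
    if len(record) < 5:
        raise ValueError("truncated record header")
    ctype, rec_major, rec_minor, rec_len = struct.unpack("!BBBH", record[:5])
    if ctype != 22:
        raise ValueError("not a handshake record")
    body = record[5:5 + rec_len]
    if len(body) != rec_len:
        raise ValueError("truncated record body")

    # Handshake header: msg_type(1) length(3); 2 == server_hello
    if len(body) < 4 or body[0] != 2:
        raise ValueError("not a ServerHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hs = body[4:4 + hs_len]
    if len(hs) != hs_len:
        raise ValueError("truncated handshake body")

    # ServerHello: server_version(2) random(32) session_id<0..32>
    #              cipher_suite(2) compression_method(1)
    if len(hs) < 35:
        raise ValueError("ServerHello too short")
    major, minor = hs[0], hs[1]
    random_bytes = hs[2:34]
    sid_len = hs[34]
    if sid_len > 32 or len(hs) < 35 + sid_len + 3:
        raise ValueError("bad session_id length")
    session_id = hs[35:35 + sid_len]
    off = 35 + sid_len
    cipher_suite = struct.unpack("!H", hs[off:off + 2])[0]
    compression = hs[off + 2]
    return {
        "record_version": (rec_major, rec_minor),
        "server_version": (major, minor),
        "random": random_bytes,
        "session_id": session_id,
        "cipher_suite": cipher_suite,
        "compression": compression,
    }


def build_server_hello(major, minor, cipher_suite=0x002F, session_id=b""):
    """Constructed test input: a ServerHello record with a zeroed random,
    the given server_version and null compression."""
    random_bytes = bytes(32)
    body = (bytes([major, minor]) + random_bytes
            + bytes([len(session_id)]) + session_id
            + struct.pack("!H", cipher_suite) + b"\x00")
    hs = b"\x02" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


def check_server_hello(record):
    """Parse a record and report the protocol the server_version denotes.
    A strict implementation would abort the handshake on 'unrecognized'."""
    hello = parse_server_hello(record)
    return classify_server_version(hello["server_version"])


if __name__ == "__main__":
    print(check_server_hello(build_server_hello(3, 1)))      # TLSv1.0
    print(check_server_hello(build_server_hello(3, 0x7F)))   # unrecognized
```

Run as a script it prints the classification for a normal TLSv1.0 ServerHello and for one whose minor version byte no conforming server emits. The second case is what a strict legacy parser would reject outright, which is exactly why a signal overloaded onto this field has to be documented for implementors of the fix and must stay invisible to everything else.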