Re: [TLS] simplistic renego protection
David-Sarah Hopwood wrote:
>
> If lenient servers are allowed, then I think it will take *much* longer
> until the vulnerability is eliminated from most connections.

If lenient servers are not allowed, a server admin cannot patch his
server until all clients have patched. The world will have long given up
on renegotiation by then and just patched to disable it entirely.

If lenient servers are allowed, the servers can patch right away and
immediately begin protecting connections made with patched clients.

This group has to quit thinking it can dictate limits on functionality
in order to compel the consumers of the technology to do things your
way. The world isn't exactly leaping at the chance to upgrade to each
new TLS RFC you know. Trying to do that on a security fix is going to
leave a particularly bad taste in people's mouths.

- Marsh
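The trade-off argued above (a strict server locks out every unpatched client, a lenient server accepts them and still protects connections from patched clients) can be checked against the renegotiation_info binding of RFC 5746. The following is an added example, not code from the thread or from any TLS implementation: a toy server that models the two policies and the prefix-splice attack. The class and policy names are this example's own, and verify_data is a stand-in derived from a constructed transcript rather than real TLS PRF output.

```python
import hashlib

# Added example (not from the thread): toy model of RFC 5746 renegotiation_info
# ("RI") under two server policies.  "strict" aborts any handshake whose
# ClientHello lacks RI; "lenient" accepts such clients and allows legacy
# renegotiation for them.  Names and the verify_data stand-in are assumptions.

REJECTED = "rejected"
PROTECTED = "accepted (RI-bound)"
UNPROTECTED = "accepted (legacy, unbound)"


def verify_data(transcript: bytes) -> bytes:
    """Stand-in for TLS verify_data: 12 bytes derived from the transcript."""
    return hashlib.sha256(transcript).digest()[:12]


class ClientHello:
    def __init__(self, ri):
        # ri: None = no extension (unpatched client); b"" = initial handshake
        # of a patched client; otherwise the previous client_verify_data.
        self.ri = ri


class Server:
    def __init__(self, policy: str):
        assert policy in ("strict", "lenient")
        self.policy = policy
        self.secure_renegotiation = False  # was RI negotiated on this connection?
        self.client_verify_data = None     # saved from the last handshake

    def handle_client_hello(self, hello: ClientHello) -> str:
        if self.client_verify_data is None:
            return self._initial(hello)
        return self._renegotiation(hello)

    def _initial(self, hello: ClientHello) -> str:
        if hello.ri is None:
            if self.policy == "strict":
                return REJECTED
            self.secure_renegotiation = False
            self._finish(b"legacy-handshake")
            return UNPROTECTED
        if hello.ri != b"":
            return REJECTED  # RI on an initial handshake must be empty
        self.secure_renegotiation = True
        self._finish(b"ri-handshake")
        return PROTECTED

    def _renegotiation(self, hello: ClientHello) -> str:
        if self.secure_renegotiation:
            # RI must be present and equal the saved client_verify_data.
            if hello.ri is None or hello.ri != self.client_verify_data:
                return REJECTED
            self._finish(b"ri-renegotiation" + hello.ri)
            return PROTECTED
        # Legacy (insecure) renegotiation: only a lenient server allows it,
        # and only for a ClientHello carrying no RI at all.
        if self.policy == "strict" or hello.ri is not None:
            return REJECTED
        self._finish(b"legacy-renegotiation")
        return UNPROTECTED

    def _finish(self, transcript: bytes) -> None:
        self.client_verify_data = verify_data(transcript)


def honest_session(policy: str, patched: bool) -> list:
    """A legitimate client: initial handshake, then one renegotiation."""
    server = Server(policy)
    first = server.handle_client_hello(ClientHello(b"" if patched else None))
    if first == REJECTED:
        return [first]
    # A patched client derives the same client_verify_data from the shared
    # transcript; the server's copy stands in for that here.
    ri = server.client_verify_data if patched else None
    return [first, server.handle_client_hello(ClientHello(ri))]


def splice_attack(policy: str, victim_patched: bool) -> str:
    """Prefix-injection attack: the attacker completes its own handshake,
    then forwards the victim's *initial* ClientHello as a renegotiation."""
    victim_ri = b"" if victim_patched else None
    for attacker_ri in (None, b""):  # try a legacy connection, then an RI one
        server = Server(policy)
        if server.handle_client_hello(ClientHello(attacker_ri)) == REJECTED:
            continue
        outcome = server.handle_client_hello(ClientHello(victim_ri))
        if outcome != REJECTED:
            return outcome
    return REJECTED


if __name__ == "__main__":
    for policy in ("strict", "lenient"):
        for patched in (True, False):
            print(policy, "patched" if patched else "unpatched",
                  honest_session(policy, patched), splice_attack(policy, patched))
```

Running it shows the four cases: a strict server rejects unpatched clients outright, so the splice is moot but so is every legacy client; a lenient server still accepts them (and the splice succeeds against them), yet the same lenient server aborts the spliced handshake as soon as the victim's ClientHello carries an RI extension, because a legacy connection must not see RI and an RI-bound connection requires the saved verify_data.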

Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.