Re: [TLS] Proposal for hybrid solution using most of the ideas

To: tls at ietf.org
Subject: Re: [TLS] Proposal for hybrid solution using most of the ideas
From: Michael D'Errico <mike-list at pobox.com>
Date: Thu, 19 Nov 2009 12:59:05 -0800
Delivered-to: tls at core3.amsl.com
Dkim-signature: v=1; a=rsa-sha1; c=relaxed; d=pobox.com; h=message-id :date:from:mime-version:to:subject:references:in-reply-to :content-type:content-transfer-encoding; s=sasl; bh=B/kMupKtJApa W014PiC3nQUrohc=; b=B7bXjpZ8BItO4z6wn05jY8diKTPuX6lZtmqv089xSG+U +KkoIYQGQcrWY8ynUuAlupKmjiCQLNmtlQfPXvPTN/kZ3F866QZBFpp2aLWe7C5e nNLw4p+IS1tLbfAhiCiPIMf2/sj4UeCxh4IMwI4a8VhIUDfowCLYT9+u64kl/Zo=
Domainkey-signature: a=rsa-sha1; c=nofws; d=pobox.com; h=message-id:date :from:mime-version:to:subject:references:in-reply-to :content-type:content-transfer-encoding; q=dns; s=sasl; b=aVitHq 202aPPXzGkpPftsA+MioCpfudfrnLxIGypyg440CdWO4i4U7/UJ2GwS0PPA4vRRw rUoVKPZDGUbOefWfQjHytuyrpIfVkeVIDP5xd1e1D+fVX+eNqP33PWOy0RRr8DML 0X9AwIPGhfkY7FR1JxVPj6hNUZQDbczLcjlf8=
In-reply-to: <4B05AA7C.2000805 at jacaranda.org>
List-archive: <http://www.ietf.org/mail-archive/web/tls>
List-help: <mailto:tls-request@ietf.org?subject=help>
List-id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-post: <mailto:tls@ietf.org>
List-subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
List-unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
References: <C72A33ED.25989%dispensa at phonefactor.com> <4B05AA7C.2000805 at jacaranda.org>
User-agent: Thunderbird 2.0.0.23 (Macintosh/20090812)

David-Sarah Hopwood wrote:


No. Servers have to be TLS-tolerant (which later SSLv3 drafts already
required) and to handle one extension; not to support TLS.


When I send extensions, I send server_name, signature_algorithms, and
possibly others.  Saying that a server only has to support one extension
is going to cause trouble.

There's nothing particularly difficult about adding support for one
extension to an SSLv3 server. The extensions spec does not make any
assumptions that hold only for TLS and not SSLv3.


There are likely ZERO SSLv3 servers that support extensions, so you're
asking them all to implement them.  That is unreasonable when an
alternative exists that doesn't require extensions.

Mike

References:
- Re: [TLS] Proposal for hybrid solution using most of the ideas
  - From: Steve Dispensa
- Re: [TLS] Proposal for hybrid solution using most of the ideas
  - From: David-Sarah Hopwood

Prev by Date: Re: [TLS] simplistic renego protection
Next by Date: Re: [TLS] Need for S->C signaling
Previous by thread: Re: [TLS] Proposal for hybrid solution using most of the ideas
Next by thread: Re: [TLS] Proposal for hybrid solution using most of the ideas
Index(es):
- Date
- Thread

Re: [TLS] Proposal for hybrid solution using most of the ideas

Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.