Re: [TLS] Proposal for hybrid solution using most of the ideas
David-Sarah Hopwood wrote:
>
> >> because the server needs to be patched in order for a renegotiating
> >> handshake to succeed. If it is patched, then it is TLS- and
> >> extension-tolerant.
> >
> > That may be(come) true,
>
> It is true by definition, since a TLS- or extension-intolerant server
> wouldn't conform to the spec for the patch.

Mind you, extension-tolerant isn't sufficient for TLS extension RI.
MSIE8 on Windows2008 will send 4 extensions already, and
TLS extension RI would be the 5th. So you need to make sure
that your code can weed out the TLS extension RI from anywhere
within the extensions list when you're newly adding it to
a codeline that doesn't have TLS extensions support yet,
in order to be interoperable.

Asking SSLv3 implementations to improve on their extensions-intolerance
is still OK. Requiring them to implement generic TLS extensions
is not, because it has nothing to do with the problem and is
an unnecessary complexity for the fix.

-Martin
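
An added example, not part of the original message or of any implementation discussed in the thread: a bounds-checked scan that picks one extension out of a ClientHello extensions block wherever it sits, stepping over every other extension without interpreting it. The function name `find_extension` and the sample bytes are constructed for illustration; the codepoint 0xff01 is the one later assigned to renegotiation_info in RFC 5746.

```c
#include <stddef.h>
#include <stdint.h>

#define EXT_RENEGOTIATION_INFO 0xff01u /* value later assigned in RFC 5746 */

/* Scan an extensions block (2-byte total length, then type/length/data
 * records) for one type, skipping every other extension unparsed.
 * Returns the payload length if found, -1 if absent, -2 if malformed. */
int find_extension(const uint8_t *buf, size_t len, unsigned wanted,
                   const uint8_t **data)
{
    size_t pos = 2, end, elen;
    unsigned type;
    int found = -1;

    if (len < 2)
        return -2;
    end = 2 + (((size_t)buf[0] << 8) | buf[1]);
    if (end != len)
        return -2;                 /* declared length must match buffer */
    while (pos < end) {
        if (end - pos < 4)
            return -2;             /* truncated extension header */
        type = ((unsigned)buf[pos] << 8) | buf[pos + 1];
        elen = ((size_t)buf[pos + 2] << 8) | buf[pos + 3];
        pos += 4;
        if (elen > end - pos)
            return -2;             /* payload runs past the block */
        if (type == wanted) {
            if (found >= 0)
                return -2;         /* same extension listed twice */
            found = (int)elen;
            if (data)
                *data = buf + pos;
        }
        pos += elen;               /* other types: step over, do not parse */
    }
    return found;
}

/* Constructed sample: four unrelated extensions with filler payloads,
 * then renegotiation_info carrying a single zero byte in fifth place. */
const uint8_t sample_exts[] = {
    0x00, 0x1b,
    0x00, 0x00, 0x00, 0x02, 0xaa, 0xbb,  0x00, 0x05, 0x00, 0x01, 0x01,
    0x00, 0x0a, 0x00, 0x02, 0x00, 0x17,  0x00, 0x0b, 0x00, 0x01, 0x00,
    0xff, 0x01, 0x00, 0x01, 0x00,
};
```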
Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.