Re: [TLS] merging recent ideas into one new proposal

To: stefan at aaa-sec.com (Stefan Santesson)
Subject: Re: [TLS] merging recent ideas into one new proposal
From: Martin Rex <mrex at sap.com>
Date: Sat, 21 Nov 2009 02:08:57 +0100 (MET)
Cc: tls at ietf.org
Delivered-to: tls at core3.amsl.com
In-reply-to: <C72CDA81.67FD%stefan at aaa-sec.com> from "Stefan Santesson" at Nov 20, 9 11:45:05 pm
List-archive: <http://www.ietf.org/mail-archive/web/tls>
List-help: <mailto:tls-request@ietf.org?subject=help>
List-id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-post: <mailto:tls@ietf.org>
List-subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
List-unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
Reply-to: mrex at sap.com

Stefan,

Stefan Santesson wrote:
> 
> The repurposing of basic protocol elements smells too much like
> an ugly hack to me. It give me all kinds of bad vibes.
> 
> I liked the old proposal better.

Thanks for the feedback.  When I just started to describe the architecture
of storing the verify_data of the previous Finished message in the
Hello.Random, I realized that interop-testing this would not provide
any proof that an implementation was no longer vulnerable,
i.e. it's a fail UNsafe design just like TLS extension RI.

So I'm going to complete the I-D with the last design, based
on "manually" adding the verify_data to the handshake hashes
and S->C signaling through server_version.

-Martin

PS: I still like Steve's idea, though.  It would be fairly symmetric
in signaling: the Client offers a magic cipher suite for a modified
protocol first in his list of cipher_suites and the server agrees
to use it and sends it back in ServerHello.cipher_suite.

With the same symmetry, 32-bit of Hello.Random are re-purposed.
The negotiation through the ciphersuite would make this re-purposing
of the Hello.Random bits non-ambiguous and one could add
16 bidirectional signaling bits of extensibility for use by TLS WG.

If the information that you want to negotiate with your peer amounts
to essentially one bit, then a TLS extension is a pretty big
wrapping.  What would you say if your super-market would 
sell 1 quart of milk only in a box of lead that weighs 80lbs ?

References:
- Re: [TLS] merging recent ideas into one new proposal
  - From: Stefan Santesson

Prev by Date: Re: [TLS] merging recent ideas into one new proposal
Next by Date: Re: [TLS] Another critical problem with RI
Previous by thread: Re: [TLS] merging recent ideas into one new proposal
Next by thread: Re: [TLS] Need for S->C signaling
Index(es):
- Date
- Thread

Re: [TLS] merging recent ideas into one new proposal

Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.