Re: [TLS] [POSSIBLE SPAM] Re: draft-ietf-tls-renegotation: next steps
"Kemp, David P." <DPKemp@missi.ncsc.mil> Wed, 16 December 2009 20:01 UTC
Return-Path: <DPKemp@missi.ncsc.mil>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id B11953A6900 for <tls@core3.amsl.com>; Wed, 16 Dec 2009 12:01:35 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.799
X-Spam-Level:
X-Spam-Status: No, score=-5.799 tagged_above=-999 required=5 tests=[AWL=0.800, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mhZgWe0bPvSN for <tls@core3.amsl.com>; Wed, 16 Dec 2009 12:01:34 -0800 (PST)
Received: from stingray.missi.ncsc.mil (stingray.missi.ncsc.mil [144.51.50.20]) by core3.amsl.com (Postfix) with ESMTP id C15893A67F3 for <tls@ietf.org>; Wed, 16 Dec 2009 12:01:34 -0800 (PST)
X-MimeOLE: Produced By Microsoft Exchange V6.5
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Date: Wed, 16 Dec 2009 15:00:39 -0500
Message-ID: <200912162001.nBGK1K4I028293@stingray.missi.ncsc.mil>
In-Reply-To: <4B292A00.5020901@extendedsubset.com>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: [POSSIBLE SPAM] Re: [TLS] draft-ietf-tls-renegotation: next steps
Thread-Index: Acp+f7COvwxtpENISPu5YWrLxwi2EQAArVJw
References: <200912161658.nBGGwZDb003213@fs4113.wdf.sap.corp> <4B292A00.5020901@extendedsubset.com>
From: "Kemp, David P." <DPKemp@missi.ncsc.mil>
To: tls@ietf.org
X-OriginalArrivalTime: 16 Dec 2009 20:01:42.0578 (UTC) FILETIME=[964E4920:01CA7E8A]
Subject: Re: [TLS] [POSSIBLE SPAM] Re: draft-ietf-tls-renegotation: next steps
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 16 Dec 2009 20:01:35 -0000
Martin's text contradicts the AD's decision ... Pasi wrote: > - There was some discussion on whether to add the magic cipher suite > to patched renegotiation ClientHellos (in addition to the extension), > too. I believe rough consensus is not to do this. In addition, the logic of not permitting RI unless some other extension is used is dubious. A client with no need to cater to servers that are both broken and unpatched should not be forced to gin up some other extension just so it will be allowed to send an empty RI. Put me down in favor of the existing text: > TLS clients which support this draft MUST generate either the > "renegotiation_info" extension or the TLS_RENEGO_PROTECTION_REQUEST > cipher suite with every ClientHello. ... with possible addition of "or both" just to be perfectly clear that "either" means or, not exclusive-or. Dave -----Original Message----- From: tls-bounces@ietf.org [mailto:tls-bounces@ietf.org] On Behalf Of Marsh Ray Sent: Wednesday, December 16, 2009 1:42 PM To: mrex@sap.com Cc: tls@ietf.org Subject: [POSSIBLE SPAM] Re: [TLS] draft-ietf-tls-renegotation: next steps Importance: Low Martin Rex wrote: > > One possible semantic that would address my technical issues > would be along these lines: > > All conforming Clients MUST include the cipher suite value > TLS_RENEGO_PROTECTION_REQUEST in the cipher_suites list of _every_ > ClientHello handshake message they send. This includes clients that > do not implement renegotiation or have it disabled. This cipher > suite value MAY appear anywhere in the cipher_suites list. > > Conforming clients that compose an initial ClientHello handshake > messages with other TLS extensions, MAY additionally include > an empty TLS extension "renegotiation_info". Current wording http://tools.ietf.org/html/draft-ietf-tls-renegotiation-01 > TLS clients which support this draft MUST generate either the > "renegotiation_info" extension or the TLS_RENEGO_PROTECTION_REQUEST > cipher suite with every ClientHello. I expect it will be reiterated in the next revision. How does this not address the fundamental issue? (Other than it doesn't provide assistance to an implementation which chooses to conduct an insecure negotiation and subsequent insecure renegotiation with an old unpatched extensions-intolerant server). And if not, does anyone propose wording that substantially improves it without changing the current cryptographic computations (e.g., the PRF inputs)? Short and to the point please! - Marsh _______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls
- [TLS] draft-ietf-tls-renegotation: next steps Pasi.Eronen
- Re: [TLS] draft-ietf-tls-renegotation: next steps Martin Rex
- Re: [TLS] draft-ietf-tls-renegotation: next steps Paul Hoffman
- Re: [TLS] draft-ietf-tls-renegotation: next steps Michael D'Errico
- Re: [TLS] draft-ietf-tls-renegotation: next steps Martin Rex
- Re: [TLS] draft-ietf-tls-renegotation: next steps Marsh Ray
- Re: [TLS] draft-ietf-tls-renegotation: next steps Eric Rescorla
- Re: [TLS] [POSSIBLE SPAM] Re: draft-ietf-tls-rene… Kemp, David P.
- Re: [TLS] draft-ietf-tls-renegotation: next steps Marsh Ray
- Re: [TLS] draft-ietf-tls-renegotation: next steps Martin Rex
- Re: [TLS] [POSSIBLE SPAM] Re: draft-ietf-tls-rene… Martin Rex
- Re: [TLS] [POSSIBLE SPAM] Re: draft-ietf-tls-rene… Marsh Ray
- [TLS] Generic process issues (Re: Re: draft-ietf-… Nicolas Williams
- Re: [TLS] [POSSIBLE SPAM] Re: draft-ietf-tls-rene… Martin Rex
- Re: [TLS] [POSSIBLE SPAM] Re: draft-ietf-tls-rene… Martin Rex
- Re: [TLS] [POSSIBLE SPAM] Re: draft-ietf-tls-rene… Marsh Ray
- Re: [TLS] [POSSIBLE SPAM] Re: draft-ietf-tls-rene… Martin Rex
- Re: [TLS] draft-ietf-tls-renegotation: next steps David-Sarah Hopwood
- Re: [TLS] draft-ietf-tls-renegotation: next steps David-Sarah Hopwood
- Re: [TLS] draft-ietf-tls-renegotation: next steps Martin Rex
- Re: [TLS] [POSSIBLE SPAM] Re: draft-ietf-tls-rene… Marsh Ray
- Re: [TLS] draft-ietf-tls-renegotation: next Pasi.Eronen
- Re: [TLS] [POSSIBLE SPAM] Re: draft-ietf-tls-rene… Martin Rex
- Re: [TLS] [POSSIBLE SPAM] Re: draft-ietf-tls-rene… Martin Rex
- Re: [TLS] draft-ietf-tls-renegotation: next Martin Rex
- Re: [TLS] draft-ietf-tls-renegotation: next Martin Rex
- Re: [TLS] draft-ietf-tls-renegotation: next Marsh Ray
- Re: [TLS] draft-ietf-tls-renegotation: next Kyle Hamilton
- Re: [TLS] draft-ietf-tls-renegotation: next Martin Rex
- Re: [TLS] draft-ietf-tls-renegotation: next Michael D'Errico
- Re: [TLS] draft-ietf-tls-renegotation: next David-Sarah Hopwood