Chris Newman wrote:
Evaluation relative to draft-mrex-tls-secure-renegotiation-03:
Kudos to Martin Rex for producing such a good alternate proposal. The
introductory text up to and including section 4.1 is very good and would
improve draft-ietf-tls-renegotiation. While I would support a consensus to
publish the mrex document as the solution, I presently prefer
draft-ietf-tls-renegotiation-01 for four reasons:
1. Running code: multiple implementations and interop testing was
performed on an earlier version of draft-ietf-tls-renegotiation.
Even EKR admitted that implementing the update is an insignificant
amount of work.
Pushing this point, that there were interoperable implementations
when this proposal was made in the IETF smells very much like
a request for rubber stamping.
2. Impact to core protocol handshake: The mrex proposal alters the
handshake to include data that is not exchanged in-protocol.
If this impacts PKCS#11 hardware tokens or other SSL accelerators
(an issue mentioned by Dr Stephen Henson on the TLS list on
that could severely impact deployment.
Crypto hardware in general and PKCS#11 are not affected. What I am
changing is the plaintext input to a hash or hash-like function.
What might be affected is hardware implementations of SSL/TLS
or hardware-support for SSL/TLS in TLS endpoints. It might be
a firmware rather than hardware issue there.
So far, I haven't seen any vendor/implementor that is facing such
difficulties raising such concerns.
Which could mean two things:
1. there is no problem
2. those vendors/implementors have not looked at / evaluated
the current proposals.
(1) would make it a non-issue and (2) would indicate than a decision
in the IETF is _premature_, we would have to ask some of those
vendors/implementers for feedback before making a decision.
4. The mrex proposal requires use of TLS_RENEGO_PROTECTION_REQUEST in some
circumstances. That approach is untested in the field and I have
concerns it will negatively impact middleboxes.
Huh? That sounds extremely unbelievable.
Do any of the browser vendors cut down on ciphersuites in their
current reconnect fallbacks -- and remove ciphersuites like
those with AES?
A quick glance indicates that Firefox 3.0.15 happily sends
a list of 18 ciphersuites, including Camellia, in an SSLv2 ClientHello
on reconnect fallback.
As draft-ietf-tls-renegotiation allows use of either the cipher suite
value or the extension for C->S signaling, that mitigates the concern --
the field can choose the mechanism that works best.
I consider this a defect in draft-ietf-tls-renegotiation-01.
There should be exactly **ONE** signaling mechanism for the initial
ClientHello on a connection so that extensions-tolerant but
extensions-free Servers will not be force to wade through lists
of extensions sent by clients.
The existing fallbacks or conservative approaches give you a hint
where you may expect interop problems. TLS extensions are a known
interop problem.
My take on some controversial issues:
* There may not be a sufficient number of "extension intolerant" SSL/TLS
servers in operation to justify the added complexity of
TLS_RENEGO_PROTECTION_REQUEST. However, I do not object to inclusion as
it's possibly helpful for some alleged extension intolerant servers
compliant with early drafts of SSLv3 and it helped move closer to WG
consensus.
That cipher suite value is definitely not added complexity.
On the contrary, it is significantly reduced complexity.
We are not discussing about a new optional feature here, but instead
about something that should be patched into as many old clients and
servers as possible. And a number of clients MUST remain interoperable
with servers that will _not_ be patched. Therefore requiring anything
that will break interop in the productive installed base is completely
inacceptable when it can be avoided (which it easily can be).
-Martin
_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ietf