
Re: [TLS] Last Call: <draft-ietf-tls-downgrade-scsv-03.txt> (TLS Fallback Signaling Cipher Suite Value (SCSV) for Preventing Protocol Downgrade Attacks) to Proposed Standard

2015-01-12 09:02:59
Nikos Mavrogiannopoulos <nmav(_at_)redhat(_dot_)com>:

> [...] However, if you think that
> this has to be on standards track, please provide at least some
> argumentation for it.

draft-ietf-tls-downgrade-scsv-03 mandates server-side behavior (in response
to certain Client Hello messages) that requires wide deployment to achieve
the desired effect, hence Standards Track seems appropriate and
Informational status would be insufficient.

I don't agree with your assessment that "Making this a proposed standard,
would imply that the flawed technique is into standards track."
draft-ietf-tls-downgrade-scsv-03
does not say that clients should implement a downgrade dance, it merely
recommends sending a certain signal *if* they choose to do so.

Also note that the point that some clients may use downgraded retries for
compatibility with buggy servers *is* already acknowledged by Standards
Track RFCs, e.g. RFC 5246 Appendix E.1:  "Note: some server implementations
are known to implement version negotiation incorrectly. [...]
Interoperability with such buggy servers is a complex topic beyond the
scope of this document, and may require multiple connection attempts by the
client."

Bodo
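An added illustration of the two behaviours this reply distinguishes (the optional client-side signal and the mandated server-side check), written for this archive page and not taken from the draft, from this message or from any TLS implementation. It assumes the SCSV value {0x56, 0x00} and the inappropriate_fallback alert value 86 as published in RFC 7507 (the RFC this draft became), and uses a simplified stand-in for the Client Hello rather than real TLS framing.

```python
# Simplified model of TLS_FALLBACK_SCSV handling (added example, not the
# draft's or any library's code). Constants follow RFC 7507; the message
# structure here is a stand-in, not real TLS record framing.
from dataclasses import dataclass, field

TLS_FALLBACK_SCSV = (0x56, 0x00)      # cipher suite value reserved as the signal
INAPPROPRIATE_FALLBACK = 86           # alert description sent by the server
TLS10, TLS11, TLS12 = (3, 1), (3, 2), (3, 3)


@dataclass
class ClientHello:
    client_version: tuple
    cipher_suites: list = field(default_factory=list)


def build_client_hello(version, suites, is_fallback_retry):
    """Client side: only a client that *chooses* to retry at a lower version
    (the 'downgrade dance') appends the SCSV, and only to that retry."""
    suites = list(suites)
    if is_fallback_retry and TLS_FALLBACK_SCSV not in suites:
        suites.append(TLS_FALLBACK_SCSV)
    return ClientHello(version, suites)


def server_check(hello, server_max_version):
    """Server side: the behaviour the draft mandates. If the SCSV is present
    and the offered version is below the highest one this server supports,
    this server did not cause the downgrade, so it refuses with
    inappropriate_fallback. Returns None when the hello is acceptable."""
    if (TLS_FALLBACK_SCSV in hello.cipher_suites
            and hello.client_version < server_max_version):
        return INAPPROPRIATE_FALLBACK
    return None


def downgrade_dance(client_versions, server_max_version, server_accepts_version):
    """Simulate a client retrying downwards against one server.
    server_accepts_version models the server's (possibly buggy) version
    handling, or an earlier attempt that simply never completed.
    Returns ('negotiated', version), ('alert', code) or ('failed', None)."""
    for i, v in enumerate(sorted(client_versions, reverse=True)):
        hello = build_client_hello(v, [(0xC0, 0x2F)], is_fallback_retry=(i > 0))
        alert = server_check(hello, server_max_version)
        if alert is not None:
            return ("alert", alert)
        if server_accepts_version(v):
            return ("negotiated", v)
    return ("failed", None)
```

The third scenario in the test below is the RFC 5246 E.1 case quoted above: a server that genuinely tops out at TLS 1.0 still completes the retried handshake, because the SCSV only rejects retries below the server's own maximum.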