ietf

RE: Last Call: <draft-ietf-tls-downgrade-scsv-03.txt> (TLS Fallback Signaling Cipher Suite Value (SCSV) for Preventing Protocol Downgrade Attacks) to Proposed Standard

2015-01-12 09:07:18
> The mechanism it fixes (the browser's special downgrade of TLS) is not an
> IETF protocol, nor related to the TLS WG. Making this a proposed standard
> would imply that the flawed technique is on the standards track. I believe that
> this text should be informational.

I disagree. Just because it addresses one common behavior, defining semantics
for a client to say "I tried better, this is what I have now" and the related
server semantics is a very good thing. It keeps the client/server interaction
stateless (well, on the server side) across multiple connections.

--  
Principal Security Engineer, Akamai Technologies
IM: rsalz(_at_)jabber(_dot_)me Twitter: RichSalz
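
The client and server semantics discussed in this message, as an added example that is not part of the original post or of any TLS implementation: a minimal model in which the server decides from a single ClientHello, keeping no state across connections. The constants 0x5600 and alert 86 are taken from RFC 7507, the published form of this draft; the function names, the dictionary layout and the `drop_versions` parameter are assumptions made for illustration.

```python
# Added illustration; not code from the draft or from any TLS stack.
TLS_FALLBACK_SCSV = 0x5600           # signaling cipher suite value (RFC 7507)
ALERT_INAPPROPRIATE_FALLBACK = 86    # fatal alert description (RFC 7507)

# Protocol versions as (major, minor) tuples so they compare naturally.
SSL3, TLS10, TLS11, TLS12 = (3, 0), (3, 1), (3, 2), (3, 3)


def client_hello(version, suites, is_fallback_retry):
    """Client side: add the SCSV only when retrying below its best version
    ("I tried better, this is what I have now")."""
    offered = list(suites)
    if is_fallback_retry:
        offered.append(TLS_FALLBACK_SCSV)
    return {"client_version": version, "cipher_suites": offered}


def server_check(hello, server_max):
    """Server side: judge this one ClientHello alone, with no memory of
    earlier connections. Returns ("alert", 86) or ("continue", version)."""
    cv = hello["client_version"]
    if TLS_FALLBACK_SCSV in hello["cipher_suites"] and cv < server_max:
        # The client could have done better with this server: refuse.
        return ("alert", ALERT_INAPPROPRIATE_FALLBACK)
    return ("continue", min(cv, server_max))


def connect_with_fallback(versions, suites, server_max, drop_versions=()):
    """Model a client that retries at lower versions after a failed handshake.
    versions: client's versions, highest first.
    drop_versions: constructed stand-in for handshakes that never complete
    (network fault or interference) at those versions."""
    for attempt, version in enumerate(versions):
        hello = client_hello(version, suites, is_fallback_retry=attempt > 0)
        if version in drop_versions:
            continue  # handshake failed; the client falls back and retries
        return server_check(hello, server_max)
    return ("failed", None)


if __name__ == "__main__":
    suites = [0xC02F, 0x002F]  # constructed sample cipher suite list
    ladder = [TLS12, TLS11, TLS10]
    # TLS 1.2 server, first attempt lost: the retry is refused.
    print(connect_with_fallback(ladder, suites, TLS12, drop_versions={TLS12}))
    # TLS 1.0-only server: the same retry is legitimate and proceeds.
    print(connect_with_fallback(ladder, suites, TLS10, drop_versions={TLS12}))
```
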


