Re: [TLS] Thoughts on Version Intolerance

2016-07-20 Thread Martin Rex
Hubert Kario wrote: > Martin Rex wrote: >> >> Forget TLS extensions, forget ClientHello.client_version. >> Both are fundamentally broken, and led to Web Browsers coming up >> with the "downgrade dance" that is target of the POODLE attack. >> >> We know fairly reliably what kind of negotiation

Re: [TLS] Thoughts on Version Intolerance

2016-07-20 Thread Benjamin Kaduk
On 07/20/2016 05:01 AM, Hanno Böck wrote: > On Wed, 20 Jul 2016 11:20:46 +0200 > Hubert Kario wrote: > >> so it looks to me like while we may gain a bit of compatibility by >> using extension based mechanism to indicate TLSv1.3, > Just quick: This was discussed yesterday, David

Re: [TLS] Resumption Contexts and 0-RTT Finished

2016-07-20 Thread Benjamin Kaduk
On 07/20/2016 12:42 AM, Hugo Krawczyk wrote: > > Actually, I would suggest that for any such value, we add "collision > resistance" to the label for that derivation - this would apply to > resumption/PSK context and to Exporter key (and possibly others) > Seems reasonable; space in the label is

Re: [TLS] Thoughts on Version Intolerance

2016-07-20 Thread Hubert Kario
On Wednesday, 20 July 2016 14:49:03 CEST Kyle Rose wrote: > > it's not IETF's fault that the implementers add unspecified by IETF > > restrictions and limitations to parsers of Client Hello messages or that > > they can't handle handshake messages split over multiple record layer > > messages,

Re: [TLS] Thoughts on Version Intolerance

2016-07-20 Thread Hubert Kario
On Wednesday, 20 July 2016 12:14:01 CEST Martin Rex wrote: > Hanno Böck wrote: > > > Hubert Kario wrote: > >> so it looks to me like while we may gain a bit of compatibility by > >> using extension based mechanism to indicate

Re: [TLS] Thoughts on Version Intolerance

2016-07-20 Thread Martin Rex
Hanno Böck wrote: > Hubert Kario wrote: > >> so it looks to me like while we may gain a bit of compatibility by >> using extension based mechanism to indicate TLSv1.3, Forget TLS extensions, forget ClientHello.client_version. Both

Re: [TLS] Thoughts on Version Intolerance

2016-07-20 Thread Hanno Böck
On Wed, 20 Jul 2016 11:20:46 +0200 Hubert Kario wrote: > so it looks to me like while we may gain a bit of compatibility by > using extension based mechanism to indicate TLSv1.3, Just quick: This was discussed yesterday, David Benjamin had an interesting proposal, but it was

Re: [TLS] Thoughts on Version Intolerance

2016-07-20 Thread Hubert Kario
On Monday, 18 July 2016 15:08:03 CEST Hubert Kario wrote: > On Monday 18 July 2016 13:08:43 Hanno Böck wrote: > > * We don't have good data on the issue. The latest numbers I could find > > > > came from Ivan Ristic in 2013 [4], and from David Benjamin we know he > > considers the problem to