Eric Rescorla <e...@networkresonance.com> writes: >At Tue, 20 Jan 2009 17:57:09 +1300, Peter Gutmann wrote: >> "Steven M. Bellovin" <s...@cs.columbia.edu> writes: >> >> >So -- who supports TLS 1.2? >> >> Not a lot, I think. The problem with 1.2 is that it introduces a pile of >> totally gratuitous incompatible changes to the protocol that require quite a >> bit of effort to implement (TLS 1.1 -> 1.2 is at least as big a step, if not >> a >> bigger step, than the change from SSL to TLS), complicate an implementation, >> are difficult to test because of the general lack of implementations >> supporting it, and provide no visible benefit. Why would anyone rush to >> implement this when what we've got now works[0] just fine? > >Ordinarily I wouldn't bother to respond to Peter's curmudgeon act,
:-). >but since I was obviously heavily involved with TLS 1.2, I think a bit of >context is in order. I'm aware of why the changes were made, but the point of my comment was to explain their consequences in the lack of support for TLS 1.2. I had (AFAIK) one of the first implementations of TLS 1.1, an incremental upgrade of TLS 1.0 (and then had some fun trying to find things to interop against) but for TLS 1.2 I haven't implemented it and have no plans to implement it because it provides absolutely no benefit over TLS 1.1 and a great many downsides. >Yes, the changes between TLS 1.1 and TLS 1.2 are about as big as those >between SSL and TLS. I'm not particularly happy about that either, but it's >what we felt was necessary to do a principled job. It may have been a nicely principled job but what actual problem is the switch in hash algorithms actually solving? Making changes of such magnitude to a very, very widely-deployed protocol is always a tradeoff between the necessity of the change and the pain of doing so. In TLS 1.2 the pain is proportionate to the scale of the existing deployed base (i.e. very large) and the necessity of doing so appears to be zero. I don't know of any attack or threat to the existing dual-hash mechanism that TLS 1.2 addresses, and it may even make things worse by switching from the redundant dual-hash (a testament to the original SSL designers) to a single algorithm. This is why I called the changes "gratuitous", there is no threat that they address - it can even be argued (no doubt endlessly) that they make the PRF weaker rather than stronger - but they come at considerable cost. SSL/TLS is (and has been for many years) part of the Internet infrastructure. You don't make significant, totally incompatible changes to the infrastructure without very carefully weighing the advantages and disadvantages. Maybe there'll be a sudden flood of unexpected TLS 1.2 implementations right after I post this, but at the moment it seems that implementors have weighed up the cost and said "no thanks". Peter. --------------------------------------------------------------------- The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to majord...@metzdowd.com