On Monday 17 August 2015 15:02:46 Ilari Liusvaara wrote: > On Mon, Aug 17, 2015 at 06:22:04AM -0400, Yaron Sheffer wrote: > > Below a long list of comments, generally minor. The document is > > already very good - we're making great progress!<br> > > > > The record length field is limited by encrypted-length+2048. > > > > Shouldn't it be 1024? - "Each AEAD cipher MUST NOT produce an > > expansion of greater than 1024 bytes". > > Actually, I think both should be 256 (256-byte expansion from AEAD > is already quite much). > > (This was proposed a while back).
I don't think this adds anything while introducing requirement of adding additional "if" to implementations that support also TLS1.2 and lower > > D.1.2: do we really need to worry about version rollback to > > > > SSLv2? I suggest to remove this section. > > Well, it is not possible to even try to negotiate TLS 1.3 using SSLv2 > compat. hello, since that can't transmit extensions, but at least one > extension is REQUIRED in order to successfully negotiate TLS 1.3. > > And the second paragraph seems to be about RSA key exchange, which > isn't supported anymore in TLS 1.3. > > Yes, the section looks like it could be removed. OTOH, TLS1.3 is not a superset of TLS1.2 so we need to think about downgrade to TLS1.2. > But that isn't the only way rollback attacks can occur, also some > clients can be coaxed to downgrade by selectively blocking connections. > Unfortunately the intolerance to TLS 1.3 is so bad that many clients > will likely be willing to perform unauthenticated downgrade to TLS > 1.2 (and FALLBACK_SCSV is useless here). how is it useless? A server which support at most TLS1.2 that receives a TLS1.2 client hello with FALLBACK_SCSV MUST continue the connection with TLS1.2 -- Regards, Hubert Kario Quality Engineer, QE BaseOS Security team Web: www.cz.redhat.com Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic
signature.asc
Description: This is a digitally signed message part.
_______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls