On Fri, Oct 9, 2015 at 2:23 AM, Eric Rescorla <e...@rtfm.com> wrote:
> Please take a look at the following PR which documents a suggestion
> made by Karthik Bhargavan about how to prevent protection against
> downgrade against downgrade from TLS 1.3 to TLS 1.2 and below.
>
> https://github.com/tlswg/tls13-spec/pull/284
>
> The idea is that if a TLS 1.3 server receives a TLS 1.2 or below
> ClientHello, it sets the top N bits of the ServerRandom to be a
> specific fixed value.
>
1. Why would the server ever receive a TLS 1.2 or below ClientHello from a
client that supports TLS 1.3? Why doesn't the already-standardized downgrade
SCSV mechanism work for those cases?

2. My understanding is that every TLS 1.3 ClientHello contains a
ClientKeyShare extension and that no TLS 1.2 or below ClientHello contains a
ClientKeyShare extension. Therefore, the presence or absence of the
ClientKeyShare extension already signals whether the client is attempting a
TLS 1.3 handshake, or a handshake for a lower TLS version. Thus, also
specifying ClientHello.client_version = 0x0304 is redundant. And, we've
already seen clear evidence that ClientHello.client_version = 0x0304 leads to
severe compatibility issues. So, why not just use
ClientHello.client_version = 0x0303 and rely on the presence of the
ClientKeyShare extension to disambiguate TLS 1.3 vs TLS 1.2 or below?

Cheers,
Brian
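As an added illustration of the two mechanisms discussed in this thread (this is not code from the PR or from either poster): a server that decides "TLS 1.3 or not" from the presence of the key-share extension rather than from client_version, and the ServerRandom marker a TLS 1.3 server would set when it answers a legacy ClientHello. The extension code point 51, the 8-byte sentinel value and the minimal ClientHello layout are assumptions constructed for the demo; the PR itself does not fix the sentinel value.

```python
import os
import struct

# key_share code point as later assigned in RFC 8446; the 2015 draft under
# discussion numbered ClientKeyShare differently (assumption for this demo).
KEY_SHARE_EXT = 51
# The PR only says "top N bits of ServerRandom set to a fixed value"; this
# 8-byte prefix is a constructed placeholder, not the value from the spec.
DOWNGRADE_SENTINEL = b"DWNGRD12"
TLS12, TLS13 = 0x0303, 0x0304

def parse_client_hello(body):
    """Parse a ClientHello body (no record/handshake headers) into its fields."""
    version = struct.unpack("!H", body[:2])[0]
    rnd, pos = body[2:34], 34
    pos += 1 + body[pos]                                       # legacy_session_id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]       # cipher_suites
    pos += 1 + body[pos]                                       # compression_methods
    exts = {}
    if pos < len(body):                                        # extensions are optional
        end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        while pos < end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            exts[etype] = body[pos + 4:pos + 4 + elen]
            pos += 4 + elen
    return {"version": version, "random": rnd, "extensions": exts}

def build_client_hello(version, extensions):
    """Constructed minimal ClientHello: one cipher suite, null compression."""
    ext_body = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions.items())
    body = struct.pack("!H", version) + os.urandom(32) + b"\x00"      # empty session id
    body += struct.pack("!H", 2) + b"\xc0\x2f" + b"\x01\x00"           # suites, null comp
    return body + (struct.pack("!H", len(ext_body)) + ext_body if extensions else b"")

def client_offers_tls13(hello):
    """Brian's point: key_share presence, not client_version, signals TLS 1.3."""
    return KEY_SHARE_EXT in hello["extensions"]

def make_server_random(hello):
    """The PR's idea: a TLS 1.3 server answering a legacy hello marks its random."""
    rnd = bytearray(os.urandom(32))
    if not client_offers_tls13(hello):
        rnd[:len(DOWNGRADE_SENTINEL)] = DOWNGRADE_SENTINEL
    return bytes(rnd)

def client_sees_downgrade(server_random, negotiated_version):
    """A TLS 1.3-capable client that ended up below 1.3 checks for the sentinel."""
    return negotiated_version < TLS13 and server_random.startswith(DOWNGRADE_SENTINEL)
```

Note that both hellos below carry client_version 0x0303; only the key-share extension distinguishes them, which is exactly the disambiguation Brian proposes.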
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls