On Sunday, June 11, 2017 11:18:03 am Eric Rescorla wrote:
> Here's what I propose to do:
[...]
> - Mandate (SHOULD-level) that servers do some sort of bounded
>   (at-most-N times) anti-replay mechanism and emphasize that
>   implementations that forbid replays entirely (only allowing
>   retransmission) are superior.
[...]
> Here's what I do not intend to do.
[...]
> - Mandate (MUST-level) any anti-replay mechanism. I do not believe
>   there is any WG consensus for this.

Whilst bounded replay protection isn't ideal, I wasn't aware of it being opposed to the point where we couldn't make it the bare minimum. There really needs to be some floor to the mess here.

If I've followed all of the discussion accurately, there may be a rough consensus for mandating with a MUST-level _some_ kind of anti-replay mechanism which MAY be implemented at the application layer as appropriate. (with a SHOULD-level requirement that it be done in the TLS implementation; MUST-level if we can actually agree to mandate bounded as a minimum, with better handling at the application level)

In other words, either the TLS implementation MUST have replay protection or the application protocol profile MUST have its own replay protection (instead, or preferably in addition to a bare minimum). Replay protection would be required by TLS, but could be delegated to the application; people that want to do really unsafe stuff can define its replay handling mechanics there.

This (heavily qualified) set of requirements would define TLS to be safe, so long as people stay within the known bounds laid out by the spec and profile(s) (with the potential for dubious profiles hand waved away...).

Dave