Hiya, On 19/12/17 01:59, Salz, Rich wrote: > However, since extension numbers are essentially infinite, this WG may > consider renumbering key_share to avoid the issue. > >> I think this would be fine, but not imperative. > > I think it would almost be hypocritical if we did not do it. >
I'm not sure I agree renumbering is the right reaction, though I don't object to that. This could be a case where it's overall better that those specific devices suffer breakage, and hopefully then do get firmware updated to support TLS1.3 or TLS-without-extended-random-or-dual-ec at some point. WRT extended-random, it seems like the IETF process did work, in that we dropped the work. However, it may also be the case that the attacker's process (if one assumes that somewhere in the background (*) there was an attacker who wanted dual-ec attacks to be more efficient) also worked to at least some extent in that they got that to be deployed in some places, presumably at least partly based on the existence of the (then expired?) draft. I wonder if that argues for some kind of "dropped as a very bad idea" tombstone draft (or even RFC) for such cases? I can imagine that the IETF or TLS WG could do that, but I'm not sure if it'd have helped the developers of bsafe or those printers avoid the problem if such a thing had existed. In the case of extended-random, it is now clear that it is a very bad idea, even if that wasn't the case when the WG chose to not proceed with the work, so such a tombstone draft or RFC could be easily done and could possibly be useful. (I'm about half-convinced of that;-) One reason to think about this is that we have some more-current bad-idea drafts (e.g. draft-green) that we know are dead, but folks not involved in the WG might not be aware of that, so it could be good if those were somewhat more officially put to rest than just sitting forever as expired I-Ds. It'd be a fine thing if the authors of such drafts did that themselves of course, but if not, I'd volunteer to help:-) Cheers, S. (*) To be clear, I am not at all saying the authors of the extended-random draft were part of any attack. If I were the bad actor in such a case, I'd ensure the names that were public weren't in on the plan.
signature.asc
Description: OpenPGP digital signature
_______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls
