[145198] in cryptography@c2.net mail archive
Re: "Against Rekeying"
daemon@ATHENA.MIT.EDU (Perry E. Metzger)
Fri Mar 26 12:02:33 2010
From: "Perry E. Metzger" <perry@piermont.com>
To: cryptography@metzdowd.com
Date: Fri, 26 Mar 2010 10:23:57 -0400
Also manually forwarded on behalf of Peter Gutmann. As before, if you
reply, don't credit me with the text, it is his.
>From pgut001 Fri Mar 26 14:44:54 2010
To: ben@links.org, Nicolas.Williams@sun.com
Subject: Re: "Against Rekeying"
Cc: cryptography@metzdowd.com, perry@piermont.com, simon@josefsson.org
In-Reply-To: <20100325160755.GF21244@Sun.COM>
Nicolas Williams <Nicolas.Williams@sun.com> writes:
>I suspect that what happened, ultimately, is that TLS re-negotiation was an
>afterthought, barely mentioned in the TLS 1.2 RFC and barely used, therefore
>many experts were simply not conscious enough of its existence to care.
I think that was a significant problem with noticing this, that many
implementors may have looked at it, decided it was a nightmare to implement,
served no really obvious purpose once 40-bit keys had gone the way of the
dodo, and was a significant source of future problems (see my previous
message), and so never bothered with it. As a result it never got much
attention, as do significant chunks of other security protocols. I think the
real skill in security protocol implementation isn't knowing what to
implement, but knowing what not to implement (I've had an attack-surface-reduced
SSH draft in preparation for a while now, I really must get back to it some
time).
One nice thing about being the author of a crypto toolkit is that you can
experiment with this, either skipping features or turning existing features
off in new releases, to see if anyone notices. If no-one does, you leave them
turned off. You can turn off an awful lot of security-protocol "features"
before people start to notice, leading me to believe that a scary portion of
many protocols actually consist of attack surface and not features.
Peter.