On Sun, 2015-01-11 at 00:48 +0000, Stephen Farrell wrote:
> Hi Nikos,
>
> >> The IESG plans to make a decision in the next few weeks, and solicits
> >> final comments on this action. Please send substantive comments to the
> >> ietf@xxxxxxxx mailing lists by 2015-01-23. Exceptionally, comments may be
> >> sent to iesg@xxxxxxxx instead. In either case, please retain the
> >> beginning of the Subject line to allow automated sorting.
> >> This document defines a Signaling Cipher Suite Value (SCSV) that
> >> prevents protocol downgrade attacks on the Transport Layer Security
> >> (TLS) protocol. It updates RFC 2246, RFC 4346, and RFC 5246.
> > The "TLS Fallback Signaling Cipher Suite" fix cannot be a proposed standard.
> > The mechanism it fixes (the browser's special downgrade of TLS) is not an IETF
> > protocol, nor related to the TLS WG. Making this a proposed standard, would
> > imply that the flawed technique is into standards track.
> I don't believe that that last conclusion follows. AFAIK there is
> nothing to prevent the IETF standardising a fix for someone else's
> or even our own past mistakes(*) even when those mistakes are not
> on the standards track. And if in fact standardising the "fix"
> improves the Internet, then we should do that as the set of folks
> responsible for this technology. (If doing so has IETF consensus.)

It's not up to me to say whether there was consensus for this draft or not. I voiced my opinion against that draft. However, if you think that this has to be on standards track, please provide at least some argumentation for it. As far as I understand, this fix exists because Microsoft, Google and Mozilla cannot coordinate and drop their insecure negotiation of TLS.

regards,
Nikos