Benjamin Kaduk wrote: > > Some other editorial nits follow. > > In section 4, "these cipher suites MUST NOT be negotiated in TLS > versions prior to 1.2" should probably clarify that "these" cipher > suites are the new ones specified by this document. This reminds me of the specification goofs in several TLSv1.2-related documents about AEAD cipher suites which are responsible for the viability of the POODLE attack and other exploitable fallback hacks. It would be much preferable to avoid/fix those problems and facilitate the migration to and use of TLSv1.2 without failing TLS handshakes and band aids such as TLS_FALLBACK_SCSV Suggested improvement: The cipher suites defined in this document make use of the authenticated encryption with additional data (AEAD) defined in TLS 1.2 [RFC5246] and DTLS 1.2 [RFC6347]. Earlier versions of TLS do not have support for AEAD and consequently, these cipher suites MUST NOT - be negotiated in TLS versions prior to 1.2. Clients MUST NOT offer - these cipher suites if they do not offer TLS 1.2 or later. Servers, - which select an earlier version of TLS MUST NOT select one of these - cipher suites. A client MUST treat the selection of these cipher - suites in combination with a version of TLS that does not support - AEAD (i.e., TLS 1.1 or earlier) as an error and generate a fatal - 'illegal_parameter' TLS alert. + A client that offers + the cipher suites from this document in ClientHello.cipher_suites + in combination with (3,1) "TLSv1.0" or (3,2) "TLSv1.1" in + ClientHello.client_version MUST support TLSv1.2 and MUST accept + the server to negotiate TLSv1.2 for the current session. If the + client does not support TLSv1.2 or is not willing to negotiate TLSv1.2, + then this client MUST NOT offer any of these cipher suites with a + lower protocol version than (3,3) "TLSv1.2" in ClientHello.client_version. + A server receiving a ClientHello and a client_version indicating + (3,1) "TLSv1.0" or (3,2) "TLSv1.1" and any of the cipher suites from + this document in ClientHello.cipher_suites can safely assume that the + client supports TLSv1.2 and is willing to use it. The server MUST + NOT negotiate these cipher suites with TLS protocol versions earlier + than TLSv1.2. + + Not requiring clients to indicate their support for TLSv1.2 cipher + suites exclusively through ClientHello.client_hello improves the + interoperability in the installed base and use of TLSv1.2 AEAD + cipher suites without upsetting the installed base of version-intolerant + TLS servers, results in more TLS handshakes succeeding and obviates + fallback mechanisms. -Martin