On Wed, Mar 28, 2012 at 10:39 AM, Mohamad Badra <mbadra@...> wrote:
> Marsh Ray <marsh@...> wrote:
>> I realize RI uses an SCSV, but it was clearly an exceptional case.
>> On Wed, Mar 28, 2012 at 9:56 AM, Nikos Mavrogiannopoulos <nmav@...>
>>> I don't see any reason to define an SCSV ciphersuite,
> Weren't it possible to avoid using SCSV in rfc5746? What are the
> requirements to justify exceptional cases there but not here?
The SCSV in RFC 5746 was required to avoid downgrade attacks
by simulating faulty extension processing. However, in the case
of this draft, an SCSV does not prevent downgrade attacks, so
there is no reason not to use an extension.