Re: Identity Checking in Application Protocols

To: Alexey Melnikov <alexey.melnikov at isode.com>
Subject: Re: Identity Checking in Application Protocols
From: Peter Saint-Andre <stpeter at stpeter.im>
Date: Tue, 27 Oct 2009 15:28:40 -0600
Cc: "apps-discuss at ietf.org" <apps-discuss at ietf.org>
Delivered-to: apps-discuss at core3.amsl.com
In-reply-to: <4AE6CB4E.9030701 at isode.com>
List-archive: <http://www.ietf.org/mail-archive/web/apps-discuss>
List-help: <mailto:apps-discuss-request@ietf.org?subject=help>
List-id: General discussion of application-layer protocols <apps-discuss.ietf.org>
List-post: <mailto:apps-discuss@ietf.org>
List-subscribe: <https://www.ietf.org/mailman/listinfo/apps-discuss>, <mailto:apps-discuss-request@ietf.org?subject=subscribe>
List-unsubscribe: <https://www.ietf.org/mailman/listinfo/apps-discuss>, <mailto:apps-discuss-request@ietf.org?subject=unsubscribe>
Openpgp: url=http://www.saint-andre.com/me/stpeter.asc
References: <4AE62AB7.8080607 at stpeter.im> <4AE6CB4E.9030701 at isode.com>
User-agent: Thunderbird 2.0.0.23 (Macintosh/20090812)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 10/27/09 4:28 AM, Alexey Melnikov wrote:
> Hi Peter,
> 
> Peter Saint-Andre wrote:
>> I had hoped to update draft-saintandre-tls-server-id-check before the
>> submission cutoff today, but it's not going to happen because there's
>> quite a bit of feedback to sift through (ideally I would have followed
>> the list discussions more closely the first time around).  However, I
>> shall work to update it in the next few days, at which time I will also
>> rename it to remove the strings "tls" and "server" since the scope of
>> the spec has widened to include non-TLS interactions as well as client
>> identity checking. My apologies for the delay.
>>   
> Without my AD hat: I don't think the document should cover client
> identity checking. I found Kurt's arguments to be convincing.

I think that the distinction between application roles and security
roles causes some confusion here. This I-D talks about security roles,
not application roles. Thus, for example, when two XMPP servers wish to
establish a TLS-encrypted connection, from the security point of view
the server that initiates the connection is a TLS client whereas the
server that receives the connection is a TLS server (despite the fact
that from an application point of view both of them are XMPP servers).

My understanding of Kurt's argument is that we can't say much that's
helpful about how a TLS server checks the identity of a TLS client
because the problem is application-specific and the TLS server doesn't
really have a "reference identity" (an idea of what identity the client
will assert). At some level, the TLS server knows that it expects the
TLS client to assert a kind of identity (domain name, email address,
XMPP address, etc.) but not necessarily a particular instance of that
kind ("example.com", "foo at example.com", or whatever).

I need to think about this further. I'm sure that re-reading Kurt's
messages will help...

Peter

- --
Peter Saint-Andre
https://stpeter.im/

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAkrnZggACgkQNL8k5A2w/vzVlgCgjcykxNdhldEtUN2b+Nex2nmN
uK8Anibo46ElJYq1NwYJsOFohTvb3nkK
=BVDg
-----END PGP SIGNATURE-----

Follow-Ups:
- Re: Identity Checking in Application Protocols
  - From: tom.petch

References:
- Identity Checking in Application Protocols
  - From: Peter Saint-Andre
- Re: Identity Checking in Application Protocols
  - From: Alexey Melnikov

Prev by Date: RE: host-meta: template syntax hassles
Next by Date: Re: Identity Checking in Application Protocols
Previous by thread: Re: Identity Checking in Application Protocols
Next by thread: Re: Identity Checking in Application Protocols
Index(es):
- Date
- Thread

Re: Identity Checking in Application Protocols

Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.