I spoke at length with Larry.
His concern is that the word "conenction" might be taken to mean "TCP
connection" or "connection for the transport below TLS".
Clearly it is not reasonable to expect to extract the TLS channel
binding from the "connection for the transport below TLS"!
Larry's proposal to say "session" was only to make that confusion go
away, but that proposal is very difficult to implement (as I described
separately already).
Larry has indicated to me (and I expect will indicate on the list in
reply to this email) that he will be happy if we simply clarify that
"TLS connection" refers to the TLS state, NOT to the transport below.
Unfortunately RFC5246 does not seem to have a term by which to refer the
"TLS connection" unambiguously: "connection" is defined in the glossary
(page 80) to mean that which Larry doesn't want (underlying transport),
but then, in section 6.1 RFC5246 quite clearly uses the word
"connection" to refer to "TLS connection", not to the underlying
transport.
Thus this is a simple matter of wordsmithing.
Another problem that Larry has is that in his implementation what I call
a "TLS connection" is called a "security context", and if the
application re-handshakes (e.g., to authenticate a user) then the result
is a second security context -- we need to be extra clear that it's the
client Finished message from the _first_ "security context" that we're
after.
My proposal, then, is this:
OLD:
Description: The client's TLS Finished message (note: the Finished
struct) from the first handshake of the connection (note: connection,
not session, so that the channel binding is specific to each
connection regardless of whether session resumption is used).
NEW:
Description: The client's TLS Finished message (note: the Finished
struct) from the first handshake of the application's TLS connection.
NOTES:
a) If a session is resumed, the client's TLS Finished message from
the session resumption handshake is to be used;
b) If a client does multiple TLS handshakes in sequence, each
protected by the previous one, then the client's TLS Finished
message from the first/outermost TLS connection is to be used;
c) By "TLS connection" we refer to the TLS connection state, not to
any notion of connection of any underlying transport protocols
(such as TCP, UDP, SCTP, etcetera).
I'm not sure that we can make it any clearer.
Larry, please review.
Martin, please review.
Nico
--
Note Well: Messages sent to this mailing list are the opinions of the senders and do not imply endorsement by the IETF.