[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [sasl] [TLS] RESOLVED (Re: lasgt call comments (st Call:

From: Martin Rex <Martin.Rex at sap.com>
To: Nicolas.Williams at sun.com (Nicolas Williams)
Cc: channel-binding at ietf.org, sasl at ietf.org, tls at ietf.org
Date: Mon, 2 Nov 2009 15:59:44 +0100 (MET)
In-reply-to: <20091030223647.GO1105 at Sun.COM> from "Nicolas Williams" at Oct 30, 9 05:36:48 pm

Nicolas Williams wrote:
> 
> Another problem that Larry has is that in his implementation what I call
> a "TLS connection" is called a "security context", and if the
> application re-handshakes (e.g., to authenticate a user) then the result
> is a second security context -- we need to be extra clear that it's the
> client Finished message from the _first_ "security context" that we're
> after.

OooopS.

The session that results from a re-handshake is an entirely new and
independent session from what it started from, it does NOT modify
the state of the original session (as identified by its TLS session ID).

Many SSL protocol stacks, however, will perform the re-negotiation
with the same "context" or API handle -- giving the application caller
impression that the original session is modified.  TLS does _NOT_
have capabilities to modify a session, however.  It will either
resume a cached session as proposed by the client as-is, or it
will go through a full handshake and create a new session
that is entirely independent from previous sessions.

The TLS specs do not describe API semantics, however, only the
network protocol and TLS session state, so your terminology is
IMHO confusing.

> 
> My proposal, then, is this:
> 
> OLD:
> 
>    Description: The client's TLS Finished message (note: the Finished
>    struct) from the first handshake of the connection (note: connection,
>    not session, so that the channel binding is specific to each
>    connection regardless of whether session resumption is used).
> 
> NEW:
> 
>    Description: The client's TLS Finished message (note: the Finished
>    struct) from the first handshake of the application's TLS connection.
> 
>    NOTES:
> 
>    a) If a session is resumed, the client's TLS Finished message from
>       the session resumption handshake is to be used;
> 
>    b) If a client does multiple TLS handshakes in sequence, each
>       protected by the previous one, then the client's TLS Finished
>       message from the first/outermost TLS connection is to be used;
> 
>    c) By "TLS connection" we refer to the TLS connection state, not to
>       any notion of connection of any underlying transport protocols
>       (such as TCP, UDP, SCTP, etcetera).
> 
> I'm not sure that we can make it any clearer.

b) sounds wrong to me.  A renegotiate results in a entirely
new and independent session.

It might be easier to _NOT_ key on the finished message, but on the
master secret instead.

-Martin

Follow-Ups:
- Re: [sasl] [TLS] RESOLVED (Re: lasgt call comments (st Call:
  - From: Nicolas Williams
- Re: [sasl] RESOLVED (Re: lasgt call comments (st Call:
  - From: Simon Josefsson

References:
- [sasl] RESOLVED (Re: lasgt call comments (st Call: draft-altman-tls-channel-bindings (Channel Bindings for TLS) to Proposed Standard))
  - From: Nicolas Williams

Prev by Date: [sasl] RESOLVED (Re: lasgt call comments (st Call: draft-altman-tls-channel-bindings (Channel Bindings for TLS) to Proposed Standard))
Next by Date: Re: [sasl] RESOLVED (Re: lasgt call comments (st Call:
Previous by thread: [sasl] RESOLVED (Re: lasgt call comments (st Call: draft-altman-tls-channel-bindings (Channel Bindings for TLS) to Proposed Standard))
Next by thread: Re: [sasl] RESOLVED (Re: lasgt call comments (st Call:
Index(es):
- Date
- Thread

Note Well: Messages sent to this mailing list are the opinions of the senders and do not imply endorsement by the IETF.