Martin Rex <Martin.Rex at sap.com> writes:

>Microsoft's implementation (which could be the one referred to by
>Larry's implementation) has a silly design flaw in its TLS renegotiation,
>and I'm not sure that the previous text is a way to fix it.
>
>It is possible to configure Microsoft IIS in a fashion so that it
>will first perform a TLS handshake with a server-only authentication,
>and after having received the HTTP request, it will re-negotiate and
>ask for a client certificate.

It's not necessarily a design flaw, AFAIK it's a performance optimisation to avoid the server having to maintain state/leave a connection open for an arbitrary amount of time while the user fumbles around with smart cards and certificates and whatnot.

Peter.
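As an added illustration (not code from the thread, from IIS, or from either poster): a small Python model of the two handshake orderings discussed above, which records whether the HTTP request arrived before or after a client certificate was bound to the session. Class and function names are my own; the sample request is constructed.

```python
# Toy model of the two orderings discussed in the thread (added illustration,
# not IIS code). It tracks whether application data (the HTTP request) was
# received before or after client-certificate authentication.
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class TlsSession:
    client_identity: Optional[str] = None    # subject of the client cert, once presented
    log: list = field(default_factory=list)  # (event, client identity at that moment)

    def handshake(self, client_cert: Optional[str] = None):
        """Initial handshake or renegotiation; client_cert=None means server-only auth."""
        if client_cert is not None:
            self.client_identity = client_cert
        self.log.append(("handshake", self.client_identity))

    def receive_request(self, request: bytes):
        """Application data arrives under whatever authentication state holds now."""
        self.log.append(("request", self.client_identity))


def iis_style_flow(request: bytes, cert: str) -> TlsSession:
    """Server-only handshake, receive the request, then renegotiate for a client cert."""
    s = TlsSession()
    s.handshake()                   # server authenticates, client stays anonymous
    s.receive_request(request)      # the HTTP request has already been received here
    s.handshake(client_cert=cert)   # renegotiation asks for the client certificate
    return s


def upfront_flow(request: bytes, cert: str) -> TlsSession:
    """Client certificate requested in the initial handshake, before any request."""
    s = TlsSession()
    s.handshake(client_cert=cert)
    s.receive_request(request)
    return s


def requests_received_unauthenticated(session: TlsSession) -> int:
    """Count application-data records that arrived while no client identity was bound."""
    return sum(1 for ev, ident in session.log if ev == "request" and ident is None)


if __name__ == "__main__":
    req = b"GET /protected HTTP/1.1\r\nHost: example\r\n\r\n"  # constructed sample request
    print(requests_received_unauthenticated(iis_style_flow(req, "CN=alice")))  # 1
    print(requests_received_unauthenticated(upfront_flow(req, "CN=alice")))    # 0
```

The count is the thing a server-side check would key on: a request received while `client_identity` was still `None` was not sent under the identity that the later renegotiation binds to the session.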
Note Well: Messages sent to this mailing list are the opinions of the senders and do not imply endorsement by the IETF.