[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[sasl] New Problem (Was: Last Call: draft-altman-tls-channel-bindings)

From: Nicolas Williams <Nicolas.Williams at sun.com>
To: Larry Zhu <larry.zhu at microsoft.com>
Cc: "channel-binding at ietf.org" <channel-binding at ietf.org>, "tls at ietf.org" <tls at ietf.org>, "sasl at ietf.org" <sasl at ietf.org>
Date: Wed, 4 Nov 2009 16:47:42 -0600
In-reply-to: <D3DC9D45B39CFC4CB312B2DD279B354C29BBA0B3 at TK5EX14MBXW653.wingroup.windeploy.ntdev.microsoft.com>
References: <20091005162704.8C1B43A6873 at core3.amsl.com> <D3DC9D45B39CFC4CB312B2DD279B354C29BADFF7 at TK5EX14MBXW653.wingroup.windeploy.ntdev.microsoft.com> <20091030223647.GO1105 at Sun.COM> <D3DC9D45B39CFC4CB312B2DD279B354C29BBA0B3 at TK5EX14MBXW653.wingroup.windeploy.ntdev.microsoft.com>

On Wed, Nov 04, 2009 at 10:13:46PM +0000, Larry Zhu wrote:
> The proposed looks fine. Thanks,

Thanks.

HOWEVER, Martin's post to the TLS WG list about MITM attacks in
re-negotiations is relevant.

Re-negotiations have no real binding between inner and outer
connections.  Clients can enforce that the server end-point is the same
(has the same certificate, whatever) for both connections: inner and
outer.  Servers can also force the inner connection to change cipher
specs.  But suppose that the outer connection used an TLS_DH_anon_*
cipher suite!  Then there is no binding whatsoever between the inner and
outer connection.  And then we have a real problem for tls-unique.

We need at least a security considerations note about this.  But we
should also consider changing tls-unique to be the client's Finished
message for the _inner-most_ TLS connection, not outer-most.
(Outer-most is OK IFF there's a binding between each channel.)

Comments?

Nico
--

Follow-Ups:
- Re: [sasl] [TLS] New Problem (Was: Last Call: draft-altman-tls-channel-bindings)
  - From: Larry Zhu

References:
- [sasl] Last Call: draft-altman-tls-channel-bindings (Channel Bindings for TLS) to Proposed Standard
  - From: The IESG
- [sasl] lasgt call comments (st Call: draft-altman-tls-channel-bindings (Channel Bindings for TLS) to Proposed Standard)
  - From: Larry Zhu
- [sasl] RESOLVED (Re: lasgt call comments (st Call: draft-altman-tls-channel-bindings (Channel Bindings for TLS) to Proposed Standard))
  - From: Nicolas Williams
- Re: [sasl] [TLS] RESOLVED (Re: lasgt call comments (st Call: draft-altman-tls-channel-bindings (Channel Bindings for TLS) to Proposed Standard))
  - From: Larry Zhu

Prev by Date: Re: [sasl] [TLS] RESOLVED (Re: lasgt call comments (st Call: draft-altman-tls-channel-bindings (Channel Bindings for TLS) to Proposed Standard))
Next by Date: Re: [sasl] [TLS] New Problem (Was: Last Call: draft-altman-tls-channel-bindings)
Previous by thread: Re: [sasl] [TLS] RESOLVED (Re: lasgt call comments (st Call: draft-altman-tls-channel-bindings (Channel Bindings for TLS) to Proposed Standard))
Next by thread: Re: [sasl] [TLS] New Problem (Was: Last Call: draft-altman-tls-channel-bindings)
Index(es):
- Date
- Thread

Note Well: Messages sent to this mailing list are the opinions of the senders and do not imply endorsement by the IETF.