Re: [TLS] Implementation survey: Client Certificate URL extension



Martin Rex wrote:
> Pasi.Eronen at nokia.com wrote:
> > 
> > This vulnerability of Client Certificate URL is already described in
> > the Security Considerations text in RFC 4366, so it isn't anything
> > particularly new.
> > 
> > In the context of web browsing over TLS, it isn't really different
> > than, say, the ability to include IMG URLs pointing to arbitrary
> > hosts (not just the one the HTML page came from).
> 
> It is completely different!
> 
> The regular HTTP/HTML based attacks attack the client/browser.
> 
> The certificate extensions and the client-cert-URL extension for TLS
> attack the server, and there is no "must visit a hostile website"
> involved at all, the server is guaranteed to fall prey to every
> attack automatically if it supports/implements such a feature (or
> "inherits" this feature from the underlying middleware).

You're quite right, I wasn't thinking clearly -- this is indeed
quite different, since it targets the server.

Nevertheless, it is described in RFC 4366 already; do you think
there's something more we should add in 4366bis?

Best regards,
Pasi
_______________________________________________
TLS mailing list
TLS at ietf.org
https://www.ietf.org/mailman/listinfo/tls
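The server-side exposure discussed above is that a TLS server honouring client_certificate_url retrieves whatever URL the client hands it. The following is an added example, not code from this thread or from any IETF document, showing the kind of policy gate a server implementation could apply before and after such a fetch: an operator allow-list of hosts, an https-only rule, rejection of userinfo and non-standard ports, a size cap on the retrieved object, and verification of the SHA-1 hash that RFC 4366 carries alongside each URL. The allow-list contents, the size cap, and the function names are assumptions made for this example.

```python
import hashlib
from typing import FrozenSet, Optional, Tuple
from urllib.parse import urlparse

# Constructed allow-list (an assumption for this example): the only hosts
# from which this server will retrieve client certificates.
ALLOWED_HOSTS: FrozenSet[str] = frozenset({"certs.example.test"})

# Constructed size cap (an assumption): bounds the work a client-supplied
# URL can cause the server to do.
MAX_OBJECT_BYTES = 64 * 1024


def url_fetch_allowed(url: str,
                      allowed_hosts: FrozenSet[str] = ALLOWED_HOSTS) -> Tuple[bool, str]:
    """Decide, before any network access, whether a client-supplied
    certificate URL may be fetched at all. Returns (allowed, reason)."""
    parsed = urlparse(url)
    if parsed.scheme.lower() != "https":
        return False, "only https URLs are fetched"
    # "https://trusted@internal/..." would parse 'trusted' as userinfo and
    # 'internal' as the real host; refuse userinfo outright.
    if parsed.username is not None or parsed.password is not None:
        return False, "userinfo in URL is rejected"
    host = parsed.hostname  # already lower-cased by urlparse
    if not host:
        return False, "URL has no host"
    if host not in allowed_hosts:
        return False, "host %r is not on the allow-list" % host
    try:
        port = parsed.port
    except ValueError:
        return False, "malformed port"
    if port not in (None, 443):
        return False, "non-standard port is rejected"
    return True, "ok"


def fetched_object_acceptable(body: bytes,
                              expected_sha1: Optional[bytes]) -> Tuple[bool, str]:
    """Check a retrieved object against the size cap and, when the client
    supplied one, the 20-byte SHA-1 hash from the URLAndOptionalHash entry."""
    if len(body) > MAX_OBJECT_BYTES:
        return False, "object exceeds size cap"
    if expected_sha1 is not None:
        if len(expected_sha1) != 20:
            return False, "hash field is not 20 bytes"
        if hashlib.sha1(body).digest() != expected_sha1:
            return False, "SHA-1 of retrieved object does not match"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample inputs.
    for candidate in ("https://certs.example.test/alice.der",
                      "http://certs.example.test/alice.der",
                      "https://certs.example.test@10.0.0.5/alice.der",
                      "https://10.0.0.5/alice.der"):
        print(candidate, url_fetch_allowed(candidate))
    cert = b"constructed certificate bytes"
    print(fetched_object_acceptable(cert, hashlib.sha1(cert).digest()))
    print(fetched_object_acceptable(cert, b"\x00" * 20))
```

The URL check runs before any connection is opened, so a URL pointing at an address the server should never contact is refused without the server ever touching it; the object check runs after the fetch and discards anything oversized or not matching the hash the client committed to.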