Re: [TLS] TLS document status update
Mike wrote:
>>> White-listing of hosts from which the server is willing to fetch those
>>> client cert URLs effectively solves the other problems without
>>> necessitating any mandatory hashes.
>> No, it doesn't solve the substitution attack.
>
> But how could the substitution attack even succeed? You would need
> to create a valid CA signature on the replacement certificate, which
> should not be possible.
The fact that you cannot present an attack doesn't mean there is no
attack, or that a combination of such weaknesses might be exploitable.
The TLS handshake finished message hashes protect the certificate by
including it. If the certificate is not exchanged during the handshake
then this protection is no longer available.
So:
1. If this protection is not really required, then it can also be
removed from the original TLS handshake.
2. If this protection is required, then it should be present in the
abbreviated handshake with the certificate URL (in the form of
certificate hash), so equivalent security is offered by equivalent
ciphersuites.
regards,
Nikos
_______________________________________________
TLS mailing list
TLS at ietf.org
https://www.ietf.org/mailman/listinfo/tls
Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.
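The point of the exchange above is that the Finished message's hash covers every handshake message, so a certificate carried inline in a Certificate message is bound to the handshake, whereas a certificate fetched later via a client_certificate_url reference is not, unless a hash of it travels in the CertificateURL message. The following Python model, added here and not part of the thread or of any TLS implementation, illustrates that difference. It assumes a simplified stand-in for the TLS PRF (HMAC-SHA256), a simplified CertificateURL layout (URL, a one-byte hash-present flag, and a SHA-256 hash rather than the RFC 6066 SHA-1 framing), and constructed byte strings for the hellos, secret, URL and certificates.

```python
"""Why the Finished hash protects an inline certificate but not one fetched
by URL, and how carrying a certificate hash in the handshake restores that
protection.  Assumptions: HMAC-SHA256 replaces the TLS PRF, the CertificateURL
body layout is simplified, and all bytes below are constructed stand-ins."""
import hashlib
import hmac
from typing import Optional

# Handshake message type codes from RFC 5246 and RFC 6066.
CLIENT_HELLO, SERVER_HELLO, CERTIFICATE, CERTIFICATE_URL = 1, 2, 11, 21


def handshake_msg(msg_type: int, body: bytes) -> bytes:
    """Serialise one handshake message: 1-byte type, 3-byte length, body."""
    return bytes([msg_type]) + len(body).to_bytes(3, "big") + body


def transcript_hash(messages) -> bytes:
    """Hash over the concatenated handshake messages, as Finished covers it."""
    h = hashlib.sha256()
    for msg_type, body in messages:
        h.update(handshake_msg(msg_type, body))
    return h.digest()


def finished_verify_data(master_secret: bytes, messages) -> bytes:
    """Simplified stand-in for PRF(master_secret, label, Hash(handshake_messages))."""
    mac = hmac.new(master_secret, b"client finished" + transcript_hash(messages), hashlib.sha256)
    return mac.digest()[:12]


def cert_url_body(url: bytes, cert: Optional[bytes]) -> bytes:
    """Simplified CertificateURL body: 2-byte URL length, URL, flag byte, optional hash.
    flag 0x00: no hash present; flag 0x01: SHA-256 of the referenced certificate follows."""
    body = len(url).to_bytes(2, "big") + url
    if cert is None:
        return body + b"\x00"
    return body + b"\x01" + hashlib.sha256(cert).digest()


def fetched_cert_accepted(url_body: bytes, fetched: bytes) -> bool:
    """Server-side check after fetching: if the handshake carried a hash, the
    fetched certificate must match it.  Without a hash any fetched bytes pass."""
    url_len = int.from_bytes(url_body[:2], "big")
    rest = url_body[2 + url_len:]
    if rest[0] == 0:
        return True
    return hmac.compare_digest(rest[1:], hashlib.sha256(fetched).digest())


def run_scenarios() -> dict:
    """Compare the three cases with constructed inputs and return what each detects."""
    secret = b"constructed-master-secret"
    hellos = [(CLIENT_HELLO, b"constructed client hello"), (SERVER_HELLO, b"constructed server hello")]
    real_cert = b"constructed DER bytes of the genuine client certificate"
    swapped_cert = b"constructed DER bytes of a substituted certificate"
    url = b"https://certs.example.test/client.der"  # placeholder URL

    # 1. Inline Certificate message: the certificate bytes are in the transcript,
    #    so a swap changes the Finished verify_data and the handshake fails.
    inline_real = finished_verify_data(secret, hellos + [(CERTIFICATE, real_cert)])
    inline_swapped = finished_verify_data(secret, hellos + [(CERTIFICATE, swapped_cert)])

    # 2. CertificateURL without a hash: only the URL is in the transcript.  The
    #    verify_data is the same whatever is later fetched, and the server has
    #    nothing to check the fetched bytes against.
    nohash_body = cert_url_body(url, None)
    nohash_vd_before = finished_verify_data(secret, hellos + [(CERTIFICATE_URL, nohash_body)])
    nohash_vd_after = finished_verify_data(secret, hellos + [(CERTIFICATE_URL, nohash_body)])

    # 3. CertificateURL carrying the certificate hash: the hash is covered by
    #    Finished, and the fetched certificate is checked against it.
    hash_body = cert_url_body(url, real_cert)

    return {
        "inline_detects_swap": inline_real != inline_swapped,
        "url_nohash_transcript_unchanged": nohash_vd_before == nohash_vd_after,
        "url_nohash_swap_accepted": fetched_cert_accepted(nohash_body, swapped_cert),
        "url_hash_swap_rejected": not fetched_cert_accepted(hash_body, swapped_cert),
        "url_hash_real_accepted": fetched_cert_accepted(hash_body, real_cert),
    }


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name}: {outcome}")
```

The model makes the asymmetry concrete: in case 1 the substituted certificate breaks the Finished check, in case 2 nothing in the handshake depends on what is fetched, and in case 3 the hash in the CertificateURL message is what ties the fetched bytes back to the transcript, which is the "equivalent security" Nikos asks for.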