Re: [TLS] RESOLVED (Re: [sasl] lasgt call comments (st Call:

To: mrex at sap.com
Subject: Re: [TLS] RESOLVED (Re: [sasl] lasgt call comments (st Call:
From: Peter Gutmann <pgut001 at cs.auckland.ac.nz>
Date: Tue, 03 Nov 2009 22:06:39 +1300
Cc: channel-binding at ietf.org, tls at ietf.org, sasl at ietf.org
Delivered-to: tls at core3.amsl.com
In-reply-to: <200911021648.nA2Gmida005474 at fs4113.wdf.sap.corp>
List-archive: <http://www.ietf.org/mail-archive/web/tls>
List-help: <mailto:tls-request@ietf.org?subject=help>
List-id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-post: <mailto:tls@ietf.org>
List-subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
List-unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
Sender: pgut001 <pgut001 at wintermute01.cs.auckland.ac.nz>

Martin Rex <Martin.Rex at sap.com> writes:

>Microsoft's implementation (which could be the one referred to by
>Larry's implementation) has a silly design flaw in its TLS renogiation,
>and I'm not sure that the previous text is a way to fix it.
>
>It is possible to configure Microsoft IIS in a fashion so that it
>will first perform a TLS handshake with a server-only authentication,
>and after having received the HTTP request, it will re-negotiate and
>ask for a client certificate.

It's not necessarily a design flaw, AFAIK it's a performance optimisation to 
avoid the server having to maintain state/leave a connection open for an 
arbitrary amount of time while the user fumbles around with smart cards and 
certificates and whatnot.

Peter.

Follow-Ups:
- Re: [TLS] RESOLVED (Re: [sasl] lasgt call comments (st Call:
  - From: Martin Rex

References:
- Re: [TLS] RESOLVED (Re: [sasl] lasgt call comments (st Call:
  - From: Martin Rex

Prev by Date: Re: [TLS] Server Signature Algorithms
Next by Date: Re: [TLS] RESOLVED (Re: [sasl] lasgt call comments (st Call:
Previous by thread: Re: [TLS] RESOLVED (Re: [sasl] lasgt call comments (st Call:
Next by thread: Re: [TLS] RESOLVED (Re: [sasl] lasgt call comments (st Call:
Index(es):
- Date
- Thread

Re: [TLS] RESOLVED (Re: [sasl] lasgt call comments (st Call:

Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.