[TLS] Unrelated (Re: [CHANNEL-BINDING] RESOLVED (Re: [sasl] lasgt call comments (st Call:)

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[TLS] Unrelated (Re: [CHANNEL-BINDING] RESOLVED (Re: [sasl] lasgt call comments (st Call:)

To: mrex at sap.com
Subject: [TLS] Unrelated (Re: [CHANNEL-BINDING] RESOLVED (Re: [sasl] lasgt call comments (st Call:)
From: Nicolas Williams <Nicolas.Williams at sun.com>
Date: Tue, 3 Nov 2009 16:20:45 -0600
Cc: channel-binding at ietf.org, tls at ietf.org, sasl at ietf.org
Delivered-to: tls at core3.amsl.com
In-reply-to: <200911031243.nA3ChGLw017926 at fs4113.wdf.sap.corp>
List-archive: <http://www.ietf.org/mail-archive/web/tls>
List-help: <mailto:tls-request@ietf.org?subject=help>
List-id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-post: <mailto:tls@ietf.org>
List-subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
List-unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
References: <E1N5FLb-0003cr-Qk at wintermute01.cs.auckland.ac.nz> <200911031243.nA3ChGLw017926 at fs4113.wdf.sap.corp>
User-agent: Mutt/1.5.7i

On Tue, Nov 03, 2009 at 01:43:16PM +0100, Martin Rex wrote:
> Peter Gutmann wrote:
> > Martin Rex <Martin.Rex at sap.com> writes:
> > >Microsoft's implementation (which could be the one referred to by
> > >Larry's implementation) has a silly design flaw in its TLS renogiation,
> > >and I'm not sure that the previous text is a way to fix it.
> > >
> > >It is possible to configure Microsoft IIS in a fashion so that it
> > >will first perform a TLS handshake with a server-only authentication,
> > >and after having received the HTTP request, it will re-negotiate and
> > >ask for a client certificate.
> > 
> 
> I was refering to a design flaw in server-side session caching of
> Microsoft IIS (the Server) when it is configured to perform renegotiation
> in order to obtain a client certificate after having seen and evaluated
> the request.

Why is that a problem?  The request will have named a document, but if
you're using confidentiality protection then so what?  The client knows
the document name, and so does the server.  Authorization _correctly_
happens when the access request is made.  That the necessary user
authentication step is delayed until authorization is needed doesn't
strike me as a problem -- it's a feature.

After all some documents may have anonymous access, and some may
require user authentication.  If the server requested user
authentication prior to knowing what document the client wants to
access, then it will force an ugly interaction on users that only want
to access documents that require no user authentication.

Nico
--

Follow-Ups:
- Re: [TLS] Unrelated (Re: [CHANNEL-BINDING] RESOLVED (Re: [sasl] lasgt call comments (st Call:)
  - From: Martin Rex

References:
- Re: [TLS] RESOLVED (Re: [sasl] lasgt call comments (st Call:
  - From: Peter Gutmann
- Re: [TLS] RESOLVED (Re: [sasl] lasgt call comments (st Call:
  - From: Martin Rex

Prev by Date: Re: [TLS] [CHANNEL-BINDING] RESOLVED (Re: [sasl] lasgt call comments (st Call:
Next by Date: Re: [TLS] [CHANNEL-BINDING] RESOLVED (Re: [sasl] lasgt call comments (st Call:
Previous by thread: Re: [TLS] RESOLVED (Re: [sasl] lasgt call comments (st Call:
Next by thread: Re: [TLS] Unrelated (Re: [CHANNEL-BINDING] RESOLVED (Re: [sasl] lasgt call comments (st Call:)
Index(es):
- Date
- Thread

[TLS] Unrelated (Re: [CHANNEL-BINDING] RESOLVED (Re: [sasl] lasgt call comments (st Call:)

Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.