Re: [TLS] lasgt call comments (st Call: draft-altman-tls-channel-bindings (Channel Bindings for TLS) to Proposed Standard)

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [TLS] lasgt call comments (st Call: draft-altman-tls-channel-bindings (Channel Bindings for TLS) to Proposed Standard)

To: Nicolas Williams <Nicolas.Williams at sun.com>
Subject: Re: [TLS] lasgt call comments (st Call: draft-altman-tls-channel-bindings (Channel Bindings for TLS) to Proposed Standard)
From: Simon Josefsson <simon at josefsson.org>
Date: Wed, 04 Nov 2009 20:26:30 +0100
Cc: channel-binding at ietf.org, tls at ietf.org, sasl at ietf.org
Delivered-to: tls at core3.amsl.com
In-reply-to: <20091104181257.GY1105 at Sun.COM> (Nicolas Williams's message of "Wed, 4 Nov 2009 12:12:58 -0600")
List-archive: <http://www.ietf.org/mail-archive/web/tls>
List-help: <mailto:tls-request@ietf.org?subject=help>
List-id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-post: <mailto:tls@ietf.org>
List-subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
List-unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
Openpgp: id=B565716F; url=http://josefsson.org/key.txt
References: <20091005162704.8C1B43A6873 at core3.amsl.com> <D3DC9D45B39CFC4CB312B2DD279B354C29BAE0E5 at TK5EX14MBXW653.wingroup.windeploy.ntdev.microsoft.com> <87ocnrpq0f.fsf at mocca.josefsson.org> <87hbtjppfa.fsf at mocca.josefsson.org> <808FD6E27AD4884E94820BC333B2DB774E7F7C5641 at NOK-EUMSG-01.mgdnok.nokia.com> <87bpjico8b.fsf at mocca.josefsson.org> <20091104181257.GY1105 at Sun.COM>
User-agent: Gnus/5.110011 (No Gnus v0.11) Emacs/23.1 (gnu/linux)

Nicolas Williams <Nicolas.Williams at sun.com> writes:

> On Wed, Nov 04, 2009 at 04:18:44PM +0100, Simon Josefsson wrote:
>> <Pasi.Eronen at nokia.com> writes:
>> 
>> > Can you check if the latest text proposals (Nico's email on 
>> > October 30th, starting "I spoke at length with Larry", and 
>> > my email earlier today) make the situation clearer?
>> 
>> I have the same question as Martin Rex: what is the actual semantic that
>> is wanted?  I thought I understood what was intended, but given this
>> discussion my understanding of what was intended may have been wrong.
>
> The desired semantic is that tls-unique channel bindings are a channel
> binding in the RFC5056 sense, for a "TLS channel", with this particular
> feature (from the I-D):
>
>    o  Channel binding type: unique
>
> (which RFC5056 defines).
>
> Was this not utterly clear already?  How could it not have been?
>
> The only possible point of contention from the above description is just
> what a "TLS channel" might be.  And the only reasons for that are:
>
>  - RFC5246 and predecessors don't define a name for what we've been
>    calling a "TLS connection";
>
>  - Session resumption might cause someone to be confused and think that
>    tls-unique refers to the client's Finished message from the resumed
>    session;
>
>  - Re-negotiation might cause someone to be confused and think that
>    tls-unique refers to the client's Finished message from the
>    re-negotiated "TLS connection".
>
> Let's dispose of these for once and for all:
>
>  - We shall use "TLS connection" to refer to the TLS state created by an
>    exchange beginning with a Client Hello message, followed by a TLS
>    handshake sequence (which involves a ServerHello, a variety of
>    optional messages such as Certificate, and ends in an optional
>    ChangeCipherSpec message exchange) followed by an exchange of
>    Finished messages.
>
>  - Session resumption establishes new state as per the previous
>    definition of "TLS connection", therefore it establishes a new "TLS
>    connection", even though session resumption does NOT establish a new
>    session.  Therefore, the tls-unique channel binding for a "TLS
>    connection" that resumes a session, MUST be the client's Finished
>    message from the new connection, not the old session.
>
>  - Re-negotiation consists of initiating a new "TLS connection" while
>    using another "TLS connection" record layer for integrity (and
>    usually also confidentiality) protection of the re-negotiation.
>
>    As such re-negotiation creates a new "TLS connection".  In this case
>    want the tls-unique channel binding to be used by the application to
>    be that of the first "TLS connection", that is, the one whose
>    ClientHello and handshake were not protected by any other "TLS
>    connection".
>
>    (It follows that even if the client does N re-negotiations, where N >
>    2, we still want the application to use the tls-unique channel
>    binding of the first "TLS connection", the one whose handshake was
>    not protected by any other "TLS connection".)
>
> Therefore a "TLS channel" is really: a "TLS connection", as defined
> above, whose handshake was not protected by any other "TLS connection".
>
> This is a significantly more rigorous description than the ones we've
> discussed so far.  Do you agree that it's air-tight?  Should I propose
> new text that adds the above definitions of "TLS connection" and "TLS
> channel"?  I think I should, so I will, shortly.

With that definition, one couldn't use tls-unique channel binding to
bind to the authentication credentials associated with a TLS channel
uniquely -- a TLS re-negotiation doesn't change the channel binding
data, but it may change the authentication credentials.

I believe that problem needs to be explained in the security
consideration -- it would be easy to think that channel binding data can
be used to get a cryptographic association with the user credentials
used for that channel.

Otherwise I don't see any problem with this definition.

/Simon

Follow-Ups:
- Re: [TLS] lasgt call comments (st Call: draft-altman-tls-channel-bindings (Channel Bindings for TLS) to Proposed Standard)
  - From: Nicolas Williams

References:
- [TLS] Last Call: draft-altman-tls-channel-bindings (Channel Bindings for TLS) to Proposed Standard
  - From: The IESG
- Re: [TLS] lasgt call comments (st Call: draft-altman-tls-channel-bindings (Channel Bindings for TLS) to Proposed Standard)
  - From: Larry Zhu
- Re: [TLS] lasgt call comments (st Call: draft-altman-tls-channel-bindings (Channel Bindings for TLS) to Proposed Standard)
  - From: Simon Josefsson
- Re: [TLS] lasgt call comments (st Call: draft-altman-tls-channel-bindings (Channel Bindings for TLS) to Proposed Standard)
  - From: Simon Josefsson
- Re: [TLS] lasgt call comments (st Call: draft-altman-tls-channel-bindings (Channel Bindings for TLS) to Proposed Standard)
  - From: Pasi.Eronen
- Re: [TLS] lasgt call comments (st Call: draft-altman-tls-channel-bindings (Channel Bindings for TLS) to Proposed Standard)
  - From: Simon Josefsson
- Re: [TLS] [sasl] lasgt call comments (st Call: draft-altman-tls-channel-bindings (Channel Bindings for TLS) to Proposed Standard)
  - From: Nicolas Williams

Prev by Date: Re: [TLS] [CHANNEL-BINDING] RESOLVED (Re: [sasl] lasgt call comments (st Call: draft-altman-tls-channel-bindings (Channel Bindings for TLS) to Proposed Standard))
Next by Date: Re: [TLS] lasgt call comments (st Call: draft-altman-tls-channel-bindings (Channel Bindings for TLS) to Proposed Standard)
Previous by thread: Re: [TLS] [sasl] lasgt call comments (st Call: draft-altman-tls-channel-bindings (Channel Bindings for TLS) to Proposed Standard)
Next by thread: Re: [TLS] lasgt call comments (st Call: draft-altman-tls-channel-bindings (Channel Bindings for TLS) to Proposed Standard)
Index(es):
- Date
- Thread

Re: [TLS] lasgt call comments (st Call: draft-altman-tls-channel-bindings (Channel Bindings for TLS) to Proposed Standard)

Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.