[TLS] New Problem (Was: Last Call: draft-altman-tls-channel-bindings)

To: Larry Zhu <larry.zhu at microsoft.com>
Subject: [TLS] New Problem (Was: Last Call: draft-altman-tls-channel-bindings)
From: Nicolas Williams <Nicolas.Williams at sun.com>
Date: Wed, 4 Nov 2009 16:47:42 -0600
Cc: "channel-binding at ietf.org" <channel-binding at ietf.org>, "tls at ietf.org" <tls at ietf.org>, "sasl at ietf.org" <sasl at ietf.org>
Delivered-to: tls at core3.amsl.com
In-reply-to: <D3DC9D45B39CFC4CB312B2DD279B354C29BBA0B3 at TK5EX14MBXW653.wingroup.windeploy.ntdev.microsoft.com>
List-archive: <http://www.ietf.org/mail-archive/web/tls>
List-help: <mailto:tls-request@ietf.org?subject=help>
List-id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-post: <mailto:tls@ietf.org>
List-subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
List-unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
References: <20091005162704.8C1B43A6873 at core3.amsl.com> <D3DC9D45B39CFC4CB312B2DD279B354C29BADFF7 at TK5EX14MBXW653.wingroup.windeploy.ntdev.microsoft.com> <20091030223647.GO1105 at Sun.COM> <D3DC9D45B39CFC4CB312B2DD279B354C29BBA0B3 at TK5EX14MBXW653.wingroup.windeploy.ntdev.microsoft.com>
User-agent: Mutt/1.5.7i

On Wed, Nov 04, 2009 at 10:13:46PM +0000, Larry Zhu wrote:
> The proposed looks fine. Thanks,

Thanks.

HOWEVER, Martin's post to the TLS WG list about MITM attacks in
re-negotiations is relevant.

Re-negotiations have no real binding between inner and outer
connections.  Clients can enforce that the server end-point is the same
(has the same certificate, whatever) for both connections: inner and
outer.  Servers can also force the inner connection to change cipher
specs.  But suppose that the outer connection used an TLS_DH_anon_*
cipher suite!  Then there is no binding whatsoever between the inner and
outer connection.  And then we have a real problem for tls-unique.

We need at least a security considerations note about this.  But we
should also consider changing tls-unique to be the client's Finished
message for the _inner-most_ TLS connection, not outer-most.
(Outer-most is OK IFF there's a binding between each channel.)

Comments?

Nico
--

Follow-Ups:
- Re: [TLS] New Problem (Was: Last Call: draft-altman-tls-channel-bindings)
  - From: Larry Zhu

References:
- [TLS] Last Call: draft-altman-tls-channel-bindings (Channel Bindings for TLS) to Proposed Standard
  - From: The IESG
- [TLS] RESOLVED (Re: [sasl] lasgt call comments (st Call: draft-altman-tls-channel-bindings (Channel Bindings for TLS) to Proposed Standard))
  - From: Nicolas Williams
- Re: [TLS] RESOLVED (Re: [sasl] lasgt call comments (st Call: draft-altman-tls-channel-bindings (Channel Bindings for TLS) to Proposed Standard))
  - From: Larry Zhu

Prev by Date: Re: [TLS] Interest in taking draft-seggelmann-tls-dtls-heartbeat-01 as a working group item
Next by Date: Re: [TLS] New Problem (Was: Last Call: draft-altman-tls-channel-bindings)
Previous by thread: Re: [TLS] RESOLVED (Re: [sasl] lasgt call comments (st Call: draft-altman-tls-channel-bindings (Channel Bindings for TLS) to Proposed Standard))
Next by thread: Re: [TLS] New Problem (Was: Last Call: draft-altman-tls-channel-bindings)
Index(es):
- Date
- Thread

[TLS] New Problem (Was: Last Call: draft-altman-tls-channel-bindings)

Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.