Re: [TLS] New Problem (Was: Last Call: draft-altman-tls-channel-bindings)

[Larry Zhu <larry.zhu at microsoft.com>]

I think this is good as is. The mentioned issue is in the TLS itself at which layer it knows every well what a TLS connection is so we do not have any confusions related to I mentioned.

Now some comments on the alternative proposals, I would prefer a stable identifier for the channel. If the name of the channel constantly changes when TLS renegotiates, it is a bad taste in the mouth for me.


-----Original Message-----
From: tls-bounces at ietf.org [mailto:tls-bounces at ietf.org] On Behalf Of Nicolas Williams
Sent: Wednesday, November 04, 2009 2:48 PM
To: Larry Zhu
Cc: channel-binding at ietf.org; tls at ietf.org; sasl at ietf.org
Subject: [TLS] New Problem (Was: Last Call: draft-altman-tls-channel-bindings)

On Wed, Nov 04, 2009 at 10:13:46PM +0000, Larry Zhu wrote:
> The proposed looks fine. Thanks,

Thanks.

HOWEVER, Martin's post to the TLS WG list about MITM attacks in
re-negotiations is relevant.

Re-negotiations have no real binding between inner and outer
connections.  Clients can enforce that the server end-point is the same
(has the same certificate, whatever) for both connections: inner and
outer.  Servers can also force the inner connection to change cipher
specs.  But suppose that the outer connection used an TLS_DH_anon_*
cipher suite!  Then there is no binding whatsoever between the inner and
outer connection.  And then we have a real problem for tls-unique.

We need at least a security considerations note about this.  But we
should also consider changing tls-unique to be the client's Finished
message for the _inner-most_ TLS connection, not outer-most.
(Outer-most is OK IFF there's a binding between each channel.)

Comments?

Nico
-- 
_______________________________________________
TLS mailing list
TLS at ietf.org
https://www.ietf.org/mailman/listinfo/tls