Re: [TLS] [CHANNEL-BINDING] New Problem (Was: Last Call: draft-altman-tls-channel-bindings)

On Thu, Nov 05, 2009 at 12:03:41AM +0000, Larry Zhu wrote:
> I think this is good as is. The mentioned issue is in the TLS itself,
> at which layer it knows very well what a TLS connection is, so we do
> not have any of the confusions related to what I mentioned.

I'm inclined to agree.  In fact, changing tls-unique would have zero
effect in an HTTPS context if authentication would likely be happening
before the server requests a re-negotiation, and if it happens after
re-negotiation then it's too late no matter what.

Therefore I see that we don't need to change tls-unique at all.

> Now some comments on the alternative proposals, I would prefer a
> stable identifier for the channel. If the name of the channel
> constantly changes when TLS renegotiates, it is a bad taste in the
> mouth for me.

tls-server-end-point channel bindings are that.  tls-unique is a unique
type of CB, which means it must be different every time.

We can't have any sort of non-unique channel binding for
anonymous-anonymous channels.  We can have them for
anonymous-pseudonymous channels, but we can't create those from where
we stand.

Nico
-- 

Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.
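The distinction drawn in the reply, as an added example that is not part of the thread: tls-unique is taken from the most recent handshake and so changes on every renegotiation, while tls-server-end-point is derived from the server certificate alone and stays stable. The definitions and the hash-selection rule are assumed from RFC 5929 (the published form of the draft under discussion); the certificate bytes and Finished values are constructed stand-ins.

```python
import hashlib

# RFC 5929 sec. 4.1 (assumed): hash the DER certificate with the hash of its
# signature algorithm, except that MD5 and SHA-1 are replaced by SHA-256.
_WEAK_HASHES = {"md5", "sha1"}


def tls_server_end_point(der_cert: bytes, sig_hash: str) -> bytes:
    """Channel binding derived only from the server certificate.

    It does not depend on handshake state, so it is the same before and
    after a renegotiation as long as the same certificate is presented."""
    name = "sha256" if sig_hash.lower() in _WEAK_HASHES else sig_hash.lower()
    return hashlib.new(name, der_cert).digest()


def tls_unique(finished_msgs: list) -> bytes:
    """Channel binding = first Finished message *sent* in the most recent
    handshake (RFC 5929 sec. 3.1, assumed). finished_msgs is a list of
    (sender, verify_data) in send order; a renegotiation produces a new
    handshake and therefore a new value."""
    _sender, verify_data = finished_msgs[0]
    return verify_data


def simulate_connection() -> list:
    """Model one connection: an initial handshake followed by a renegotiation.
    Returns the channel-binding values observed after each handshake."""
    # Constructed stand-in for a DER-encoded server certificate (not real DER).
    der_cert = b"\x30\x82\x01\x00CONSTRUCTED-SERVER-CERT"
    bindings = []
    for transcript in (b"initial-handshake", b"renegotiation-handshake"):
        # Constructed stand-in for verify_data, which in TLS is a PRF over the
        # handshake transcript and so differs between the two handshakes.
        client_fin = hashlib.sha256(b"client finished" + transcript).digest()[:12]
        server_fin = hashlib.sha256(b"server finished" + transcript).digest()[:12]
        finished = [("client", client_fin), ("server", server_fin)]  # full handshake
        bindings.append({
            "tls-unique": tls_unique(finished),
            "tls-server-end-point": tls_server_end_point(der_cert, "sha1"),
        })
    return bindings


if __name__ == "__main__":
    before, after = simulate_connection()
    print("tls-unique changed:", before["tls-unique"] != after["tls-unique"])
    print("tls-server-end-point stable:",
          before["tls-server-end-point"] == after["tls-server-end-point"])
```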