Re: [TLS] TLS renegotiation issue

On Fri, Nov 06, 2009 at 12:51:59AM +0100, Martin Rex wrote:
> Nicolas Williams wrote:
> > 
> > On Thu, Nov 05, 2009 at 10:16:11AM -0800, Eric Rescorla wrote:
> > > I now have a draft extension up at:
> > > 
> > > https://svn.resiprocate.org/rep/ietf-drafts/ekr/draft-rescorla-tls-renegotiate.txt
> > > https://svn.resiprocate.org/rep/ietf-drafts/ekr/draft-rescorla-tls-renegotiate.xml
> > > 
> > > Comments welcome.
> > 
> > More comments:
> > 
> >  - Consider an implementation like Windows' SSPI-based implementation.
> >    Or, for that matter, the old GGF (Global Grid Forum) GSS-API
> >    interface to TLS.
> 
> This strikes me as really odd!

What's odd?

> Btw. does GGF really require renegotiation?  What is so impossible
> about asking for a client cert in the initial TLS handshake?

Did I say that?  No.  Please don't read into what I wrote.

But note that with a GGF GSS-API-based implementation of TLS you _can_
do re-negotiation!  It's simple really.  And it shows that there's no
link between the inner and outer connections (here, security contexts),
except that the outer one protects the inner's handshake (here, security
context token exchange).  (Well, also, the app needs to know if the
server sent a ChangeCipherSpec message, so that it can switch to using
the inner security context for all subsequent wrap tokens.)

Nico