Re: [TLS] draft-rescorla-tls-renegotiate and MITM resistance

To: Martin Rex <mrex at sap.com>
Subject: Re: [TLS] draft-rescorla-tls-renegotiate and MITM resistance
From: Nicolas Williams <Nicolas.Williams at sun.com>
Date: Mon, 9 Nov 2009 16:34:18 -0600
Cc: tls at ietf.org
Delivered-to: tls at core3.amsl.com
In-reply-to: <200911092152.nA9LqVkW000963 at fs4113.wdf.sap.corp>
List-archive: <http://www.ietf.org/mail-archive/web/tls>
List-help: <mailto:tls-request@ietf.org?subject=help>
List-id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-post: <mailto:tls@ietf.org>
List-subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
List-unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
References: <006FEB08D9C6444AB014105C9AEB133FB36A4EBF03 at il-ex01.ad.checkpoint.com> <200911092152.nA9LqVkW000963 at fs4113.wdf.sap.corp>
User-agent: Mutt/1.5.7i

On Mon, Nov 09, 2009 at 10:52:31PM +0100, Martin Rex wrote:
> I whish there was a constraint that an identity/certificate that has
> been established for a party during the TLS handshake MUST not change
> during re-negotiation, but _none_ of the current SSL&TLS specs has
> such a constraint, so the issue of identity change is currently
> dumped as a responsibility onto the application.
> 
> I am certainly in favour of locking this down for the renegotiation.
> I believe it is irresponsible to leave this un(der)specified as it is.

+1

This is the right time to add such a constraint.

I wouldn't be surprised if there are clients (for IMAP? LDAP?) that take
advantage of this to allow the user to switch "hats" without
reconnecting though.

> As previously described in another message, the current spec has a
> requirement that additonal application data may be arbitrarily
> interleaved with a renegotiation handshake.  I think this requirement
> makes a security assessment of the protocol impossible for changing
> identities.

Or at least really difficult.

> Personally, I would it find much cleaner if the semantics for the
> renegotiation would require the TLS peers to suspend transmission
> of application data while performing TLS renegotiation,
> i.e.

+1

This is the right time to add such a constraint.

Unlike a "authenticated identities can't change" constraint, this could
be implemented without conceivable app protocols being broken, I think,
but it may require API changes for some implementations, and that it may
put this change out of reach.

Nico
--

Follow-Ups:
- Re: [TLS] draft-rescorla-tls-renegotiate and MITM resistance
  - From: Marsh Ray

References:
- Re: [TLS] draft-rescorla-tls-renegotiate and MITM resistance
  - From: Yoav Nir
- Re: [TLS] draft-rescorla-tls-renegotiate and MITM resistance
  - From: Martin Rex

Prev by Date: Re: [TLS] assert TLSext in renego-ServerHello instead of disable renego
Next by Date: Re: [TLS] draft-rescorla-tls-renegotiate and MITM resistance
Previous by thread: Re: [TLS] draft-rescorla-tls-renegotiate and MITM resistance
Next by thread: Re: [TLS] draft-rescorla-tls-renegotiate and MITM resistance
Index(es):
- Date
- Thread

Re: [TLS] draft-rescorla-tls-renegotiate and MITM resistance

Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.