Re: [TLS] draft-rescorla-tls-renegotiate and MITM resistance

To: Nicolas Williams <Nicolas.Williams at sun.com>
Subject: Re: [TLS] draft-rescorla-tls-renegotiate and MITM resistance
From: Marsh Ray <marsh at extendedsubset.com>
Date: Mon, 09 Nov 2009 22:08:53 -0600
Cc: tls at ietf.org
Delivered-to: tls at core3.amsl.com
In-reply-to: <20091109223417.GK1105 at Sun.COM>
List-archive: <http://www.ietf.org/mail-archive/web/tls>
List-help: <mailto:tls-request@ietf.org?subject=help>
List-id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-post: <mailto:tls@ietf.org>
List-subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
List-unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
Openpgp: id=1E36DBF2
References: <006FEB08D9C6444AB014105C9AEB133FB36A4EBF03 at il-ex01.ad.checkpoint.com> <200911092152.nA9LqVkW000963 at fs4113.wdf.sap.corp> <20091109223417.GK1105 at Sun.COM>
User-agent: Thunderbird 2.0.0.23 (Windows/20090812)

Nicolas Williams wrote:
> On Mon, Nov 09, 2009 at 10:52:31PM +0100, Martin Rex wrote:
>> I whish there was a constraint that an identity/certificate that has
>> been established for a party during the TLS handshake MUST not change
>> during re-negotiation,

Hmm, few questions about that plan:

Is this currently a defined concept in TLS: equivalence of identity?

Isn't that one of the major uses of renegotiation? To change identity?
That seems to be the entire point of the observed cases of renegotiation
in https. Even if the only case we know of is a transition from an
anonymous identity to a client-certified one, such a new constraint
seems a bit pointless and likely to break someone.

Perhaps you want to allow identities to be "strengthened" but not
"weakened". Is this another new concept in TLS: are identities required
to be partially- or fully-ordered?

It's starting to sound like that question about ciphersuites being
ordered according to strength.

Would that make it illegal to resume a previous session over the same
underlying connection if it could not be proven it was "the same" identity?

What if the session's identity were strengthened? Could you end up in a
situation where a session could be resumed on any of several other
connections except the one on which it originated!

- Marsh

Follow-Ups:
- Re: [TLS] draft-rescorla-tls-renegotiate and MITM resistance
  - From: Martin Rex
- Re: [TLS] draft-rescorla-tls-renegotiate and MITM resistance
  - From: Nicolas Williams

References:
- Re: [TLS] draft-rescorla-tls-renegotiate and MITM resistance
  - From: Yoav Nir
- Re: [TLS] draft-rescorla-tls-renegotiate and MITM resistance
  - From: Martin Rex
- Re: [TLS] draft-rescorla-tls-renegotiate and MITM resistance
  - From: Nicolas Williams

Prev by Date: Re: [TLS] draft-rescorla-tls-renegotiate and MITM resistance
Next by Date: Re: [TLS] draft-rescorla-tls-renegotiate and MITM resistance
Previous by thread: Re: [TLS] draft-rescorla-tls-renegotiate and MITM resistance
Next by thread: Re: [TLS] draft-rescorla-tls-renegotiate and MITM resistance
Index(es):
- Date
- Thread

Re: [TLS] draft-rescorla-tls-renegotiate and MITM resistance

Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.