Re: [TLS] draft-rescorla-tls-renegotiate and MITM resistance

To: Marsh Ray <marsh at extendedsubset.com>
Subject: Re: [TLS] draft-rescorla-tls-renegotiate and MITM resistance
From: Nicolas Williams <Nicolas.Williams at sun.com>
Date: Tue, 10 Nov 2009 10:46:09 -0600
Cc: tls at ietf.org
Delivered-to: tls at core3.amsl.com
In-reply-to: <4AF8E755.5020208 at extendedsubset.com>
List-archive: <http://www.ietf.org/mail-archive/web/tls>
List-help: <mailto:tls-request@ietf.org?subject=help>
List-id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-post: <mailto:tls@ietf.org>
List-subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
List-unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
References: <006FEB08D9C6444AB014105C9AEB133FB36A4EBF03 at il-ex01.ad.checkpoint.com> <200911092152.nA9LqVkW000963 at fs4113.wdf.sap.corp> <20091109223417.GK1105 at Sun.COM> <4AF8E755.5020208 at extendedsubset.com>
User-agent: Mutt/1.5.7i

On Mon, Nov 09, 2009 at 10:08:53PM -0600, Marsh Ray wrote:
> Nicolas Williams wrote:
> > On Mon, Nov 09, 2009 at 10:52:31PM +0100, Martin Rex wrote:
> >> I whish there was a constraint that an identity/certificate that has
> >> been established for a party during the TLS handshake MUST not change
> >> during re-negotiation,
> 
> Hmm, few questions about that plan:
> 
> Is this currently a defined concept in TLS: equivalence of identity?

TLS connections are not so long lived that we should worry about issues
such as, for example, public key rollover or certificate expiration
during a connection's lifetime.  Therefore a simple Certificate octet-
for-octet comparison will do for identity comparison.  Anything more
complicated than that (and anon->non-anon) would make Martin's proposal
too unqieldy to consider at this point, and possibly ever.

> Isn't that one of the major uses of renegotiation? To change identity?

But only from anonymous to non-anonymous, right?  That's also easy to
specify.

> Perhaps you want to allow identities to be "strengthened" but not
> "weakened". Is this another new concept in TLS: are identities required
> to be partially- or fully-ordered?
> 
> It's starting to sound like that question about ciphersuites being
> ordered according to strength.

No, I don't think so.  Ordering cipher suites by strength is a complex
topic that I'd rather avoid for the specific enhancement that Martin
proposes.

> Would that make it illegal to resume a previous session over the same
> underlying connection if it could not be proven it was "the same" identity?

There's no authentication during session resumption handshakes --
there's only proving that both peers remember the relevant state,
including master secret.

> What if the session's identity were strengthened? Could you end up in a
> situation where a session could be resumed on any of several other
> connections except the one on which it originated!

I'm not sure I follow.  See above.

Nico
--

Follow-Ups:
- Re: [TLS] draft-rescorla-tls-renegotiate and MITM resistance
  - From: Marsh Ray

References:
- Re: [TLS] draft-rescorla-tls-renegotiate and MITM resistance
  - From: Yoav Nir
- Re: [TLS] draft-rescorla-tls-renegotiate and MITM resistance
  - From: Martin Rex
- Re: [TLS] draft-rescorla-tls-renegotiate and MITM resistance
  - From: Nicolas Williams
- Re: [TLS] draft-rescorla-tls-renegotiate and MITM resistance
  - From: Marsh Ray

Prev by Date: Re: [TLS] TLS Renegotiation - Any implications to EAP-TLS ?
Next by Date: Re: [TLS] assert TLSext in renego-ServerHello instead of disable renego
Previous by thread: Re: [TLS] draft-rescorla-tls-renegotiate and MITM resistance
Next by thread: Re: [TLS] draft-rescorla-tls-renegotiate and MITM resistance
Index(es):
- Date
- Thread

Re: [TLS] draft-rescorla-tls-renegotiate and MITM resistance

Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.