Re: [TLS] draft-rescorla-tls-renegotiate and MITM resistance

To: Nicolas Williams <Nicolas.Williams at sun.com>, Marsh Ray <marsh at extendedsubset.com>
Subject: Re: [TLS] draft-rescorla-tls-renegotiate and MITM resistance
From: Steve Dispensa <dispensa at phonefactor.com>
Date: Tue, 10 Nov 2009 13:21:46 -0600
Cc: tls at ietf.org
Delivered-to: tls at core3.amsl.com
In-reply-to: <20091110181544.GW1105 at Sun.COM>
List-archive: <http://www.ietf.org/mail-archive/web/tls>
List-help: <mailto:tls-request@ietf.org?subject=help>
List-id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-post: <mailto:tls@ietf.org>
List-subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
List-unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
Thread-index: AcpiOwr2wV5krGuUk0S+Ovc7Bvw9YQ==
Thread-topic: [TLS] draft-rescorla-tls-renegotiate and MITM resistance
User-agent: Microsoft-Entourage/12.20.0.090605

On 11/10/09 12:15 PM, "Nicolas Williams" <Nicolas.Williams at sun.com> wrote:

> On Tue, Nov 10, 2009 at 12:02:06PM -0600, Marsh Ray wrote:
>> Nicolas Williams wrote:
>>> On Mon, Nov 09, 2009 at 10:08:53PM -0600, Marsh Ray wrote:
>>> 
>>> TLS connections are not so long lived
>> 
>> But there is no defined upper limit.
> 
> True, and indeed, IMAP depends on that.  Are there IMAP/other servers
> the request re-negotiation when a client's cert reaches/nears
> expiration?

Has anyone considered SSL VPN's and/or things like GoToMyPC?

> If so then my assertion that we don't have to worry about key rollover/
> cert expiration would be wrong.  Indeed, it's safer to assume that that
> assertion was wrong as finding out for sure would be hard.

OTOH, we could require that app-level protocols support re-establishment of
the underlying TLS session once crypto state gets stale (in the opinion of
either client or server).

 -Steve

References:
- Re: [TLS] draft-rescorla-tls-renegotiate and MITM resistance
  - From: Nicolas Williams

Prev by Date: Re: [TLS] draft-rescorla-tls-renegotiate and MITM resistance
Next by Date: [TLS] TLSrenego - current summary of semantics and possibilities
Previous by thread: Re: [TLS] draft-rescorla-tls-renegotiate and MITM resistance
Next by thread: Re: [TLS] draft-rescorla-tls-renegotiate and MITM resistance
Index(es):
- Date
- Thread

Re: [TLS] draft-rescorla-tls-renegotiate and MITM resistance

Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.