Re: [TLS] Proposal for hybrid solution using most of the ideas
Nasko Oskov wrote:
> >
> >I think we agree that an upgraded finished calculation is not a dirty hack.
> >This is what future versions of TLS will use by default.
>
> Agreed.
So far it is actually an upgraded handshake message hash calculation for
the renegotiation handshake. TLS extension RI uses two extra layers
of wrapping

    ExtendedServerHello(
        TLS-extension-RI(
            previous.Client.Finished.verify_data
            | previous.Server.Finished.verify_data
        )
    )

whereas I'm preferring a more environmentalist approach, adding
the verify_data of the previous Client.Finished and Server.Finished
directly to the handshake message hash without any gift wrapping.
>
> Yes, we might be missing something else. The reason I picked the Certificate
> message is that it is dynamic size by default, so we don't have to alter
> existing data, just append.
To me that feels very wrong to use the Certificate message.
I'm convinced that it should go into the ServerHello. I'm not
questioning that ServerHello is the correct place for all of the
cryptographic parameters _and_ the TLS extensions.
The Certificate message is not part of TLS handshakes with
server-anonymous ciphersuites and it is equally missing on
TLS session resume handshakes and I _really_ want to have
the server signal on each and every TLS handshake!
I would not even try to think about justifications why it might
be OK to omit it on some of the handshakes (My intuition says,
this is going to come back at us one way or the other if we did this).
>
> I realize I could've been more precise in my initial proposal. This is
> exactly the essence of it. Finished calculations are the same across the
> board, just signaling is different. TLS to use extensions, SSLv3 to use
> whatever hack we agree on.
This would add to the complexity of the solution and double the
interop testing scenarios.
Why use two signaling mechanisms where one is perfectly sufficient?
-Martin
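
The two layers of wrapping described in the message, as an added example that is not part of the original post: a client-side check that a renegotiation ServerHello carries the RI extension with both previous verify_data values. It assumes the encoding later published in RFC 5746 (extension type 0xff01, one-byte length prefix); the function names and the 12-byte sample verify_data are constructed for illustration.

```python
import hmac
import struct

RENEGOTIATION_INFO = 0xFF01  # extension type as assigned in RFC 5746 (assumption)


def wrap_ri(client_vd: bytes, server_vd: bytes) -> bytes:
    """Build a ServerHello extensions block carrying only the RI extension."""
    payload = client_vd + server_vd
    body = bytes([len(payload)]) + payload        # renegotiated_connection<0..255>
    ext = struct.pack("!HH", RENEGOTIATION_INFO, len(body)) + body
    return struct.pack("!H", len(ext)) + ext      # outer extensions list length


def parse_extensions(block: bytes) -> dict:
    """Parse an extensions block into {type: data}, rejecting bad lengths."""
    if len(block) < 2 or struct.unpack("!H", block[:2])[0] != len(block) - 2:
        raise ValueError("bad extensions length")
    exts, off = {}, 2
    while off < len(block):
        if off + 4 > len(block):
            raise ValueError("truncated extension header")
        etype, elen = struct.unpack("!HH", block[off:off + 4])
        off += 4
        if off + elen > len(block):
            raise ValueError("truncated extension body")
        if etype in exts:
            raise ValueError("duplicate extension")
        exts[etype] = block[off:off + elen]
        off += elen
    return exts


def server_ri_ok(block: bytes, client_vd: bytes, server_vd: bytes) -> bool:
    """Client-side check of the server's RI on a renegotiation handshake."""
    try:
        data = parse_extensions(block).get(RENEGOTIATION_INFO)
    except ValueError:
        return False
    # A missing extension or an inconsistent inner length fails closed.
    if not data or data[0] != len(data) - 1:
        return False
    return hmac.compare_digest(data[1:], client_vd + server_vd)


# Constructed sample values: 12-byte verify_data, as in TLS 1.0-1.2.
CLIENT_VD = bytes(range(12))
SERVER_VD = bytes(range(12, 24))
```

The 24 bytes of verify_data end up inside 31 bytes of extensions block, and a ServerHello without the extension is rejected rather than treated as an initial handshake.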