Re: [TLS] Proposal for hybrid solution using most of the ideas
Stephen Farrell wrote:
>Nasko Oskov wrote:
>>> Which leaves us with S->C signaling. Here I'm not sure we have exhausted all options.
>>
>> Yes, we might be missing something else. The reason I picked the
>> Certificate message is that it is dynamic size by default, so we don't
>> have to alter existing data, just append.
>
>Sorry, I'm not clear on what's being proposed here. Is it:
>
>a) embed a new flag of some sort in a CA-issued X.509 cert
>b) add an additional server-generated self-signed cert containing
> a new flag of some sort
>c) something else?
Yes. The idea is to have a specially defined "empty" certificate that will
indicate to the client support for the new running hash computation.
>I think (a) would be a bad idea. Not sure about (b) either, but at least it
>wouldn't bring a whole new bunch of parties to the table (CA product
>vendors and service providers) when something quick is what's needed.
(a) and (b) will be too complex as changes and unnecessary complications.
Nasko
Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.
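As an added illustration (not code from the thread or from any TLS implementation), here is how a client could detect the proposed signal in a received Certificate message. It assumes the "empty" certificate is carried as a zero-length entry appended to certificate_list; the thread does not fix that encoding, so it is an assumption, and the sample DER blob is constructed.

```python
# Message layout follows RFC 5246: HandshakeType(1) | length(3) |
# certificate_list length(3) | repeated (cert length(3) | DER bytes).
HANDSHAKE_CERTIFICATE = 11


def _u24(b: bytes) -> int:
    """Decode a 3-byte big-endian length field."""
    return int.from_bytes(b, "big")


def parse_certificate_message(msg: bytes) -> list[bytes]:
    """Return the certificate entries (DER blobs, possibly zero-length).
    Length fields are cross-checked so a truncated or padded message is rejected."""
    if len(msg) < 7 or msg[0] != HANDSHAKE_CERTIFICATE:
        raise ValueError("not a Certificate handshake message")
    body_len = _u24(msg[1:4])
    if body_len != len(msg) - 4:
        raise ValueError("handshake length mismatch")
    list_len = _u24(msg[4:7])
    if list_len != body_len - 3:
        raise ValueError("certificate_list length mismatch")
    entries, pos, end = [], 7, 7 + list_len
    while pos < end:
        if pos + 3 > end:
            raise ValueError("truncated certificate entry length")
        n = _u24(msg[pos:pos + 3])
        pos += 3
        if pos + n > end:
            raise ValueError("truncated certificate entry")
        entries.append(msg[pos:pos + n])
        pos += n
    return entries


def signals_new_hash(msg: bytes) -> bool:
    """True if a real certificate is followed by the appended empty entry (assumed signal)."""
    entries = parse_certificate_message(msg)
    return len(entries) >= 2 and entries[-1] == b""


def build_certificate_message(certs: list[bytes], signal: bool) -> bytes:
    """Constructed helper: assemble a Certificate message, optionally appending the empty entry."""
    if signal:
        certs = certs + [b""]
    body = b"".join(len(c).to_bytes(3, "big") + c for c in certs)
    clist = len(body).to_bytes(3, "big") + body
    return bytes([HANDSHAKE_CERTIFICATE]) + len(clist).to_bytes(3, "big") + clist


# Constructed sample: a placeholder blob stands in for a real DER certificate.
FAKE_DER = b"\x30\x03\x02\x01\x01"
```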