Re: [TLS] Proposal for hybrid solution using most of the ideas

To: noskov at microsoft.com (Nasko Oskov)
Subject: Re: [TLS] Proposal for hybrid solution using most of the ideas
From: Martin Rex <mrex at sap.com>
Date: Fri, 20 Nov 2009 02:29:05 +0100 (MET)
Cc: tls at ietf.org
Delivered-to: tls at core3.amsl.com
In-reply-to: <B197003731D4874CA41DE7B446BBA3E829CD41C9 at TK5EX14MBXW653.wingroup.windeploy.ntdev.microsoft.com> from "Nasko Oskov" at Nov 20, 9 00:20:58 am
List-archive: <http://www.ietf.org/mail-archive/web/tls>
List-help: <mailto:tls-request@ietf.org?subject=help>
List-id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-post: <mailto:tls@ietf.org>
List-subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
List-unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
Reply-to: mrex at sap.com

Nasko Oskov wrote:
> 
> Yes. The idea is to have an specially defined "empty" certificate that will
> indicate to the client support for the new running hash computation.
> 
> >I think (a) would be a bad idea. Not sure about (b) either, but at least it
> >wouldn't bring a whole new bunch of parties to the table (CA product
> >vendors and service providers) when something quick is what's needed.
> 
> (a) and (b) will be too complex of changes and unnecessary complications.

Somehow it seems that the discussion are diverging more and more.

Personally, I'm OK with what TLS extension RI does at an abstract level.
I just don't like how it is added into the existing protocols because
of the interop issues of TLS extensions with existing usage scenarios.

I'm getting slightly beaten up for "modifying the handshake message
hash algorithm" because it is a change of the protocol and next
I getting slightly beaten up for conveying this protocol change
in through the ProtocolVersion server_version field.

You are now proposing to put something in a list of certificates
that is not a certificate, in a handshake message that is not
sent in some of the handshakes to modify the message hash computation.

Inserting the Finished messages as the first data before ClientHello
into the handshake message hash seems problematic,
because:

  -    it doesn't work for scenarios where the client wants to use
       renegotiation for client identity protection and sends the
       next ClientHello piggy-backed on the ClientFinished message
       of the initial handshake.

  -    it is much more difficult for vendors/suppliers to offer
       a backwards interop for renegotiation for whatever reason,

if the finished messages are inserted directly following the
ServerHello handshake messages, then these two problems don't exist.

I'm going back to work on my I-D now.

-Martin

Follow-Ups:
- Re: [TLS] Proposal for hybrid solution using most of the ideas
  - From: Nasko Oskov

References:
- Re: [TLS] Proposal for hybrid solution using most of the ideas
  - From: Nasko Oskov

Prev by Date: Re: [TLS] Proposal for hybrid solution using most of the ideas
Next by Date: [TLS] Protocol version bit to use, was Justification for "Ugly Dirty Hack"
Previous by thread: Re: [TLS] Proposal for hybrid solution using most of the ideas
Next by thread: Re: [TLS] Proposal for hybrid solution using most of the ideas
Index(es):
- Date
- Thread

Re: [TLS] Proposal for hybrid solution using most of the ideas

Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.