Re: [CHANNEL-BINDING] [TLS] [sasl] Updates to draft-altman-tls-channel-bindings, take two (PLEASE REVIEW)

Simon Josefsson <simon@josefsson.org> Tue, 23 March 2010 21:02 UTC

Return-Path: <simon@josefsson.org>
X-Original-To: channel-binding@core3.amsl.com
Delivered-To: channel-binding@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 62BFD3A6891; Tue, 23 Mar 2010 14:02:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.54
X-Spam-Level:
X-Spam-Status: No, score=-0.54 tagged_above=-999 required=5 tests=[AWL=0.929, BAYES_00=-2.599, DNS_FROM_OPENWHOIS=1.13]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5jeXe2nVVBHd; Tue, 23 Mar 2010 14:02:51 -0700 (PDT)
Received: from yxa-v.extundo.com (yxa-v.extundo.com [83.241.177.39]) by core3.amsl.com (Postfix) with ESMTP id 13BBF3A67F9; Tue, 23 Mar 2010 14:02:50 -0700 (PDT)
Received: from mocca (c80-216-24-99.bredband.comhem.se [80.216.24.99]) (authenticated bits=0) by yxa-v.extundo.com (8.14.3/8.14.3/Debian-5+lenny1) with ESMTP id o2NL36Vf028655 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES128-SHA bits=128 verify=NOT); Tue, 23 Mar 2010 22:03:08 +0100
From: Simon Josefsson <simon@josefsson.org>
To: Nicolas Williams <Nicolas.Williams@sun.com>
References: <20100317231522.GA18167@Sun.COM> <20100322232150.GB21244@Sun.COM> <20100323065301.GE21244@Sun.COM> <20100323190629.GR21244@Sun.COM> <4B17DE30119FF1429798D9F5D94BDE8C0EB563F1@TK5EX14MBXW603.wingroup.windeploy.ntdev.microsoft.com> <20100323195956.GY21244@Sun.COM> <4B17DE30119FF1429798D9F5D94BDE8C0EB5667A@TK5EX14MBXW603.wingroup.windeploy.ntdev.microsoft.com> <87r5napxjn.fsf@mocca.josefsson.org> <20100323205807.GD21244@Sun.COM>
OpenPGP: id=B565716F; url=http://josefsson.org/key.txt
X-Hashcash: 1:22:100323:nicolas.williams@sun.com::dIXqEiFfJvi2V4RP:0ziM
X-Hashcash: 1:22:100323:tls@ietf.org::ygNu1ISy1sqEV5QW:3clH
X-Hashcash: 1:22:100323:sasl@ietf.org::t+yT7a2aNuBxNU1y:C/b6
X-Hashcash: 1:22:100323:mark.novak@microsoft.com::SYpoDOxwD0FQI0xM:AxWo
X-Hashcash: 1:22:100323:larry.zhu@microsoft.com::egfHgf8o+T8Ya/DU:Bbyq
X-Hashcash: 1:22:100323:pasi.eronen@nokia.com::eG2nhrOQcqmLWGKV:tno0
X-Hashcash: 1:22:100323:channel-binding@ietf.org::p1g23/BhPyCyNhx9:0B6qs
Date: Tue, 23 Mar 2010 22:03:06 +0100
In-Reply-To: <20100323205807.GD21244@Sun.COM> (Nicolas Williams's message of "Tue, 23 Mar 2010 15:58:08 -0500")
Message-ID: <87hbo6px85.fsf@mocca.josefsson.org>
User-Agent: Gnus/5.110011 (No Gnus v0.11) Emacs/23.1 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Virus-Scanned: clamav-milter 0.95.3 at yxa-v
X-Virus-Status: Clean
Cc: Mark Novak <Mark.Novak@microsoft.com>, "channel-binding@ietf.org" <channel-binding@ietf.org>, Pasi Eronen <pasi.eronen@nokia.com>, Larry Zhu <larry.zhu@microsoft.com>, "sasl@ietf.org" <sasl@ietf.org>, "tls@ietf.org" <tls@ietf.org>
Subject: Re: [CHANNEL-BINDING] [TLS] [sasl] Updates to draft-altman-tls-channel-bindings, take two (PLEASE REVIEW)
X-BeenThere: channel-binding@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Discussion of channel binding IANA registry requests and specifications <channel-binding.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/channel-binding>, <mailto:channel-binding-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/channel-binding>
List-Post: <mailto:channel-binding@ietf.org>
List-Help: <mailto:channel-binding-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/channel-binding>, <mailto:channel-binding-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 23 Mar 2010 21:02:52 -0000

Nicolas Williams <Nicolas.Williams@sun.com> writes:

> On Tue, Mar 23, 2010 at 09:56:12PM +0100, Simon Josefsson wrote:
>> I recall that both OpenSSL and NSS drive TLS renegotiation internally
>> (i.e., TLS apps are not required to do the handshake).  For GnuTLS, it
>> is the apps that drives TLS renegotiation.  Can someone confirm/deny my
>> recollection?  As far as I recall, the reason the TLS renegotiation
>> issue was problematic for OpenSSL/NSS (and not for GnuTLS) was that the
>> former libraries drives renegotiation internally in the library.
>
> But what is the trigger?  Key aging?

A renegotiation request from the peer, as I understood it.

/Simon