Re: [CHANNEL-BINDING] [TLS] [sasl] Updates to draft-altman-tls-channel-bindings, take two (PLEASE REVIEW)
Nicolas Williams <Nicolas.Williams@sun.com> Tue, 23 March 2010 20:01 UTC
Return-Path: <Nicolas.Williams@sun.com>
X-Original-To: channel-binding@core3.amsl.com
Delivered-To: channel-binding@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 5DEAF3A688F; Tue, 23 Mar 2010 13:01:46 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.175
X-Spam-Level:
X-Spam-Status: No, score=-3.175 tagged_above=-999 required=5 tests=[AWL=0.804, BAYES_05=-1.11, DNS_FROM_OPENWHOIS=1.13, RCVD_IN_DNSWL_MED=-4, UNPARSEABLE_RELAY=0.001]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id EzK93HL3ZQej; Tue, 23 Mar 2010 13:01:45 -0700 (PDT)
Received: from rcsinet11.oracle.com (rcsinet11.oracle.com [148.87.113.123]) by core3.amsl.com (Postfix) with ESMTP id 5AD2D3A659A; Tue, 23 Mar 2010 13:01:39 -0700 (PDT)
Received: from rcsinet13.oracle.com (rcsinet13.oracle.com [148.87.113.125]) by rcsinet11.oracle.com (Switch-3.4.2/Switch-3.4.2) with ESMTP id o2NK1ppX011433 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Tue, 23 Mar 2010 20:01:57 GMT
Received: from acsmt353.oracle.com (acsmt353.oracle.com [141.146.40.153]) by rcsinet13.oracle.com (Switch-3.4.2/Switch-3.4.1) with ESMTP id o2NF0YTk011274; Tue, 23 Mar 2010 20:01:50 GMT
Received: from abhmt013.oracle.com by acsmt355.oracle.com with ESMTP id 104646151269374401; Tue, 23 Mar 2010 13:00:01 -0700
Received: from Sun.COM (/129.153.128.104) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Tue, 23 Mar 2010 13:00:00 -0700
Date: Tue, 23 Mar 2010 14:59:56 -0500
From: Nicolas Williams <Nicolas.Williams@sun.com>
To: Larry Zhu <larry.zhu@microsoft.com>
Message-ID: <20100323195956.GY21244@Sun.COM>
References: <20100317231522.GA18167@Sun.COM> <20100322232150.GB21244@Sun.COM> <20100323065301.GE21244@Sun.COM> <20100323190629.GR21244@Sun.COM> <4B17DE30119FF1429798D9F5D94BDE8C0EB563F1@TK5EX14MBXW603.wingroup.windeploy.ntdev.microsoft.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <4B17DE30119FF1429798D9F5D94BDE8C0EB563F1@TK5EX14MBXW603.wingroup.windeploy.ntdev.microsoft.com>
User-Agent: Mutt/1.5.20 (2010-03-02)
X-Source-IP: acsmt353.oracle.com [141.146.40.153]
X-Auth-Type: Internal IP
X-CT-RefId: str=0001.0A090208.4BA91E2F.0117,ss=1,fgs=0
Cc: Mark Novak <Mark.Novak@microsoft.com>, "channel-binding@ietf.org" <channel-binding@ietf.org>, Pasi Eronen <pasi.eronen@nokia.com>, "tls@ietf.org" <tls@ietf.org>, "sasl@ietf.org" <sasl@ietf.org>
Subject: Re: [CHANNEL-BINDING] [TLS] [sasl] Updates to draft-altman-tls-channel-bindings, take two (PLEASE REVIEW)
X-BeenThere: channel-binding@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Discussion of channel binding IANA registry requests and specifications <channel-binding.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/channel-binding>, <mailto:channel-binding-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/channel-binding>
List-Post: <mailto:channel-binding@ietf.org>
List-Help: <mailto:channel-binding-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/channel-binding>, <mailto:channel-binding-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 23 Mar 2010 20:01:46 -0000
On Tue, Mar 23, 2010 at 07:56:19PM +0000, Larry Zhu wrote: > > It occurs to me that it must be very unlikely that any apps using the > > MSFT variant of tls-unique are doing authentication after TLS > > re-negotiation. > > Should we instead say that the receiver/verifier of the tls-unique > binding is encouraged to remember the previous finished structure > before re-negotiation. If the synchronization is more than 2 finished > messages apart, the auth request is expected to fail. What's the motivation? Is it really that hard to keep the initial CB around? It is tiny... > This way we have a solution when the actual need arises, without > complicating either the interface or the protocol. Hopefully the > burden to implementation is minimal as well. Is that reasonable? Ah, I think I understand. In your API it's the application's burden to remember the CB from the initial handshake. But even so, that does not seem like such a tough burden. Your proposal is more reasonable than the earlier one for the simple reason that we'll never see three handshakes prior to authentication, and accepting the possibility of spurious authentication failures in such cases, if they happened, would be OK with me. Nico --
- [CHANNEL-BINDING] Updates to draft-altman-tls-cha… Nicolas Williams
- Re: [CHANNEL-BINDING] [sasl] Updates to draft-alt… Pasi.Eronen
- Re: [CHANNEL-BINDING] [sasl] Updates to draft-alt… Dave Cridland
- Re: [CHANNEL-BINDING] [sasl] Updates to draft-alt… Simon Josefsson
- Re: [CHANNEL-BINDING] [sasl] Updates to draft-alt… Nicolas Williams
- Re: [CHANNEL-BINDING] [sasl] Updates to draft-alt… Larry Zhu
- Re: [CHANNEL-BINDING] [sasl] Updates to draft-alt… Nicolas Williams
- Re: [CHANNEL-BINDING] [sasl] Updates to draft-alt… Alexey Melnikov
- Re: [CHANNEL-BINDING] [sasl] Updates to draft-alt… Nicolas Williams
- Re: [CHANNEL-BINDING] [sasl] Updates to draft-alt… Alexey Melnikov
- Re: [CHANNEL-BINDING] [sasl] Updates to draft-alt… Nicolas Williams
- Re: [CHANNEL-BINDING] [sasl] Updates to draft-alt… Simon Josefsson
- Re: [CHANNEL-BINDING] Updates to draft-altman-tls… Simon Josefsson
- Re: [CHANNEL-BINDING] Updates to draft-altman-tls… Nicolas Williams
- Re: [CHANNEL-BINDING] [TLS] Updates to Martin Rex
- [CHANNEL-BINDING] Updates to draft-altman-tls-cha… Nicolas Williams
- Re: [CHANNEL-BINDING] Updates to draft-altman-tls… Alexey Melnikov
- Re: [CHANNEL-BINDING] [sasl] Updates to draft-alt… Nicolas Williams
- Re: [CHANNEL-BINDING] [sasl] Updates to draft-alt… Nicolas Williams
- Re: [CHANNEL-BINDING] [TLS] [sasl] Updates to dra… Larry Zhu
- Re: [CHANNEL-BINDING] [TLS] [sasl] Updates to dra… Nicolas Williams
- Re: [CHANNEL-BINDING] [TLS] [sasl] Updates to dra… Nicolas Williams
- Re: [CHANNEL-BINDING] [TLS] [sasl] Updates to dra… Larry Zhu
- Re: [CHANNEL-BINDING] [TLS] [sasl] Updates to dra… Simon Josefsson
- Re: [CHANNEL-BINDING] [TLS] [sasl] Updates to dra… Nicolas Williams
- Re: [CHANNEL-BINDING] [TLS] [sasl] Updates to dra… Nicolas Williams
- Re: [CHANNEL-BINDING] [TLS] [sasl] Updates to dra… Simon Josefsson
- Re: [CHANNEL-BINDING] [TLS] [sasl] Updates to dra… Larry Zhu
- Re: [CHANNEL-BINDING] [TLS] [sasl] Updates to dra… Nicolas Williams
- Re: [CHANNEL-BINDING] [TLS] [sasl] Updates to Martin Rex
- Re: [CHANNEL-BINDING] [TLS] [sasl] Updates to Simon Josefsson
- Re: [CHANNEL-BINDING] [sasl] Updates to draft-alt… Nicolas Williams
- Re: [CHANNEL-BINDING] [TLS] [sasl] Updates to Martin Rex
- Re: [CHANNEL-BINDING] [TLS] [sasl] Updates to Larry Zhu
- [CHANNEL-BINDING] Avoiding CB sync problem via se… Nicolas Williams
- Re: [CHANNEL-BINDING] [sasl] Updates to draft-alt… Eliot Lear
- Re: [CHANNEL-BINDING] [sasl] Updates to draft-alt… Nicolas Williams
- Re: [CHANNEL-BINDING] [sasl] Updates to draft-alt… Sean Turner