IETF Logo Mail Archive

Re: [TLS] simplistic renego protection

<Pasi.Eronen@nokia.com> Mon, 23 November 2009 11:19 UTC

Return-Path: <Pasi.Eronen@nokia.com>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 9E9733A6A3E for <tls@core3.amsl.com>; Mon, 23 Nov 2009 03:19:26 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.477
X-Spam-Level:
X-Spam-Status: No, score=-6.477 tagged_above=-999 required=5 tests=[AWL=0.122, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id oxfG1ar6EtYA for <tls@core3.amsl.com>; Mon, 23 Nov 2009 03:19:25 -0800 (PST)
Received: from mgw-mx03.nokia.com (smtp.nokia.com [192.100.122.230]) by core3.amsl.com (Postfix) with ESMTP id 72CAC3A6838 for <tls@ietf.org>; Mon, 23 Nov 2009 03:19:25 -0800 (PST)
Received: from esebh106.NOE.Nokia.com (esebh106.ntc.nokia.com [172.21.138.213]) by mgw-mx03.nokia.com (Switch-3.3.3/Switch-3.3.3) with ESMTP id nANBJ2cZ014730; Mon, 23 Nov 2009 13:19:18 +0200
Received: from vaebh102.NOE.Nokia.com ([10.160.244.23]) by esebh106.NOE.Nokia.com with Microsoft SMTPSVC(6.0.3790.3959); Mon, 23 Nov 2009 13:19:10 +0200
Received: from smtp.mgd.nokia.com ([65.54.30.7]) by vaebh102.NOE.Nokia.com over TLS secured channel with Microsoft SMTPSVC(6.0.3790.3959); Mon, 23 Nov 2009 13:19:05 +0200
Received: from NOK-EUMSG-01.mgdnok.nokia.com ([65.54.30.106]) by nok-am1mhub-03.mgdnok.nokia.com ([65.54.30.7]) with mapi; Mon, 23 Nov 2009 12:19:05 +0100
From: Pasi.Eronen@nokia.com
To: mrex@sap.com
Date: Mon, 23 Nov 2009 12:19:03 +0100
Thread-Topic: [TLS] simplistic renego protection
Thread-Index: Acpofjm6I/gVbPolRaWeyeE33uAXNADsGLfA
Message-ID: <808FD6E27AD4884E94820BC333B2DB774F310BB2AB@NOK-EUMSG-01.mgdnok.nokia.com>
References: <4B0421D0.50509@pobox.com> from "Michael D'Errico" at Nov 18, 9 08:33:20 am <200911181837.nAIIbXJu009133@fs4113.wdf.sap.corp>
In-Reply-To: <200911181837.nAIIbXJu009133@fs4113.wdf.sap.corp>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginalArrivalTime: 23 Nov 2009 11:19:05.0501 (UTC) FILETIME=[C487CCD0:01CA6C2E]
X-Nokia-AV: Clean
Cc: tls@ietf.org
Subject: Re: [TLS] simplistic renego protection
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 23 Nov 2009 11:19:27 -0000

Martin Rex wrote:

> Does anyone remeber that the TLS WG gave the advice to people asking
> for identity protection to perform an initial client-anonymous TLS
> handshake directly followed by a renegotiation with client-cert
> authentication?
> 
> (a related discussion what about gss-api authentication
>  around 20-dec-2006, Subject: [TLS] Comments on TLS identity
> protection)

Yes... and as Eric noted, as long as the 2nd handshake "directly
follows" (=no application data is exchanged using the first session),
this seems to be secure already....

Best regards,
Pasi
(not wearing any hats)

v2.23.0 | Report a Bug | By Email