Re: [TLS] comment on draft-kinnear-tls-client-net-address
Hubert Kario <hkario@redhat.com> Wed, 27 March 2019 14:07 UTC
Return-Path: <hkario@redhat.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4775912000F for <tls@ietfa.amsl.com>; Wed, 27 Mar 2019 07:07:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.901
X-Spam-Level:
X-Spam-Status: No, score=-6.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id sgu-HT1V_EXX for <tls@ietfa.amsl.com>; Wed, 27 Mar 2019 07:07:49 -0700 (PDT)
Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8B1F0120004 for <tls@ietf.org>; Wed, 27 Mar 2019 07:07:49 -0700 (PDT)
Received: from smtp.corp.redhat.com (int-mx02.intmail.prod.int.phx2.redhat.com [10.5.11.12]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id 2A6417D7BB; Wed, 27 Mar 2019 14:07:49 +0000 (UTC)
Received: from pintsize.usersys.redhat.com (ovpn-200-35.brq.redhat.com [10.40.200.35]) by smtp.corp.redhat.com (Postfix) with ESMTP id 6CB1E60F9B; Wed, 27 Mar 2019 14:07:48 +0000 (UTC)
From: Hubert Kario <hkario@redhat.com>
To: Martin Thomson <mt@lowentropy.net>
Cc: tls@ietf.org
Date: Wed, 27 Mar 2019 15:07:47 +0100
Message-ID: <2011554.398gSTFCmX@pintsize.usersys.redhat.com>
In-Reply-To: <22d6eb96-4cff-4d0c-a6ee-630db2478383@www.fastmail.com>
References: <1635428.JdYyXqVr20@pintsize.usersys.redhat.com> <1926037.HuMTMFzkit@pintsize.usersys.redhat.com> <22d6eb96-4cff-4d0c-a6ee-630db2478383@www.fastmail.com>
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="nextPart1634516.kQBhW8Pbnf"; micalg="pgp-sha512"; protocol="application/pgp-signature"
X-Scanned-By: MIMEDefang 2.79 on 10.5.11.12
X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.27]); Wed, 27 Mar 2019 14:07:49 +0000 (UTC)
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/-8B_YglPUeo5Qjyc8hDjZUTWsVk>
Subject: Re: [TLS] comment on draft-kinnear-tls-client-net-address
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 27 Mar 2019 14:07:55 -0000
On Wednesday, 27 March 2019 14:51:43 CET Martin Thomson wrote:
> On Tue, Mar 26, 2019, at 14:30, Hubert Kario wrote:
> > On Tuesday, 26 March 2019 09:07:51 CET Martin Thomson wrote:
> > > We don't trust that the key share or certificate is good either, but
> > > once we have a Finished message, that is retroactively authenticated
> > > and can be used. We rely on this property for a bunch of things.
> >
> > yes, but those things are part of the protocol, not destined for
> > application (or even if they are, they are actionable only after the
> > handshake finished)
> Yep, but that's something that QUIC relies on already. As does ALPN. And
> it is likely that there are other things that I can't think of in my
> current frazzled state.
how is ALPN similar?
a). the information gained by processing the handshake only up to
EncryptedExtensions with ALPN is "what protocol server is willing to use"
b). that information is useful _only_ for establishing future _TLS_
connections and guides what happens _after_ the handshake is finished
OTOH, the information gained from client-net-address is useful outside the TLS
scope
--
Regards,
Hubert Kario
Senior Quality Engineer, QE BaseOS Security team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 115, 612 00 Brno, Czech Republic
- [TLS] comment on draft-kinnear-tls-client-net-add… Hubert Kario
- Re: [TLS] comment on draft-kinnear-tls-client-net… David Schinazi
- Re: [TLS] comment on draft-kinnear-tls-client-net… Hubert Kario
- Re: [TLS] comment on draft-kinnear-tls-client-net… David Schinazi
- Re: [TLS] comment on draft-kinnear-tls-client-net… Hubert Kario
- Re: [TLS] comment on draft-kinnear-tls-client-net… Martin Thomson
- Re: [TLS] comment on draft-kinnear-tls-client-net… Hubert Kario
- Re: [TLS] comment on draft-kinnear-tls-client-net… Martin Thomson
- Re: [TLS] comment on draft-kinnear-tls-client-net… Hubert Kario