RE: [TLS] Comments on TLS identity protection
<Pasi.Eronen@nokia.com> Wed, 20 December 2006 14:32 UTC
badra wrote:
> Pasi.Eronen@nokia.com wrote:
> > If the extra computations occur only in very rare situations,
> > it's perfectly reasonable not to care about it
>
> I disagree. Anybody can connect to your server at any time and
> doing uncompleted double handshake. It is not a rare situation.

Do you have any data to back that claim? The fact that anybody
can connect at any time does not automatically imply that lots
of people are connecting all the time! (And in particular, lots
of people without client certificates connecting all the time to
servers that always require client authentication, and without
malicious intent to DoS the server.)

> > (at least sufficiently to spend the $$$ for designing,
> > implementing, testing, deploying, etc. a new mechanism).
>
> How much :). The proposed changes are minimal.

To get widespread deployment, several TLS implementations would
have to be updated, e.g. Microsoft Schannel, OpenSSL, Mozilla NSS,
JSSE, GnuTLS, etc. Getting any change, no matter how "minimal",
to them is not easy.

> > I think deployment-wise, double handshake has the advantage
> > that it's already specified and implemented.
>
> Any link to test the implementation, please?

Pick your favorite TLS implementation! There are at least a couple
of dozen of them (though probably not all of them support
renegotiation). Some of my favourites (which seem to support
renegotiation) are http://www.openssl.org/ and
http://www.gnutls.org/ -- but no doubt there are other ones
that are equally good.

Best regards,
Pasi