Re: [TLS] HTTP, Certificates, and TLS

Ilari Liusvaara <> Thu, 21 July 2016 18:00 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 2B64C12D768 for <>; Thu, 21 Jul 2016 11:00:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -3.187
X-Spam-Status: No, score=-3.187 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RP_MATCHES_RCVD=-1.287] autolearn=ham autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id TAu-7nlyqvEk for <>; Thu, 21 Jul 2016 11:00:03 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTP id 6FE3E12D0B5 for <>; Thu, 21 Jul 2016 11:00:03 -0700 (PDT)
Received: from localhost (localhost []) by (Postfix) with ESMTP id 14F7284BE; Thu, 21 Jul 2016 21:00:02 +0300 (EEST)
X-Virus-Scanned: Debian amavisd-new at
Received: from ([IPv6:::ffff:]) by localhost ( [::ffff:]) (amavisd-new, port 10024) with ESMTP id CqZgM4mIAvIa; Thu, 21 Jul 2016 21:00:01 +0300 (EEST)
Received: from LK-Perkele-V2 ( []) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPSA id 484DF2315; Thu, 21 Jul 2016 21:00:01 +0300 (EEST)
Date: Thu, 21 Jul 2016 20:59:56 +0300
From: Ilari Liusvaara <>
To: Martin Rex <>
Message-ID: <>
References: <> <>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
In-Reply-To: <>
User-Agent: Mutt/1.6.0 (2016-04-01)
Archived-At: <>
Cc: Mike Bishop <>, "" <>
Subject: Re: [TLS] HTTP, Certificates, and TLS
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 21 Jul 2016 18:00:06 -0000

On Thu, Jul 21, 2016 at 07:08:04PM +0200, Martin Rex wrote:
> Martin Thomson wrote:
> > On 21 July 2016 at 18:41, Martin Rex <> wrote:
> >>    A server that implements this extension MUST NOT accept the request
> >>    to resume the session if the server_name extension contains a
> >>    different name.  Instead, it proceeds with a full handshake to
> >>    establish a new session.
> > 
> > If that's the only barrier to doing this, I'd be surprised.  The
> > prospect of having to overcome this is not at all daunting.
> No, that is only the tip of an iceberg, and you're going Titanic here.
> Really, this is about TLS session cache management (which is something
> very close to TLS) vs. Endpoint identification, i.e. interpreting
> end-entity certificates -- which is something that is explicitly
> outside of the scope of TLS (e.g. rfc2818 and rfc6125).
> Could you please describe the approach to session cache management that
> you're conceiving here? 

Well, I guess it would be reasonable to remember the server identites
on client side, but clear client identities on server side.

Especially the client identies are highly important: If the server
thinks any identity is valid that client thinks is invalid, that will
lead to attacks.

> In the original TLS architecture (up to TLSv1.2)
> TLS sessions are read-only after creation, and identities (certificates)
> are locked down.  Forgetting to cryptographically bind the communication
> identities into the session properties allowed the triple-handshake-attack.

No, THS was caused by failing to bind the exchange keys (I consider the
abstract of EMS RFC to be quite misleading).

> If you want to change any session properties (including certificates),
> you MUST perform a new full handshake, which creates a new session with
> new properties and a new session ID / session cache entry.

And thanks to all sorts of crypto restrictions, exchange keys have
nothing to do with certificates of any kind (all modes where they
have anything to do are banned), and that the exchange keys are properly

> Session resumption (and session resumption proposal) should operate
> based on requested properties (is there an existing session with the
> requested properties?) and this is conceptually independent from the
> app-level endpoint identification (such as rfc2818/rfc6125).
> The wording in rfc6066 is not optimal.  It should have better said:
> whenever a full handshake would result in selection of a different
> server certificate, then the server MUST perform a full handshake,
> in order to produce predictable/deterministic behaviour that is
> not side-effected by session cache management / session cache lifetime
> effects.  The principle of least surprise.

Within context of HTTP, the server authentication is about what
authorities the server is allowed to assert. And in responses, the
server always needs to pick the authority it asserts.

As long as one takes care that no authorities get lost, or that lost
authorities can be recovered if needed (and authroized), then the
behaviour will remain deterministic (modulo possibly few extra RTTs
to recover the lost authroties).

Now, client authentication is entierely different beast. The client
won't inherently assert its authority in HTTP, so the server view
of client authority damn better be subset of what client intended,
or you WILL get privilege escalation attacks.

>From that it follows that the client needs per-request control of
authorities it holds (if to assert them or to disclaim them).