[TLS] Application state binding with TLS session state
Chris Newman <Chris.Newman@Sun.COM> Thu, 06 September 2007 19:47 UTC
Date: Thu, 06 Sep 2007 12:48:09 -0700
From: Chris Newman <Chris.Newman@Sun.COM>
To: tls@ietf.org
Message-id: <46531FFA79FDBFFC04403B38@[10.0.1.3]>
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.lists.ietf.org>
During IESG review of draft-salowey-tls-rfc4507bis, I raised this issue:

---
If an application performs user-level authentication subsequent to initiation of the TLS tunnel (e.g. via GSSAPI or SASL), it would be possible for the application to trigger a TLS-level renegotiation that includes a NewSessionTicket embedding information about the app-level authentication. Alternatively, the application could have a mechanism to bind the user-level authentication to a given session ticket (although this would involve server state). Then on re-connection, the application could use app-level mechanisms to automatically resume the user session (e.g. IMAP PREAUTH or SASL EXTERNAL).

It's not clear to me if this is a good/bad idea, what the security risks would be, or if TLS stacks should be advised to include APIs to facilitate such use of the mechanism. This document is silent on such interaction with applications.

Were this a first version, I'd ask for this issue to be considered and addressed if there was consensus. But I don't want to delay an obvious bugfix to an already published RFC.
---

We felt this issue would require significant WG discussion to address and it was more important to get the 4507 bugfix out promptly. However, I do want the working group to consider this and decide what to do about it. As there's a general issue of binding application state to a TLS session, some text in the TLS 1.2 specification addressing this might be appropriate.

What do others think about this topic?

- Chris
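As an added illustration, not part of Chris's message or of draft-salowey-tls-rfc4507bis: the first option above (the application triggers renegotiation so that the NewSessionTicket carries the app-level identity) modeled in Python, together with the checks the server has to pass before it may greet a resuming client with IMAP PREAUTH. The ticket keeps the RFC 4507 layout (key_name, iv, encrypted state, MAC; the state holds version, cipher suite, compression, master secret, client identity, timestamp and an opaque extensions field) and the IMAP user rides in that extensions field. Everything named here is an assumption made for the example: the TicketServer class, the imap-user: tag, the HMAC-SHA256 keystream standing in for the AES-CBC the RFC recommends, and the constructed keys and timestamps.

```python
import hashlib
import hmac
import os
import struct
from typing import Optional, Tuple

# RFC 4507 ticket layout: key_name || iv || encrypted_state || mac
KEY_NAME_LEN = 16
IV_LEN = 16
MAC_LEN = 32
APP_PREFIX = b"imap-user:"   # constructed tag for the app identity inside 'extensions'


def _keystream_xor(key: bytes, iv: bytes, data: bytes) -> bytes:
    """Stand-in cipher: XOR with an HMAC-SHA256(key, iv || counter) keystream.
    RFC 4507 recommends AES-CBC; this keeps the example stdlib-only (assumption)."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hmac.new(key, iv + struct.pack(">I", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def _pack(field: bytes) -> bytes:
    """opaque field<0..2^16-1>: 16-bit length prefix, as in the TLS presentation language."""
    return struct.pack(">H", len(field)) + field


def _unpack(buf: bytes, pos: int) -> Tuple[bytes, int]:
    (n,) = struct.unpack_from(">H", buf, pos)
    pos += 2
    if pos + n > len(buf):
        raise struct.error("truncated field")
    return buf[pos:pos + n], pos + n


class TicketServer:
    """Server side of session tickets. Issued tickets carry the TLS state plus, when
    the application authenticated the user on this connection, the app-level identity."""

    def __init__(self, key_name: bytes, enc_key: bytes, mac_key: bytes, lifetime_s: int = 3600):
        if len(key_name) != KEY_NAME_LEN:
            raise ValueError("key_name must be 16 bytes")
        self.key_name, self.enc_key, self.mac_key = key_name, enc_key, mac_key
        self.lifetime_s = lifetime_s

    def issue(self, master_secret: bytes, client_identity: bytes,
              app_user: Optional[str], now: int) -> bytes:
        """NewSessionTicket payload. app_user is set only after SASL/GSSAPI auth
        finished; the app would trigger renegotiation to get this ticket issued."""
        ext = b"" if app_user is None else APP_PREFIX + app_user.encode()
        state = (struct.pack(">HHB", 0x0302, 0x002F, 0)   # TLS 1.1, RSA_WITH_AES_128_CBC_SHA, null
                 + _pack(master_secret) + _pack(client_identity)
                 + struct.pack(">I", now) + _pack(ext))
        iv = os.urandom(IV_LEN)
        body = self.key_name + iv + _keystream_xor(self.enc_key, iv, state)
        return body + hmac.new(self.mac_key, body, hashlib.sha256).digest()

    def resume(self, ticket: bytes, now: int) -> Optional[Tuple[bytes, Optional[str]]]:
        """(master_secret, app_user) if the ticket is genuine and unexpired, else None,
        in which case the server falls back to a full handshake and no PREAUTH."""
        if len(ticket) < KEY_NAME_LEN + IV_LEN + MAC_LEN:
            return None
        body, mac = ticket[:-MAC_LEN], ticket[-MAC_LEN:]
        if body[:KEY_NAME_LEN] != self.key_name:
            return None                                     # unknown or rotated key
        if not hmac.compare_digest(mac, hmac.new(self.mac_key, body, hashlib.sha256).digest()):
            return None                                     # verify MAC before decrypting
        iv = body[KEY_NAME_LEN:KEY_NAME_LEN + IV_LEN]
        state = _keystream_xor(self.enc_key, iv, body[KEY_NAME_LEN + IV_LEN:])
        try:
            master_secret, pos = _unpack(state, 5)          # skip version/suite/compression
            _client_identity, pos = _unpack(state, pos)
            (issued,) = struct.unpack_from(">I", state, pos)
            ext, _ = _unpack(state, pos + 4)
        except struct.error:
            return None
        if not issued <= now < issued + self.lifetime_s:
            return None                                     # server-enforced lifetime
        app_user = ext[len(APP_PREFIX):].decode() if ext.startswith(APP_PREFIX) else None
        return master_secret, app_user


def imap_greeting(server: TicketServer, ticket: Optional[bytes], now: int) -> str:
    """Greeting after the handshake: PREAUTH only when a genuine resumed ticket
    names the user, otherwise the client must LOGIN/AUTHENTICATE as usual."""
    state = server.resume(ticket, now) if ticket is not None else None
    if state is not None and state[1] is not None:
        return "* PREAUTH %s session resumed from TLS ticket" % state[1]
    return "* OK IMAP4rev1 server ready"


if __name__ == "__main__":
    srv = TicketServer(b"ticketkey-2007-1", os.urandom(32), os.urandom(32))
    t0 = 1189108089                                  # constructed issue time
    ticket = srv.issue(os.urandom(48), b"", "chris", t0)
    print(imap_greeting(srv, ticket, t0 + 60))       # PREAUTH
    forged = ticket[:-1] + bytes([ticket[-1] ^ 1])   # flipped MAC byte
    print(imap_greeting(srv, forged, t0 + 60))       # OK: full handshake, must auth
    print(imap_greeting(srv, ticket, t0 + 7200))     # OK: ticket expired
```

Three outcomes fall out of the check order (key_name, MAC, decrypt and parse, lifetime): a genuine ticket inside its lifetime yields PREAUTH; a ticket whose MAC fails or whose key_name is unknown never reaches the parser and the server does a full handshake followed by a normal LOGIN/AUTHENTICATE; an expired ticket does the same. Within the lifetime, possession of a genuine ticket is the only application credential the resuming client presents, so the server-enforced lifetime and the handling of the ticket keys carry the whole weight of that PREAUTH.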