Re: [TLS] Please discuss: draft-housley-evidence-extns-00<
<home_pw@msn.com> Thu, 11 January 2007 00:52 UTC
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1H4oBB-0007h3-JP; Wed, 10 Jan 2007 19:52:29 -0500
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1H4oBA-0007gy-7g for tls@ietf.org; Wed, 10 Jan 2007 19:52:28 -0500
Received: from bay0-omc3-s24.bay0.hotmail.com ([65.54.246.224]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1H4oB8-0006iE-J1 for tls@ietf.org; Wed, 10 Jan 2007 19:52:28 -0500
Received: from hotmail.com ([65.55.131.21]) by bay0-omc3-s24.bay0.hotmail.com with Microsoft SMTPSVC(6.0.3790.2668); Wed, 10 Jan 2007 16:52:26 -0800
Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC; Wed, 10 Jan 2007 16:52:25 -0800
Message-ID: <BAY126-DAV11C0BC4C2FFDCB20141E0792B10@phx.gbl>
Received: from 70.142.20.165 by BAY126-DAV11.phx.gbl with DAV; Thu, 11 Jan 2007 00:52:24 +0000
X-Originating-IP: [70.142.20.165]
X-Originating-Email: [home_pw@msn.com]
X-Sender: home_pw@msn.com
From: home_pw@msn.com
To: "Kemp, David P." <DPKemp@missi.ncsc.mil>, tls@ietf.org
Subject: Re: [TLS] Please discuss: draft-housley-evidence-extns-00<
Date: Wed, 10 Jan 2007 16:52:24 -0800
MIME-Version: 1.0
Content-Type: text/plain; format="flowed"; charset="iso-8859-1"; reply-type="response"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Windows Live Mail desktop 8.0.1223
X-MimeOLE: Produced By Microsoft MimeOLE V8.0.1223
X-OriginalArrivalTime: 11 Jan 2007 00:52:25.0807 (UTC) FILETIME=[C2DD8DF0:01C7351A]
X-Spam-Score: 0.2 (/)
X-Scan-Signature: b5d20af10c334b36874c0264b10f59f1
Cc:
X-BeenThere: tls@lists.ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.lists.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@lists.ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/tls>
List-Post: <mailto:tls@lists.ietf.org>
List-Help: <mailto:tls-request@lists.ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@lists.ietf.org?subject=subscribe>
Errors-To: tls-bounces@lists.ietf.org
> The purpose of the proposal is to explore options to > allow certificate-enabled clients to provide broadcast > (1-to-many) persistent authentication without having to > install SOA (WS-*) or other signing-capable plugins on > the client. It may or may not be architecturally a better > choice to do signing through Web Services vs. TLS. But > while you're crying crocodile tears over TLS's > "reputation" should it ever gain the ability to do > digital signatures, save a few for Vista and digital IDs. > > Consumer-to-provider authentication (as opposed to > consumer-to-provider's-TLS-accelerator) is needed, > has both benefits and the abuse potential you are > worried about, and is happening regardless of whether > TLS is extended. This is a fascinating interpretation of the purpose of the work item. So, lets explore it. I had personally NOT got ANY of this from the doc/author-disclosures , so far. Right now, it reads as "enforce subpoena on evidence retention". And it says, block connections, if you (once authenticated) are not clearly authorized and conforming to a mutually agreed data retention policy. But let assume its an "exploration"; i.e. it targets an experimental standard status. That I SUPPORT. Why ever would one not? Its for certificate-enabled clients. Well this only includes about >50% of the wifi(*) bindings made in the last 5 years of explosive wifi adoption by consumers...using EAP-TLS/TTLS to generate Russ Housley's TKIP keying material, for RC4 packet encryption of [TLS/TCP] fragments, by a nic/vlan (counter mode with nonce, and CBC-mode mac/mic/moc/muc). Given AEAP is entering TLS1.2, we can see connectionless TLS coming down the pipe (pun), where after 2**64 bytes, the plaintext of the fragment is finally released, post mac verification. That I support. Make the TCB's secured data store rather large, of course, if you are supporting 1000 connections! (1000* 2**64) Said "exploration" is about investigating (I) broadcast, and (II) persistent authentication. Lets take each, one at a time. Broadcast (1:n): ok I didn't get anything from the text that followed, except that its semantics will be ~equivalent to WS-Security. I didn't see any furtherance of the broadcast notion (which is an interesting term, to me). Presumably, given TLS1.2 will accept non-X.509 certs (e.g. SAML2/WS-Fed assertions), TLS Evidence will be an alternative to SAML/WS-Fed . It will keep the control in the network (where, arguably, it belongs). At the same time, if we look at the connectionless TLS fragment that comes with AEAP, perhaps we do have broadcast keying, in the final/connection KDFs? Persistence: Are you claiming this to intend to be an "https-connection-related stickiness mechanism"?I did NOT get this from ANY reading todate. But, its interesting (being clearly about "security engineering", at least). This would be in scope. They could have said that MORE OBVIOUSLY though! Why do I have to work so hard? I'm an awful writer, but these guys are Grade A students! That spec was beautifully written, apart from gross lack of context. Consumer-provider: I'll assume here you are making an allusion to the writer-to-reader concept from the DoD/NSA email world (which started out as something simple: the user agent software needs proof of user (I.e. human) presence, before rendering the de-ciphered confidential blob in the clear on a trusted display). I assume, we are attempting to now take that notion and evolve it...to a connection/session (versus an connectionless email). I'm interested. (I tried years ago, but could not convince you!! to even start thinking that we might go there...) (*) I had one of the earliest UFO-shaped Apple access points, that dialed out on a 33k modem upon 802.11 binding. I went out and got my own NIC, as I was one of the "wrong class" of participant to get one to play with, at an IETF) I could never figure its key management scheme was, so never turned it on! Apparently, I was one of a million grandpas, in this; we all just gave up. _______________________________________________ TLS mailing list TLS@lists.ietf.org https://www1.ietf.org/mailman/listinfo/tls
- Re: [TLS] Please discuss: draft-housley-evidence-… home_pw
- RE: [TLS] Please discuss: draft-housley-evidence-… Mark Brown
- Re: [TLS] Please discuss: draft-housley-evidence-… Martin Rex
- Re: [TLS] Please discuss: draft-housley-evidence-… home_pw
- RE: [TLS] Please discuss: draft-housley-evidence-… Kemp, David P.
- RE: [TLS] Please discuss: draft-housley-evidence-… Mark Brown
- Re: [TLS] Please discuss: draft-housley-evidence-… Martin Rex
- RE: [TLS] Please discuss: draft-housley-evidence-… Stefan Santesson
- Re: [TLS] Please discuss: draft-housley-evidence-… home_pw
- Re: [TLS] Please discuss: draft-housley-evidence-… Martin Rex
- Re: [TLS] Please discuss: draft-housley-evidence-… home_pw
- Re: [TLS] Please discuss: draft-housley-evidence-… Martin Rex
- RE: [TLS] Please discuss: draft-housley-evidence-… Kemp, David P.
- Re: [TLS] Please discuss: draft-housley-evidence-… home_pw
- Re: [TLS] Please discuss: draft-housley-evidence-… Martin Rex
- Re: [TLS] Please discuss: draft-housley-evidence-… Martin Rex
- RE: [TLS] Please discuss: draft-housley-evidence-… Mark Brown
- Re: [TLS] Please discuss: draft-housley-evidence-… Martin Rex
- Re: [TLS] Please discuss: draft-housley-evidence-… Martin Rex
- Re: [TLS] Please discuss: draft-housley-evidence-… Martin Rex
- Re: [TLS] Please discuss: draft-housley-evidence-… Nelson B Bolyard
- Re: [TLS] Please discuss: draft-housley-evidence-… Peter Gutmann
- Re: [TLS] Please discuss: draft-housley-evidence-… Omirjan Batyrbaev
- Re: [TLS] Please discuss: draft-housley-evidence-… Peter Gutmann
- Re: [TLS] Please discuss: draft-housley-evidence-… Steven M. Bellovin
- Re: [TLS] Please discuss: draft-housley-evidence-… home_pw
- Re: [TLS] Please discuss: draft-housley-evidence-… home_pw
- Re: [TLS] Please discuss: draft-housley-evidence-… Russ Housley
- Re: [TLS] Please discuss: draft-housley-evidence-… home_pw
- Re: [TLS] Please discuss: draft-housley-evidence-… Martin Rex
- Re: [TLS] Please discuss: draft-housley-evidence-… Martin Rex
- Re: [TLS] Please discuss: draft-housley-evidence-… Martin Rex
- Re: [TLS] Please discuss: draft-housley-evidence-… home_pw
- Re: [TLS] Please discuss: draft-housley-evidence-… Martin Rex
- Re: [TLS] Please discuss: draft-housley-evidence-… Martin Rex
- Re: [TLS] Please discuss: draft-housley-evidence-… Russ Housley
- RE: [TLS] Please discuss: draft-housley-evidence-… Peter Williams
- RE: [TLS] Please discuss: draft-housley-evidence-… Kemp, David P.
- Re: [TLS] Please discuss: draft-housley-evidence-… Peter Gutmann
- Re: [TLS] Please discuss: draft-housley-evidence-… Martin Rex
- RE: [TLS] Please discuss: draft-housley-evidence-… Peter Williams
- Re: [TLS] Please discuss: draft-housley-evidence-… Russ Housley
- RE: [TLS] Please discuss: draft-housley-evidence-… Peter Williams
- RE: [TLS] Please discuss: draft-housley-evidence-… Kemp, David P.