[TLS] Unrelated (Re: [CHANNEL-BINDING] RESOLVED (Re: [sasl] lasgt call comments (st Call:)

Nicolas Williams <Nicolas.Williams@sun.com> Tue, 03 November 2009 22:39 UTC

Return-Path: <Nicolas.Williams@sun.com>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost []) by core3.amsl.com (Postfix) with ESMTP id 433933A67D6; Tue, 3 Nov 2009 14:39:28 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.045
X-Spam-Status: No, score=-6.045 tagged_above=-999 required=5 tests=[AWL=0.001, BAYES_00=-2.599, HELO_MISMATCH_COM=0.553, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([]) by localhost (core3.amsl.com []) (amavisd-new, port 10024) with ESMTP id L0ihQCu1fWuo; Tue, 3 Nov 2009 14:39:27 -0800 (PST)
Received: from sca-ea-mail-1.sun.com (sca-ea-mail-1.Sun.COM []) by core3.amsl.com (Postfix) with ESMTP id DB0C63A63EB; Tue, 3 Nov 2009 14:39:26 -0800 (PST)
Received: from dm-central-01.central.sun.com ([]) by sca-ea-mail-1.sun.com (8.13.7+Sun/8.12.9) with ESMTP id nA3Mdlwn022230; Tue, 3 Nov 2009 22:39:47 GMT
Received: from binky.Central.Sun.COM (binky.Central.Sun.COM []) by dm-central-01.central.sun.com (8.13.8+Sun/8.13.8/ENSMAIL,v2.2) with ESMTP id nA3MdlEV031945; Tue, 3 Nov 2009 15:39:47 -0700 (MST)
Received: from binky.Central.Sun.COM (localhost []) by binky.Central.Sun.COM (8.14.3+Sun/8.14.3) with ESMTP id nA3MKkbG007579; Tue, 3 Nov 2009 16:20:46 -0600 (CST)
Received: (from nw141292@localhost) by binky.Central.Sun.COM (8.14.3+Sun/8.14.3/Submit) id nA3MKjmI007578; Tue, 3 Nov 2009 16:20:45 -0600 (CST)
X-Authentication-Warning: binky.Central.Sun.COM: nw141292 set sender to Nicolas.Williams@sun.com using -f
Date: Tue, 03 Nov 2009 16:20:45 -0600
From: Nicolas Williams <Nicolas.Williams@sun.com>
To: mrex@sap.com
Message-ID: <20091103222045.GI1105@Sun.COM>
References: <E1N5FLb-0003cr-Qk@wintermute01.cs.auckland.ac.nz> <200911031243.nA3ChGLw017926@fs4113.wdf.sap.corp>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <200911031243.nA3ChGLw017926@fs4113.wdf.sap.corp>
User-Agent: Mutt/1.5.7i
Cc: channel-binding@ietf.org, tls@ietf.org, sasl@ietf.org
Subject: [TLS] Unrelated (Re: [CHANNEL-BINDING] RESOLVED (Re: [sasl] lasgt call comments (st Call:)
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 03 Nov 2009 22:39:28 -0000

On Tue, Nov 03, 2009 at 01:43:16PM +0100, Martin Rex wrote:
> Peter Gutmann wrote:
> > Martin Rex <Martin.Rex@sap.com> writes:
> > >Microsoft's implementation (which could be the one referred to by
> > >Larry's implementation) has a silly design flaw in its TLS renogiation,
> > >and I'm not sure that the previous text is a way to fix it.
> > >
> > >It is possible to configure Microsoft IIS in a fashion so that it
> > >will first perform a TLS handshake with a server-only authentication,
> > >and after having received the HTTP request, it will re-negotiate and
> > >ask for a client certificate.
> > 
> I was refering to a design flaw in server-side session caching of
> Microsoft IIS (the Server) when it is configured to perform renegotiation
> in order to obtain a client certificate after having seen and evaluated
> the request.

Why is that a problem?  The request will have named a document, but if
you're using confidentiality protection then so what?  The client knows
the document name, and so does the server.  Authorization _correctly_
happens when the access request is made.  That the necessary user
authentication step is delayed until authorization is needed doesn't
strike me as a problem -- it's a feature.

After all some documents may have anonymous access, and some may
require user authentication.  If the server requested user
authentication prior to knowing what document the client wants to
access, then it will force an ugly interaction on users that only want
to access documents that require no user authentication.