Re: [TLS] Please discuss: draft-housley-evidence-extns-00 - use tocreate integrity-assured metadata
<home_pw@msn.com> Thu, 11 January 2007 22:27 UTC
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1H58Oi-0001ox-RJ; Thu, 11 Jan 2007 17:27:48 -0500
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1H58Og-0001nB-RQ for tls@ietf.org; Thu, 11 Jan 2007 17:27:46 -0500
Received: from bay0-omc2-s36.bay0.hotmail.com ([65.54.246.172]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1H58Of-00086K-Bc for tls@ietf.org; Thu, 11 Jan 2007 17:27:46 -0500
Received: from hotmail.com ([65.55.131.18]) by bay0-omc2-s36.bay0.hotmail.com with Microsoft SMTPSVC(6.0.3790.2668); Thu, 11 Jan 2007 14:27:44 -0800
Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC; Thu, 11 Jan 2007 14:27:44 -0800
Message-ID: <BAY126-DAV8FD4869649239B55F9A9192B10@phx.gbl>
Received: from 70.142.20.165 by BAY126-DAV8.phx.gbl with DAV; Thu, 11 Jan 2007 22:27:44 +0000
X-Originating-IP: [70.142.20.165]
X-Originating-Email: [home_pw@msn.com]
X-Sender: home_pw@msn.com
From: home_pw@msn.com
To: "Kemp, David P." <DPKemp@missi.ncsc.mil>, tls@ietf.org
References: <FA998122A677CF4390C1E291BFCF59890667755B@EXCH.missi.ncsc.mil>
Subject: Re: [TLS] Please discuss: draft-housley-evidence-extns-00 - use tocreate integrity-assured metadata
Date: Thu, 11 Jan 2007 14:27:43 -0800
MIME-Version: 1.0
Content-Type: text/plain; format="flowed"; charset="iso-8859-1"; reply-type="original"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Windows Live Mail desktop 8.0.1223
X-MimeOLE: Produced By Microsoft MimeOLE V8.0.1223
X-OriginalArrivalTime: 11 Jan 2007 22:27:44.0709 (UTC) FILETIME=[B6F0DF50:01C735CF]
X-Spam-Score: 0.2 (/)
X-Scan-Signature: 244a2fd369eaf00ce6820a760a3de2e8
Cc:
X-BeenThere: tls@lists.ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.lists.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@lists.ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/tls>
List-Post: <mailto:tls@lists.ietf.org>
List-Help: <mailto:tls-request@lists.ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@lists.ietf.org?subject=subscribe>
Errors-To: tls-bounces@lists.ietf.org
> > Consumer-to-provider authentication (as opposed to > > consumer-to-provider's-TLS-accelerator) is needed, > > has both benefits and the abuse potential you are > > worried about, and is happening regardless of whether > > TLS is extended. [David] I got it from Page 12 of the I-D: For example, a client may request access to a resource provided by the server, provide sufficient authentication and authorization information grounds to convince the server to grant the requested access, and receive an affirmative response from the server. A record of TLS Handshake protocol messages representing this example may provide a sufficient record of the intent of both the client and the server. Wow. you got a lot more out of that paragraph than I did! Obviously the words must have much more loaded meanings that I realized (sufficient, convince, grant, affirm, record, intent). I thought it meant: (i) do a conventional client auth (and accept the TLS evidence extensions), and (ii) a signature comes back saying "you just authenticated to website URI x; we agree that use of this URI is subject to the terms and conditions attached in the signer's cert"). But. Ive clearly learned this is actually all about: 1 intent 2 SSL offloading. Your 1 point does clearly indicate out that the designers are FURTHERMORE making very specific (legalistic) claims about facilitating the signaling (and acceptance of?) intent. Perhaps this is too strong: its an issue that they are focused on, and intend their design to address its nature. IETF would be adopting that as a work item, if TLS Evidence becomes a work item. on point 2: I like the general analytical model your developing tho ...and the problem definition that IETF can certainly address, if it wants. Your essentially asserting that the signature may come from the website, rather than the loadbalancer that is doing SSL offloading, in an increasing number of IDCs. And, the semantics of the signature would involve reliance on a (signing) cert for the app-server - whose X>509 extensions express which Ts&Cs are now binding for that URI, located way back in the server farm. This is all good, and was stock VeriSign design work early on, that never went far, pending adoption of digital signatures for e-commerce. Again, the authors need to cater for grade C students (like me), not only grade A students. It has to be a "bit more" spelled out (e.g. loadbalancer, SSL offloading, consumer-to-provider-vs-loadbalancer). Its ever more interesting, tho., assuming the protocol's hashing of handshakes can be designed not to auto-fall foul of regulations affecting 450 million of the Internet's users. _______________________________________________ TLS mailing list TLS@lists.ietf.org https://www1.ietf.org/mailman/listinfo/tls
- Re: [TLS] Please discuss: draft-housley-evidence-… home_pw
- RE: [TLS] Please discuss: draft-housley-evidence-… Mark Brown
- Re: [TLS] Please discuss: draft-housley-evidence-… Martin Rex
- Re: [TLS] Please discuss: draft-housley-evidence-… home_pw
- RE: [TLS] Please discuss: draft-housley-evidence-… Kemp, David P.
- RE: [TLS] Please discuss: draft-housley-evidence-… Mark Brown
- Re: [TLS] Please discuss: draft-housley-evidence-… Martin Rex
- RE: [TLS] Please discuss: draft-housley-evidence-… Stefan Santesson
- Re: [TLS] Please discuss: draft-housley-evidence-… home_pw
- Re: [TLS] Please discuss: draft-housley-evidence-… Martin Rex
- Re: [TLS] Please discuss: draft-housley-evidence-… home_pw
- Re: [TLS] Please discuss: draft-housley-evidence-… Martin Rex
- RE: [TLS] Please discuss: draft-housley-evidence-… Kemp, David P.
- Re: [TLS] Please discuss: draft-housley-evidence-… home_pw
- Re: [TLS] Please discuss: draft-housley-evidence-… Martin Rex
- Re: [TLS] Please discuss: draft-housley-evidence-… Martin Rex
- RE: [TLS] Please discuss: draft-housley-evidence-… Mark Brown
- Re: [TLS] Please discuss: draft-housley-evidence-… Martin Rex
- Re: [TLS] Please discuss: draft-housley-evidence-… Martin Rex
- Re: [TLS] Please discuss: draft-housley-evidence-… Martin Rex
- Re: [TLS] Please discuss: draft-housley-evidence-… Nelson B Bolyard
- Re: [TLS] Please discuss: draft-housley-evidence-… Peter Gutmann
- Re: [TLS] Please discuss: draft-housley-evidence-… Omirjan Batyrbaev
- Re: [TLS] Please discuss: draft-housley-evidence-… Peter Gutmann
- Re: [TLS] Please discuss: draft-housley-evidence-… Steven M. Bellovin
- Re: [TLS] Please discuss: draft-housley-evidence-… home_pw
- Re: [TLS] Please discuss: draft-housley-evidence-… home_pw
- Re: [TLS] Please discuss: draft-housley-evidence-… Russ Housley
- Re: [TLS] Please discuss: draft-housley-evidence-… home_pw
- Re: [TLS] Please discuss: draft-housley-evidence-… Martin Rex
- Re: [TLS] Please discuss: draft-housley-evidence-… Martin Rex
- Re: [TLS] Please discuss: draft-housley-evidence-… Martin Rex
- Re: [TLS] Please discuss: draft-housley-evidence-… home_pw
- Re: [TLS] Please discuss: draft-housley-evidence-… Martin Rex
- Re: [TLS] Please discuss: draft-housley-evidence-… Martin Rex
- Re: [TLS] Please discuss: draft-housley-evidence-… Russ Housley
- RE: [TLS] Please discuss: draft-housley-evidence-… Peter Williams
- RE: [TLS] Please discuss: draft-housley-evidence-… Kemp, David P.
- Re: [TLS] Please discuss: draft-housley-evidence-… Peter Gutmann
- Re: [TLS] Please discuss: draft-housley-evidence-… Martin Rex
- RE: [TLS] Please discuss: draft-housley-evidence-… Peter Williams
- Re: [TLS] Please discuss: draft-housley-evidence-… Russ Housley
- RE: [TLS] Please discuss: draft-housley-evidence-… Peter Williams
- RE: [TLS] Please discuss: draft-housley-evidence-… Kemp, David P.