Re: [TLS] Collisions (Re: Consensus Call: FNV vs SHA1)

Marsh Ray <marsh@extendedsubset.com> Tue, 11 May 2010 19:52 UTC

Return-Path: <marsh@extendedsubset.com>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 4CFBC3A6896 for <tls@core3.amsl.com>; Tue, 11 May 2010 12:52:27 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.716
X-Spam-Level:
X-Spam-Status: No, score=-0.716 tagged_above=-999 required=5 tests=[AWL=0.024, BAYES_20=-0.74]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8o3RQkYk6FeM for <tls@core3.amsl.com>; Tue, 11 May 2010 12:52:26 -0700 (PDT)
Received: from mho-01-ewr.mailhop.org (mho-01-ewr.mailhop.org [204.13.248.71]) by core3.amsl.com (Postfix) with ESMTP id 731393A69CD for <tls@ietf.org>; Tue, 11 May 2010 12:51:37 -0700 (PDT)
Received: from xs01.extendedsubset.com ([69.164.193.58]) by mho-01-ewr.mailhop.org with esmtpa (Exim 4.68) (envelope-from <marsh@extendedsubset.com>) id 1OBvUE-000L4q-Fj; Tue, 11 May 2010 19:51:26 +0000
Received: from [127.0.0.1] (localhost [127.0.0.1]) by xs01.extendedsubset.com (Postfix) with ESMTP id 2CC49631D; Tue, 11 May 2010 19:51:23 +0000 (UTC)
X-Mail-Handler: MailHop Outbound by DynDNS
X-Originating-IP: 69.164.193.58
X-Report-Abuse-To: abuse@dyndns.com (see http://www.dyndns.com/services/mailhop/outbound_abuse.html for abuse reporting information)
X-MHO-User: U2FsdGVkX184V4PzkcA0EHTI7qK+nevZRz0DjpT4bCE=
Message-ID: <4BE9B53C.9060702@extendedsubset.com>
Date: Tue, 11 May 2010 14:51:24 -0500
From: Marsh Ray <marsh@extendedsubset.com>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.1.8) Gecko/20100216 Thunderbird/3.0.2
MIME-Version: 1.0
To: Nicolas Williams <Nicolas.Williams@oracle.com>
References: <AC1CFD94F59A264488DC2BEC3E890DE50A43B479@xmb-sjc-225.amer.cisco.com> <20100510190954.GV9429@oracle.com> <87r5lj4eee.fsf@mocca.josefsson.org> <20100510215652.GA9429@oracle.com> <20100511192350.GS9429@oracle.com>
In-Reply-To: <20100511192350.GS9429@oracle.com>
X-Enigmail-Version: 1.0.1
OpenPGP: id=1E36DBF2
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Cc: Simon Josefsson <simon@josefsson.org>, tls@ietf.org
Subject: Re: [TLS] Collisions (Re: Consensus Call: FNV vs SHA1)
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 11 May 2010 19:52:27 -0000

On 5/11/2010 2:23 PM, Nicolas Williams wrote:
> 
> Some of those devilish details:
> 
>  - Clients MUST NOT cache objects from failed handshakes.

Bad guy may see the impending failure and delay the client's recognition
of it arbitrarily.

>  - Clients MAY cache objects from succesful handshakes, and only when
>    the clients authenticate the server (including validation of the
>    server's cert chain to a TA).

It appears that in a large class of client applications, the client TLS
stack may not even know how to fully verify the certificate until he
returns to the application code. Commonly the TLS stack validates that
the server's cert chains to a TA, but the application code queries for
and checks the CN after-the-fact. The method for checking CN is
protocol-specific.

Does the current proposal give more semantic meaning to the exchange of
Finished messages than was expected by such an application?

>  - In particular there MUST NOT be any caching in cases where the server
>    is authenticated by the use of pre-shared certificates.

Sorry if I missed this earlier, what's special about PSK here?

>     - There must be no chance of caching objects when a user clicks
>       through one of those "give your money to the bad guys?" dialogs.

Haven't seen that one.

- Marsh