Re: [TLS] Why there should not be a TLS 2.0
Watson Ladd <watsonbladd@gmail.com> Sun, 08 June 2014 19:46 UTC
Return-Path: <watsonbladd@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D68D91A037B for <tls@ietfa.amsl.com>; Sun, 8 Jun 2014 12:46:56 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id k_O7Jzf06Al0 for <tls@ietfa.amsl.com>; Sun, 8 Jun 2014 12:46:55 -0700 (PDT)
Received: from mail-yh0-x235.google.com (mail-yh0-x235.google.com [IPv6:2607:f8b0:4002:c01::235]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AF00D1A037F for <tls@ietf.org>; Sun, 8 Jun 2014 12:46:54 -0700 (PDT)
Received: by mail-yh0-f53.google.com with SMTP id b6so543443yha.40 for <tls@ietf.org>; Sun, 08 Jun 2014 12:46:54 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :content-type; bh=Gq84zm/3Jr3oKhrhm0kxuibkxCWaD4JSIWnlmcpFv4A=; b=BJjlKUagq0rVDzS3zgMKzx6gPr/kpCujRSOUXXqlCyGVBD8gB++o1qqDh9CHTEacsg 5LzEz2zpIiMUUlxqXrX9QwStsEsW9OEBRO0/ZLzvkDxoaIm1TQJZVIZCoeGCoeJl7/YH bVHGZiHbcavYOlQtzZIHUrg9RJ5I/kfUw9F8Pf/r7+nnKZ2zJyH2N0qHHIKGGEu+gsjW FzznOHptcAJjZ2WSqcaY2Y8HShevMfB0K1fbWOP3MniPrfvayU4J7rLRr8Eof0rqQsyD vyHwVPu9RvOEG0YIoaYsKLFs7jUkCzA9mUh5Eg1Juuyd5U6t63BymyjxKciV10LJvLYO 3bFA==
MIME-Version: 1.0
X-Received: by 10.236.1.229 with SMTP id 65mr3126184yhd.107.1402256814023; Sun, 08 Jun 2014 12:46:54 -0700 (PDT)
Received: by 10.170.39.136 with HTTP; Sun, 8 Jun 2014 12:46:53 -0700 (PDT)
In-Reply-To: <20140608154901.GG27883@mournblade.imrryr.org>
References: <CAMm+Lwiw0TO6D5qnfKFb26kg9-+mzCDHJNd9fMi+BrFf4rQaHA@mail.gmail.com> <20140608122758.GA10562@roeckx.be> <20140608154901.GG27883@mournblade.imrryr.org>
Date: Sun, 08 Jun 2014 12:46:53 -0700
Message-ID: <CACsn0cnAiyAXMhTK8+5h+V9M2B2D5boPN0mQJyF_Af=JOcPyvA@mail.gmail.com>
From: Watson Ladd <watsonbladd@gmail.com>
To: "tls@ietf.org" <tls@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/3n2lAaSzpq-FlziczG_PGtQyGi4
Subject: Re: [TLS] Why there should not be a TLS 2.0
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 08 Jun 2014 19:46:57 -0000
On Sun, Jun 8, 2014 at 8:49 AM, Viktor Dukhovni <viktor1dane@dukhovni.org> wrote: > On Sun, Jun 08, 2014 at 02:27:58PM +0200, Kurt Roeckx wrote: > >> I would imagine that the client would like to do a "please give me >> a tunnel to that hostname", and then get back some descriptor that >> it can use to talk to it. Please note that I say hostname, >> because I think that you can have several names each which it's >> own certificate on the same IP address. > > Yes, but stronger yet, one needs (ala GSSAPI + Kerberos, which for > all its limitations gets some things right) to be able to ask for > service@hostname, not just hostname. The underlying Kerberos > stack works with service/instance@REALM, which also makes sense. See also Ethos, where the network protocol authenticates services and users to each other. The kicker is services no longer need to authenticate users. > > We could define new DANE record formats for scalable public-key > cross realm authentication with Kerberos or a Kerberos-like system, > and DNSSEC for a suitably secure hostname->realm mapping. Or one could use a certificate format that supported this natively. The fact that TLS is (mostly) tied to X509 is a real shame when it comes to extending. Yes, you could define extensions for certificate type and use them: at some point SPKI may have been used this way. But as Viktor points out GSSAPI dominates this space (unfortunately: anonymous users are hard to rope in here). Sincerely, Watson Ladd > > -- > Viktor. > > _______________________________________________ > TLS mailing list > TLS@ietf.org > https://www.ietf.org/mailman/listinfo/tls -- "Those who would give up Essential Liberty to purchase a little Temporary Safety deserve neither Liberty nor Safety." -- Benjamin Franklin
- [TLS] Why there should not be a TLS 2.0 Phillip Hallam-Baker
- Re: [TLS] Why there should not be a TLS 2.0 Kurt Roeckx
- Re: [TLS] Why there should not be a TLS 2.0 Viktor Dukhovni
- Re: [TLS] Why there should not be a TLS 2.0 Watson Ladd
- Re: [TLS] Why there should not be a TLS 2.0 Viktor Dukhovni
- Re: [TLS] Why there should not be a TLS 2.0 Joseph Salowey (jsalowey)
- Re: [TLS] Why there should not be a TLS 2.0 Michael StJohns