Re: [TLS] TLS-OBC and channel-bound cookies as a new TLS CB type (Re: TLS-OBC proposal)

Dirk Balfanz <balfanz@google.com> Thu, 08 September 2011 21:20 UTC


On Thu, Sep 8, 2011 at 12:47 PM, Nico Williams <nico@cryptonector.com> wrote:

> One way to think about what you're proposing is this: you're proposing
> a new TLS session identification and resumption facility and a new
> channel binding type whose CB data are unique for each session
> but the same for all connections in that session.
>
> The session ID here would be the client's ephemeral (private key
> thrown away between sessions) self-signed cert.
>
> Session resumption here would come in two forms: proper TLS session
> resumption, and new TLS sessions using an existing OBC.  For the
> latter case there'd be neither server-side state nor state cookies --
> clever!
>
> A digest of an OBC would be the CB data for the new CB type.
>

Yes, exactly! I try to say as much here:
http://www.browserauth.net/channel-bound-cookies (look for my mention of RFC
5929).


>
> I find your idea very clever.
>
> The only downside is that we'd need two additional PK operations for
> all full handshakes.
>

Well, if you define "session" as something that survives full new
handshakes, I guess. I would still call it a new "session", but the same
"channel", but at this time we're mincing words...


>
> Note that we could instead use a new TLS CB type named, say,
> tls-session-unique, defined as follows: the CB data will be as for
> tls-unique for a TLS session's full handshake.  This would avoid the
> need to negotiate the use/non-use of OBC, and it'd avoid the need to
> add a pair of PK operations.  But it'd also make the system more
> dependent on TLS session resumption.  I suspect that given a choice of
> "more PK ops" vs "session resumption becomes more important" then
> people will prefer the former.
>
> Note too that what you propose fits RFC 5056 just fine.


Yes, I noticed that, too.

Dirk.


>  We could and
> should register a new CB type for OBC if OBC progresses.
>
> Nico
> --
>
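
The binding discussed in this message (a digest of the OBC used as the CB data), sketched as an added example that is not part of the original message or of the TLS-OBC proposal: the server MACs a cookie together with that digest, so the cookie verifies on any connection presenting the same OBC, with no server-side state. SHA-256, the cookie layout, the MAC key and the stand-in certificate bytes are assumptions made for illustration.

```python
import base64
import hashlib
import hmac

# Constructed demo values (assumptions): a server-side MAC key and two
# byte strings standing in for the DER encoding of two different OBCs.
SERVER_KEY = b"constructed-demo-key-not-for-production"
OBC_A = b"constructed stand-in for the DER bytes of client A's OBC"
OBC_B = b"constructed stand-in for the DER bytes of another client's OBC"


def cb_data(obc_der: bytes) -> bytes:
    """CB data for the channel: a digest of the client's OBC.
    SHA-256 is an assumption; the thread does not name a hash."""
    return hashlib.sha256(obc_der).digest()


def _tag(payload: bytes, obc_der: bytes) -> bytes:
    # cb_data is fixed-length (32 bytes), so prefixing it to the payload
    # is an unambiguous encoding of the (channel, payload) pair.
    return hmac.new(SERVER_KEY, cb_data(obc_der) + payload, hashlib.sha256).digest()


def issue_cookie(payload: bytes, obc_der: bytes) -> str:
    """Return 'payload.tag' (base64url), bound to the presenting OBC."""
    enc = base64.urlsafe_b64encode
    return enc(payload).decode() + "." + enc(_tag(payload, obc_der)).decode()


def verify_cookie(cookie: str, obc_der: bytes):
    """Return the payload if the cookie is valid on this channel, else None."""
    try:
        p64, t64 = cookie.split(".")
        payload = base64.urlsafe_b64decode(p64)
        tag = base64.urlsafe_b64decode(t64)
    except ValueError:  # wrong field count or malformed base64
        return None
    ok = hmac.compare_digest(tag, _tag(payload, obc_der))
    return payload if ok else None


if __name__ == "__main__":
    cookie = issue_cookie(b"uid=alice", OBC_A)
    print("same OBC, new connection:", verify_cookie(cookie, OBC_A))
    print("cookie replayed over a channel with another OBC:", verify_cookie(cookie, OBC_B))
```

Because verification depends only on the OBC presented in the handshake, the cookie survives a full new handshake with the same certificate but fails once the client discards the key and generates a new OBC.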