Re: [TLS] TLS-OBC and channel-bound cookies as a new TLS CB type (Re: TLS-OBC proposal)

Dirk Balfanz <> Thu, 08 September 2011 21:20 UTC


On Thu, Sep 8, 2011 at 12:47 PM, Nico Williams <> wrote:

> One way to think about what you're proposing is this: you're proposing
> a new TLS session identification and resumption facility and a new
> channel binding type whose CB data are unique for each session
> but the same for all connections in that session.
> The session ID here would be the client's ephemeral (private key
> thrown away between sessions) self-signed cert.
> Session resumption here would come in two forms: proper TLS session
> resumption, and new TLS sessions using an existing OBC.  For the
> latter case there'd be neither server-side state nor state cookies --
> clever!
> A digest of an OBC would be the CB data for the new CB type.

Yes, exactly! I try to say as much here: (look for my mention of RFC

> I find your idea very clever.
> The only downside is that we'd need two additional PK operations for
> all full handshakes.

Well, if you define "session" as something that survives full new
handshakes, I guess. I would still call it a new "session", but the same
"channel", but at this time we're mincing words...

> Note that we could instead use a new TLS CB type named, say,
> tls-session-unique, defined as follows: the CB data will be as for
> tls-unique for a TLS session's full handshake.  This would avoid the
> need to negotiate the use/non-use of OBC, and it'd avoid the need to
> add a pair of PK operations.  But it'd also make the system more
> dependent on TLS session resumption.  I suspect that given a choice of
> "more PK ops" vs "session resumption becomes more important" then
> people will prefer the former.
> Note too that what you propose fits RFC 5056 just fine.

Yes, I noticed that, too.


>  We could and
> should register a new CB type for OBC if OBC progresses.
> Nico
> --
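
An added illustration, not part of either author's message or of the TLS-OBC proposal: a server binds a cookie to the CB data described above (a digest of the client's OBC) and later accepts it only on a connection that presents the same OBC, keeping no per-session state. The SHA-256 digest, the HMAC cookie layout, the function names and the constructed certificate bytes are all assumptions.

```python
import base64
import hashlib
import hmac
import os

SERVER_KEY = os.urandom(32)  # assumption: server-side MAC key, never sent to clients

# Constructed stand-ins for two DER-encoded self-signed client certificates.
CLIENT_OBC = b"constructed-obc-der:client-A"
OTHER_OBC = b"constructed-obc-der:client-B"


def obc_cb_data(client_cert_der: bytes) -> bytes:
    """CB data for the connection: a digest of the client's OBC (SHA-256 assumed)."""
    return hashlib.sha256(client_cert_der).digest()


def issue_cookie(value: str, cb_data: bytes, key: bytes = SERVER_KEY) -> str:
    """Return 'value.tag' with tag = HMAC(key, len(value) || value || cb_data)."""
    v = value.encode()
    # Length prefix keeps the value/CB-data boundary unambiguous inside the MAC input.
    msg = len(v).to_bytes(4, "big") + v + cb_data
    tag = hmac.new(key, msg, hashlib.sha256).digest()
    return value + "." + base64.urlsafe_b64encode(tag).decode()


def verify_cookie(cookie: str, cb_data: bytes, key: bytes = SERVER_KEY):
    """Return the cookie value if it is bound to this channel's CB data, else None."""
    value, sep, _tag = cookie.rpartition(".")
    if not sep:
        return None
    # Recompute from the presented value and the OBC seen on *this* connection.
    expected = issue_cookie(value, cb_data, key)
    if hmac.compare_digest(expected.encode(), cookie.encode()):
        return value
    return None


def demo():
    cookie = issue_cookie("sid=42", obc_cb_data(CLIENT_OBC))
    # New full handshake, same OBC: CB data is unchanged, so the cookie verifies.
    same_channel = verify_cookie(cookie, obc_cb_data(CLIENT_OBC))
    # Same cookie replayed over a connection authenticated with a different OBC.
    other_channel = verify_cookie(cookie, obc_cb_data(OTHER_OBC))
    return same_channel, other_channel


if __name__ == "__main__":
    print(demo())
```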