Re: [TLS] Another [Well-deserved] attack on TLS CCA

Adam Langley <agl@google.com> Tue, 18 June 2013 18:39 UTC

On Tue, Jun 18, 2013 at 2:30 PM, Anders Rundgren
<anders.rundgren@telia.com> wrote:
> Luckily for all users Google didn't select TLS CCA (Client Certificate
> Authentication) for their coming U2F system; only a moron would base a
> future consumer authentication system on a scheme that is only suited
> for VPN tunnels and invisible authentications like ChannelID.

The U2F system originally did use client-side certificates. We changed
it to ChannelID, but not for the reasons you suggested, but rather as
explained in https://tools.ietf.org/html/draft-balfanz-tls-channelid-00#section-2


Cheers

AGL