Re: [TLS] concerns about draft-balfanz-tls-obc

Nikos Mavrogiannopoulos <nmav@gnutls.org> Fri, 18 November 2011 09:19 UTC

On Fri, Nov 18, 2011 at 10:10 AM,  <zhou.sujing@zte.com.cn> wrote:
> Hi,
>    I don't think the origin-bound-certificate is meaningful.
>    The reasons are:
>    1. A CA-signed client certificate is used to authenticate the client user;
> now it is replaced by a self-signed certificate, so how can a server trust or
> authenticate a self-confirmed user?

Isn't it the current situation in web sites? Aren't all popular web
sites' users self-confirmed?

>    2. If client authentication is not required, then there is no need
> to send a self-signed certificate either.

I don't think that the draft asks for the client to be authenticated when
client authentication is not required.

>    3. For the goal of binding a cookie to a self-signed certificate, the
> ordinary CA-signed certificates also work.

At a cost that no-one is willing to pay (not only monetary, but also
the cost of proving yourself to the CA --or the CA will allow
self-confirmation to the users? :).

regards,
Nikos
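As an added illustration of the cookie-to-certificate binding debated in point 3 (example code written for this archive page, not from the thread or from draft-balfanz-tls-obc), the sketch below shows the server side: the self-signed certificate is never trusted for who the user is, only used as a key that the cookie is MACed against. It assumes the TLS layer hands the server the client certificate's DER bytes and that the server holds a secret HMAC key; the certificate bytes and key are constructed stand-ins.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Hypothetical per-server secret used to MAC the cookie; generated at start-up.
SERVER_KEY = secrets.token_bytes(32)


def cert_fingerprint(cert_der: bytes) -> str:
    """Identity the server keys on: the hash of the self-signed client cert.

    No CA trust is involved. The TLS handshake has already proven that the
    client holds the matching private key, which is all the server relies on.
    """
    return hashlib.sha256(cert_der).hexdigest()


def _tag(session_id: str, fingerprint: str, key: bytes) -> str:
    msg = f"{session_id}|{fingerprint}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def issue_cookie(session_id: str, cert_der: bytes, key: bytes = SERVER_KEY) -> str:
    """Issued after the user logs in (e.g. by password): binds the session to this cert."""
    return f"{session_id}|{_tag(session_id, cert_fingerprint(cert_der), key)}"


def verify_cookie(cookie: str, presented_cert_der: Optional[bytes],
                  key: bytes = SERVER_KEY) -> Optional[str]:
    """Return the session id if the cookie was issued for the presented cert, else None.

    A cookie copied to another client is rejected here, because that client
    cannot complete a handshake with the original certificate's private key.
    """
    if presented_cert_der is None or "|" not in cookie:
        return None
    session_id, tag = cookie.split("|", 1)
    expected = _tag(session_id, cert_fingerprint(presented_cert_der), key)
    if not hmac.compare_digest(tag, expected):
        return None
    return session_id


# Constructed stand-ins for DER-encoded self-signed certificates (not real certs).
ALICE_CERT = b"constructed-der:alice-selfsigned"
MALLORY_CERT = b"constructed-der:mallory-selfsigned"

if __name__ == "__main__":
    cookie = issue_cookie("sess-1234", ALICE_CERT)
    print(verify_cookie(cookie, ALICE_CERT))    # sess-1234
    print(verify_cookie(cookie, MALLORY_CERT))  # None: same cookie, different channel
    print(verify_cookie(cookie, None))          # None: no client cert presented
```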