Re: [TLS] Summary of discussion regarding spontaneuous authentication

[Eric Rescorla <ekr@rtfm.com>]

On Wed, Oct 22, 2014 at 4:31 PM, Watson Ladd <watsonbladd@gmail.com> wrote:

> On Wed, Oct 22, 2014 at 3:04 AM, Martin Thomson
> <martin.thomson@gmail.com> wrote:
> > The update proposal that ekr sent around was discussed.
> >
> > The primary concern was that the properties of the connection were
> > considered to change with respect to authentication.  Any data
> > received before the authentication, or messages that appear partially
> > before and partially after would have ambiguous properties.
>
> Why is the proposal worse than fixed renegotiation in this regard? I
> agree, it's possible to simplify a lot by forcing reconnection to
> authenticate, but it isn't necessary to do so.
>
> >
> > Concerns were raised that having the authentication attest to data
> > that was sent prior to the authentication would expose us to a variety
> > of attacks that relied on confusion about the state of the connection.
> > There was also a concern that this would be difficult to analyse.
> >
> > It was pointed out that update was still interesting, but only from a
> > rekeying perspective, because that had far lesser risks and no real
> > API implications.
> >
> > If we decided to continue with Update, then we would have a place to
> > add a future extension that re-enabled this feature.
> >
> > I noted that the use case that renegotiation provides was not going to
> > be supported with the proposed Update message, since there was no
> > analogue for the HelloRequest message.
>
> As far as I can tell, not true with regard to HTTP. I believe (but may
> be wrong) that when a client is informed by a server it needs to
> authenticate to make a request, that this is done by an error code,
> not sending a HelloRequest message.


That's correct for RFC 7235 authentication (i.e.. Basic and Digest)
but not for TLS Client Authentication.

-Ekr