Re: [TLS] sessions, contexts, etc.
David-Sarah Hopwood <david-sarah@jacaranda.org> Thu, 31 December 2009 02:17 UTC
Return-Path: <djhopwood@googlemail.com>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id ECA4B3A6956 for <tls@core3.amsl.com>; Wed, 30 Dec 2009 18:17:17 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.84
X-Spam-Level:
X-Spam-Status: No, score=-1.84 tagged_above=-999 required=5 tests=[AWL=-0.730, BAYES_05=-1.11]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id saxscm0qzfaF for <tls@core3.amsl.com>; Wed, 30 Dec 2009 18:17:16 -0800 (PST)
Received: from mail-ew0-f214.google.com (mail-ew0-f214.google.com [209.85.219.214]) by core3.amsl.com (Postfix) with ESMTP id A41BD3A69E6 for <tls@ietf.org>; Wed, 30 Dec 2009 18:17:15 -0800 (PST)
Received: by ewy6 with SMTP id 6so11084386ewy.29 for <tls@ietf.org>; Wed, 30 Dec 2009 18:16:52 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=googlemail.com; s=gamma; h=domainkey-signature:received:received:sender:message-id:date:from :user-agent:mime-version:to:subject:references:in-reply-to :x-enigmail-version:content-type; bh=8HhBvpWqyhTRen2z07ctEXPjpGxka/Dm/ed5PyVKXRs=; b=d30n8E9jQju4oDBn4/WemPT5W/FHO0OfFrQeUGpcKy1Gd8Xg41S0XH4RNTIDQo1GrY hgTLgYYhWLtgWfIQ+G/BPQP3SjahHbpstPpleVIdU6zptoWoYwqygP00ypN+PVw6r9pR n6JMFqqTqzGcm6XK10RFElCBcDyoRS3BS32GI=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=googlemail.com; s=gamma; h=sender:message-id:date:from:user-agent:mime-version:to:subject :references:in-reply-to:x-enigmail-version:content-type; b=TsIq31i0C0T73HA6JSIYXqjHO50prElY+JtpFxjD3urA/qRi6fjAujwpgrxkNJS8tq yApm2UMtz5+0Pt8enXITUVKEtZO8+UBBuaRJmwpve1DyYBKcdDCd6O0A1N5iyVUKi0OH Qioi5F0PH1xvMlmdEC3NnDAMxMSchRM+IePXo=
Received: by 10.213.42.210 with SMTP id t18mr7331538ebe.49.1262225812223; Wed, 30 Dec 2009 18:16:52 -0800 (PST)
Received: from ?192.168.0.2? (5e058d2d.bb.sky.com [94.5.141.45]) by mx.google.com with ESMTPS id 14sm9932128ewy.7.2009.12.30.18.16.50 (version=TLSv1/SSLv3 cipher=RC4-MD5); Wed, 30 Dec 2009 18:16:51 -0800 (PST)
Sender: David-Sarah Hopwood <djhopwood@googlemail.com>
Message-ID: <4B3C0976.7020405@jacaranda.org>
Date: Thu, 31 Dec 2009 02:16:22 +0000
From: David-Sarah Hopwood <david-sarah@jacaranda.org>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.8.1.3) Gecko/20070326 Thunderbird/2.0.0.0 Mnenhy/0.7.5.666
MIME-Version: 1.0
To: tls@ietf.org
References: <3561bdcc0912301646p65923143t1b138fb17b75d9@mail.gmail.com>
In-Reply-To: <3561bdcc0912301646p65923143t1b138fb17b75d9@mail.gmail.com>
X-Enigmail-Version: 0.96.0
Content-Type: multipart/signed; micalg="pgp-sha256"; protocol="application/pgp-signature"; boundary="------------enig4E7490C5F99214D91B54A003"
Subject: Re: [TLS] sessions, contexts, etc.
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 31 Dec 2009 02:17:18 -0000
Ravi Ganesan wrote: > Each node can spawn a child node using three different techniques as > follows: > > i) A node can create a child-node by performing an abbreviated handshake. > Such an abbreviated-child inherits the session-id, the shared master-secret > and the authentication-knowledge, from its parent (these CANNOT change). It > gets new client-random, server-random and starts afresh with > renegotiation-information. This technique of spawning a child node is > usually used for efficiency considerations (abbrv. handshake requires no PKI > operations, which is why it cannot be used to update > authentication-knowledge of the other end either). The creation of such a > child-node does NOT result in the previous node becoming inactive. > > ii) A node can create a child node by performing renegotiation, followed by > a full handshake. Such a full-renego-child, starts afresh with new values > for all of the first five parameters. The only parameter which keeps it tied > to this tree is the renegotiation-information, which is derived from the > handshake and the parent-node's renegotiation-information. The primary > use-case for this technique is to update authentication-knowledge of the > Server (i.e. does it know who the Client is?). The creation of such a child > node means the parent node can no longer be used. That (the last sentence) is not the case, as far as I'm aware. Renegotiating on some connection currently associated with a session does not mean that that session can no longer be resumed. > iii) A node can create a child node by performing renegotiation followed by > an abbreviated handshake. Such a abbrv-renego-child inherits the session-id, > shared-master-secret and authentication-information of its parent. There is > a new client-random and server-random, and as in a full-renego-child, the > renegotiation-information is derived from the handshake and the the > renegotiation-information of its parent. I do not know why this use-case > exists; the encryption/hashing keys change but it is questionable if that > adds any protection. The creation of such a child node means the parent node > can no longer be used. Ditto. -- David-Sarah Hopwood ⚥ http://davidsarah.livejournal.com
- Re: [TLS] sessions, contexts, etc. Ravi Ganesan
- Re: [TLS] sessions, contexts, etc. David-Sarah Hopwood
- Re: [TLS] sessions, contexts, etc. tom.petch