Re: [TLS] Summarizing identity change discussion so far

Martin Rex <mrex@sap.com> Thu, 17 December 2009 23:47 UTC

From: Martin Rex <mrex@sap.com>
Message-Id: <200912172347.nBHNlT3s026032@fs4113.wdf.sap.corp>
To: mrex@sap.com
Date: Fri, 18 Dec 2009 00:47:29 +0100
In-Reply-To: <200912172145.nBHLjDUT018568@fs4113.wdf.sap.corp> from "Martin Rex" at Dec 17, 9 10:45:13 pm
MIME-Version: 1.0
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 8bit
Cc: tls@ietf.org
Subject: Re: [TLS] Summarizing identity change discussion so far
Precedence: list
Reply-To: mrex@sap.com

Martin Rex wrote:
> 
> Maybe we should at least mention one valid reason for why a certificate
> may change in the Security Considerations: certificate update/renewal.
> 
> There were two scenarios mentioned where this seems to be a
> regular use case IIRC.  Was it gaming where they were using quite
> short-lived certificates and then XMPP, where they were using
> quite long-lived connections?

Thinking about the "valid reason" scenarios for certificate change,
I'm slightly concerned about a potential disconnect between the
original and the later certificates if the application designer
is a little sloppy.

If a design expects certificate renewal to be necessary
(either short lived-certs or long-lived connections) then it is
imperative that the application performs a full re-authentication
when the identity changes during renegotiation.
A simple certificate path validation could in some situations
subvert a limited-time access restriction.

Normally, you will need a specific certificate for initial authentication,
because it is used for some kind of app-level logon-operation
or ACL-check.  When a renegotiation needs to be performed because of
the expiration of the users cert, and the app does _not_ re-do the
authentication logon/ACL-check, but relies blindly on the
certificate path validation, then the user could simply use
an entirely different certificate with a longer validity during
renegotiation, succeed certificate path validation and keep
using the resource beyond the expiration of the original
access credential/certificate.

-Martin

[TLS] Summarizing identity change discussion so f… Pasi.Eronen
Re: [TLS] Summarizing identity change discussion … Blumenthal, Uri - 0662 - MITLL
Re: [TLS] Summarizing identity change discussion … Stephen Farrell
Re: [TLS] Summarizing identity change discussion … Pasi.Eronen
Re: [TLS] Summarizing identity change discussion … Eric Rescorla
Re: [TLS] Summarizing identity change discussion … Marsh Ray
Re: [TLS] Summarizing identity change discussion … Marsh Ray
Re: [TLS] Summarizing identity change discussion … Martin Rex
Re: [TLS] Summarizing identity change discussion … Stefan Santesson
Re: [TLS] Summarizing identity change discussion … Pasi.Eronen
Re: [TLS] Summarizing identity change discussion … Pasi.Eronen
Re: [TLS] Summarizing identity change discussion … Martin Rex
Re: [TLS] Summarizing identity change discussion … Michael Gray
Re: [TLS] Summarizing identity change discussion … Marsh Ray
Re: [TLS] Summarizing identity change discussion … Martin Rex
Re: [TLS] Summarizing identity change discussion … Pasi.Eronen
Re: [TLS] Summarizing identity change discussion … Pasi.Eronen
Re: [TLS] Summarizing identity change discussion … Pasi.Eronen
Re: [TLS] Summarizing identity change discussion … Marsh Ray
Re: [TLS] Summarizing identity change discussion … Martin Rex
Re: [TLS] Summarizing identity change discussion … Pasi.Eronen
Re: [TLS] Summarizing identity change discussion … Pasi.Eronen
Re: [TLS] Summarizing identity change discussion … Kyle Hamilton
Re: [TLS] Summarizing identity change discussion … Martin Rex
Re: [TLS] Summarizing identity change discussion … Marsh Ray
Re: [TLS] Summarizing identity change discussion … Pasi.Eronen
Re: [TLS] Summarizing identity change discussion … Michael Gray
Re: [TLS] Summarizing identity change discussion … Martin Rex
Re: [TLS] Summarizing identity change discussion … Michael Gray
Re: [TLS] Summarizing identity change discussion … Marsh Ray
Re: [TLS] Summarizing identity change discussion … Martin Rex
Re: [TLS] Summarizing identity change discussion … Michael Gray
Re: [TLS] Summarizing identity change discussion … Kyle Hamilton
[TLS] OpenPGP Certs for TLS [was: Re: Summarizing… Daniel Kahn Gillmor
Re: [TLS] Summarizing identity change discussion … Martin Rex
Re: [TLS] Summarizing identity change discussion … Blumenthal, Uri - 0662 - MITLL
Re: [TLS] Summarizing identity change discussion … Kyle Hamilton
Re: [TLS] Summarizing identity change discussion … Martin Rex
Re: [TLS] Summarizing identity change discussion … Kyle Hamilton
Re: [TLS] Summarizing identity change discussion … Peter Saint-Andre
Re: [TLS] Summarizing identity change discussion … Peter Saint-Andre
Re: [TLS] Summarizing identity change discussion … Peter Saint-Andre
Re: [TLS] Summarizing identity change discussion … Peter Saint-Andre
Re: [TLS] Summarizing identity change discussion … David-Sarah Hopwood
Re: [TLS] Summarizing identity change discussion … Blumenthal, Uri - 0662 - MITLL
Re: [TLS] Summarizing identity change discussion … Marsh Ray
Re: [TLS] Summarizing identity change discussion … Joseph Salowey (jsalowey)
Re: [TLS] Summarizing identity change discussion … Stephen Farrell
Re: [TLS] Summarizing identity change discussion … Martin Rex
Re: [TLS] Summarizing identity change discussion … Nelson B Bolyard
Re: [TLS] Summarizing identity change discussion … Nasko Oskov
Re: [TLS] Summarizing identity change discussion … David-Sarah Hopwood
Re: [TLS] Summarizing identity change discussion … David-Sarah Hopwood
Re: [TLS] Summarizing identity change discussion … Joseph Salowey (jsalowey)
Re: [TLS] Summarizing identity change discussion … Pasi.Eronen
Re: [TLS] Summarizing identity change discussion … Joseph Salowey (jsalowey)