RE: [TLS] Comments on TLS identity protection
Peter Williams <home_pw@msn.com> Wed, 20 December 2006 00:34 UTC
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1GwpPU-00010L-7M; Tue, 19 Dec 2006 19:34:16 -0500
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1GwpPS-0000yP-Qj for tls@ietf.org; Tue, 19 Dec 2006 19:34:14 -0500
Received: from bay0-omc1-s35.bay0.hotmail.com ([65.54.246.107]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1GwpPR-0006Zh-7u for tls@ietf.org; Tue, 19 Dec 2006 19:34:14 -0500
Received: from BAY103-W5 ([65.54.174.105]) by bay0-omc1-s35.bay0.hotmail.com with Microsoft SMTPSVC(6.0.3790.2668); Tue, 19 Dec 2006 16:34:12 -0800
X-Originating-IP: [75.209.237.5]
X-Originating-Email: [home_pw@msn.com]
Message-ID: <BAY103-W5869507984F7F64B2DE4292CF0@phx.gbl>
From: Peter Williams <home_pw@msn.com>
To: Kyle Hamilton <aerowolf@gmail.com>, martin.rex@sap.com
Subject: RE: [TLS] Comments on TLS identity protection
Date: Tue, 19 Dec 2006 16:34:12 -0800
MIME-Version: 1.0
X-OriginalArrivalTime: 20 Dec 2006 00:34:12.0746 (UTC) FILETIME=[92432EA0:01C723CE]
X-Spam-Score: 2.6 (++)
X-Scan-Signature: 3d7f2f6612d734db849efa86ea692407
Cc: tls@ietf.org
X-BeenThere: tls@lists.ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.lists.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@lists.ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/tls>
List-Post: <mailto:tls@lists.ietf.org>
List-Help: <mailto:tls-request@lists.ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@lists.ietf.org?subject=subscribe>
Content-Type: multipart/mixed; boundary="===============2042951221=="
Errors-To: tls-bounces@lists.ietf.org
Id say the nth handshake can select to send "no server cert" whenever its cooperating to complete an anonymous-ciphersuite-targeted handshake. So, assume there are only two ciphers suite values in the HSM : RSA, RSA-ANON. on handshake 1, changecipherspec completes session state using RSA-derived master keying, having used/sent a server cert. On the second handshake, the server can no constrain the negotiation of ciphersuites to only offer only RSA-ANON. If the client accepts, if is accepting the possibility of no server auth (via certs). Of course, the second handshake is conducted within the SA of the first... which may well authenticate the server's public key anyways, without using certs for that function, enough to validate the signature on the server key agreement message. Thius is consitent with IETF's RFC 1421 practices, using public keys (only) from previous certificate-based sessions. Now, I'm delighted to be corrected on this, in theory or actual practice in commodity internet products. TLS's 1.0 "minor" changes to SSLv3 are still new to me. I never bothered to read the TLS 1.0 document carefully enough before, thus failing to recognize the notions of anon-ciphersuites, export-controlled key agreement , and its new fatal exception modes. now IETF has endorsed the notion of RSA ephemeral, we just dump the export control policy and exploit it! Im going to read TLS 1.1 much more carefully tomorrow. Ill try to backtrack any new control policy developments through TLS1.0 and back to SSL3. Im half hoping IETF already dumped RSA_EXPORT as arcane, or at least increased the key length after 6 years! > Date: Tue, 19 Dec 2006 15:41:57 -0700> From: aerowolf@gmail.com> To: martin.rex@sap.com> Subject: Re: [TLS] Comments on TLS identity protection> CC: tls@ietf.org> > On every renegotiation, does the server have to reauthenticate itself> (present its certificate again)? Or can the credential on the client> side be cached to avoid that duplication?> > -Kyle H> > On 12/19/06, Martin Rex <martin.rex@sap.com> wrote:> > Eric Rescorla wrote:> > >> > > Good point.> > >> > > However, as you say in most cases the request for client auth> > > is contingent upon seeing the request and so a rehandshake is> > > required here in any case. A one-pass protocol wouldn't work> > > here.> >> > Correct.> >> > I had the same thought but completely failed to point this out.> >> > In the not uncommon case with IIS renegotiating after having> > evaluated the HTTP(S)-request, the one-pass protocol can not> > be used.> >> > -Martin> >> > _______________________________________________> > TLS mailing list> > TLS@lists.ietf.org> > https://www1.ietf.org/mailman/listinfo/tls> >> > > -- > > -Kyle H> > _______________________________________________> TLS mailing list> TLS@lists.ietf.org> https://www1.ietf.org/mailman/listinfo/tls _________________________________________________________________ Get the Live.com Holiday Page for recipes, gift-giving ideas, and more. www.live.com/?addtemplate=holiday
_______________________________________________ TLS mailing list TLS@lists.ietf.org https://www1.ietf.org/mailman/listinfo/tls
- [TLS] Comments on TLS identity protection Eric Rescorla
- Re: [TLS] Comments on TLS identity protection Eric Rescorla
- Re: [TLS] Comments on TLS identity protection Martin Rex
- Re: [TLS] Comments on TLS identity protection Martin Rex
- Re: [TLS] Comments on TLS identity protection badra
- Re: [TLS] Comments on TLS identity protection Eric Rescorla
- Re: [TLS] Comments on TLS identity protection Kyle Hamilton
- Re: [TLS] Comments on TLS identity protection Eric Rescorla
- Re: [TLS] Comments on TLS identity protection Martin Rex
- Re: [TLS] Comments on TLS identity protection badra
- RE: [TLS] Comments on TLS identity protection Peter Williams
- Re: [TLS] Comments on TLS identity protection Eric Rescorla
- RE: [TLS] Comments on TLS identity protection Peter Williams
- RE: [TLS] Comments on TLS identity protection Peter Williams
- Re: [TLS] Comments on TLS identity protection badra
- RE: [TLS] Comments on TLS identity protection Pasi.Eronen
- Re: [TLS] Comments on TLS identity protection badra
- RE: [TLS] Comments on TLS identity protection Pasi.Eronen
- Re: [TLS] Comments on TLS identity protection Bodo Moeller
- Re: [TLS] Comments on TLS identity protection badra
- RE: [TLS] Comments on TLS identity protection Pasi.Eronen
- Re: [TLS] Comments on TLS identity protection badra
- RE: [TLS] Comments on TLS identity protection Pasi.Eronen
- Re: [TLS] Comments on TLS identity protection Eric Rescorla
- RE: [TLS] Comments on TLS identity protection Peter Williams
- Re: [TLS] Comments on TLS identity protection badra
- Re: [TLS] Comments on TLS identity protection Eric Rescorla
- Re: [TLS] Comments on TLS identity protection badra
- Re: [TLS] Comments on TLS identity protection Martin Rex
- Re: [TLS] Comments on TLS identity protection Badra
- Re: [TLS] Comments on TLS identity protection Omirjan Batyrbaev
- Re: [TLS] Comments on TLS identity protection home_pw
- Re: [TLS] Comments on TLS identity protection home_pw
- Re: [TLS] Comments on TLS identity protection EKR
- Re: [TLS] Comments on TLS identity protection home_pw
- Re: [TLS] Comments on TLS identity protection home_pw
- Re: [TLS] Comments on TLS identity protection Martin Rex
- RE: [TLS] Comments on TLS identity protection Peter Williams
- Re: [TLS] Comments on TLS identity protection EKR
- Re: [TLS] Comments on TLS identity protection Martin Rex
- Re: [TLS] Comments on TLS identity protection home_pw
- Re: [TLS] Comments on TLS identity protection EKR
- Re: [TLS] Comments on TLS identity protection home_pw
- Re: [TLS] Comments on TLS identity protection EKR
- Re: [TLS] Comments on TLS identity protection home_pw