RE: [TLS] RFC 4507bis
"Joseph Salowey \(jsalowey\)" <jsalowey@cisco.com> Wed, 01 August 2007 05:17 UTC
Return-path: <tls-bounces@lists.ietf.org>
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1IG6Zw-0004Rx-7H; Wed, 01 Aug 2007 01:17:00 -0400
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1IG6Zv-0004Rp-D2 for tls@ietf.org; Wed, 01 Aug 2007 01:16:59 -0400
Received: from sj-iport-1-in.cisco.com ([171.71.176.70] helo=sj-iport-1.cisco.com) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1IG6Zu-0007f3-PR for tls@ietf.org; Wed, 01 Aug 2007 01:16:59 -0400
Received: from sj-dkim-3.cisco.com ([171.71.179.195]) by sj-iport-1.cisco.com with ESMTP; 31 Jul 2007 22:16:58 -0700
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: Ao8CACq0r0arR7PD/2dsb2JhbAA
X-IronPort-AV: i="4.19,206,1183359600"; d="scan'208"; a="11483912:sNHT14588826"
Received: from sj-core-2.cisco.com (sj-core-2.cisco.com [171.71.177.254]) by sj-dkim-3.cisco.com (8.12.11/8.12.11) with ESMTP id l715Gwot011853; Tue, 31 Jul 2007 22:16:58 -0700
Received: from xbh-sjc-211.amer.cisco.com (xbh-sjc-211.cisco.com [171.70.151.144]) by sj-core-2.cisco.com (8.12.10/8.12.6) with ESMTP id l715Gl6Q015336; Wed, 1 Aug 2007 05:16:58 GMT
Received: from xmb-sjc-225.amer.cisco.com ([128.107.191.38]) by xbh-sjc-211.amer.cisco.com with Microsoft SMTPSVC(6.0.3790.1830); Tue, 31 Jul 2007 22:16:57 -0700
X-MimeOLE: Produced By Microsoft Exchange V6.5
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Subject: RE: [TLS] RFC 4507bis
Date: Tue, 31 Jul 2007 22:17:02 -0700
Message-ID: <AC1CFD94F59A264488DC2BEC3E890DE5043F329D@xmb-sjc-225.amer.cisco.com>
In-Reply-To: <46ACC722.8080702@pobox.com>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: [TLS] RFC 4507bis
Thread-Index: AcfSAXbyDC75dAGYRzO0SfZt8aQjOAB+SMLw
From: "Joseph Salowey (jsalowey)" <jsalowey@cisco.com>
To: Mike <mike-list@pobox.com>, tls@ietf.org
X-OriginalArrivalTime: 01 Aug 2007 05:16:57.0882 (UTC) FILETIME=[2ECD7FA0:01C7D3FB]
DKIM-Signature: v=0.5; a=rsa-sha256; q=dns/txt; l=3061; t=1185945418; x=1186809418; c=relaxed/simple; s=sjdkim3002; h=Content-Type:From:Subject:Content-Transfer-Encoding:MIME-Version; d=cisco.com; i=jsalowey@cisco.com; z=From:=20=22Joseph=20Salowey=20\(jsalowey\)=22=20<jsalowey@cisco.com> |Subject:=20RE=3A=20[TLS]=20RFC=204507bis |Sender:=20; bh=hQ5+3Ba5bd9qaDLbXfQaHSjXMKChsr8EjLcUxI9qvwQ=; b=KaALR/MKj3LbT5iJ7mVE68w8i8gw9otHmS1occjRXMd+6c/LDr0FbQtM+FX20hVt9wYp3snT r6X4Gg0k1jvBVamLM+pvlA39a6o9MNkvahYpUk0u3/RmIHFYVA1lefFY;
Authentication-Results: sj-dkim-3; header.From=jsalowey@cisco.com; dkim=pass ( sig from cisco.com/sjdkim3002 verified; );
X-Spam-Score: -4.0 (----)
X-Scan-Signature: bdc523f9a54890b8a30dd6fd53d5d024
Cc:
X-BeenThere: tls@lists.ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.lists.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@lists.ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/tls>
List-Post: <mailto:tls@lists.ietf.org>
List-Help: <mailto:tls-request@lists.ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@lists.ietf.org?subject=subscribe>
Errors-To: tls-bounces@lists.ietf.org
Hi Mike, Thanks for reviewing the document, comments inline below: > -----Original Message----- > From: Mike [mailto:mike-list@pobox.com] > Sent: Sunday, July 29, 2007 9:58 AM > To: tls@ietf.org > Subject: [TLS] RFC 4507bis > > I'm working on adding support for RFC 4507 to my code and > have found a few issues with the draft. > > - Should the NewSessionTicket message be included > in the hash used to create/verify the Finished > message. I believe it should since it's a > handshake message, but it's not stated anywhere. > I think it would be a good idea to specifically > state that it is. > [Joe]It is part of the TLS hello message and is therefore included in the finished message. This is part of the TLS extensions spec. I'm not sure we need to clarify it here. > - Is it legal for the server to resume a session > and not provide a NewSessionTicket? The message > flow I'm referring to would look like this: > > Client Server > ClientHello > (SessionTicket extension) --> > ServerHello > (no SessionTicket extension) > [ChangeCipherSpec] > <-- Finished > [ChangeCipherSpec] > Finished --> > Application Data <-> Application Data > > If this is not allowed, it should probably be > stated that when a server resumes a session using > a SessionTicket, it MUST send an empty Session > Ticket extension and a NewSessionTicket message > (optionally with an empty ticket). > [Joe] It is legal to not provide a new session ticket if you do not provide an empty session ticket extension from the server. However if you include an empty session ticket extension from the server you must provide a NewSessionTicket message (which may be empty). Some other reviewers have had similar comments, is there a place where the text could be clearer? > - It may be useful to state that the MAC computation > in the ticket is over the encrypted contents to > be able to quickly reject a ticket and not have to > perform a decryption first. > [Joe] This is a implementation detail that I'm not sure we need to go into in the specification. > - Should HMAC-SHA256 be recommended instead of > HMAC-SHA1? > [Joe] I was under the impression that most people were OK with HMAC-SHA-1 use for the foreseeable future. If this is not the case we can probably change it to HMAC-SHA-256. > - StatePlaintext needs more data fields when TLS > extensions are used such as max fragment length. > This should be obvious, but it wouldn't hurt to > state. > > Mike > > _______________________________________________ > TLS mailing list > TLS@lists.ietf.org > https://www1.ietf.org/mailman/listinfo/tls > _______________________________________________ TLS mailing list TLS@lists.ietf.org https://www1.ietf.org/mailman/listinfo/tls
- [TLS] RFC 4507bis Mike
- Re: [TLS] RFC 4507bis jwkckid1
- RE: [TLS] RFC 4507bis Joseph Salowey (jsalowey)
- Re: [TLS] RFC 4507bis Mike
- Re: [TLS] RFC 4507bis Dr Stephen Henson
- Re: [TLS] RFC 4507bis Dr Stephen Henson
- Re: [TLS] RFC 4507bis Mike