IETF Logo Mail Archive

Re: [TLS] First TLS cached information draft posted

Martin Rex <Martin.Rex@sap.com> Tue, 09 June 2009 13:52 UTC

Return-Path: <Martin.Rex@sap.com>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 94FCB3A6856 for <tls@core3.amsl.com>; Tue, 9 Jun 2009 06:52:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.249
X-Spam-Level:
X-Spam-Status: No, score=-6.249 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HELO_EQ_DE=0.35, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Yv4sCLaH9KeJ for <tls@core3.amsl.com>; Tue, 9 Jun 2009 06:52:29 -0700 (PDT)
Received: from smtpde03.sap-ag.de (smtpde03.sap-ag.de [155.56.68.140]) by core3.amsl.com (Postfix) with ESMTP id 92CD73A6819 for <TLS@ietf.org>; Tue, 9 Jun 2009 06:52:29 -0700 (PDT)
Received: from mail.sap.corp by smtpde03.sap-ag.de (26) with ESMTP id n59DqYYW021001 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Tue, 9 Jun 2009 15:52:34 +0200 (MEST)
From: Martin Rex <Martin.Rex@sap.com>
Message-Id: <200906091352.n59DqX3N004203@fs4113.wdf.sap.corp>
To: simon@josefsson.org
Date: Tue, 09 Jun 2009 15:52:33 +0200
In-Reply-To: <87k53lh6d4.fsf@mocca.josefsson.org> from "Simon Josefsson" at Jun 9, 9 03:41:27 pm
MIME-Version: 1.0
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 8bit
X-Scanner: Virus Scanner virwal05
X-SAP: out
Cc: TLS@ietf.org
Subject: Re: [TLS] First TLS cached information draft posted
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
Reply-To: martin.rex@sap.com
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 09 Jun 2009 13:52:30 -0000

Simon Josefsson wrote:
> >
> > Not quite.
> >
> > The caching extension is supposed to be generic, and the to-be-cached
> > real data may in some situations be quite short or even the same size
> > than the hash value (probably not for the server certificate caching,
> > but maybe for the list of certification authorities in the certificate
> > request message, which consists of distinguished names only, and
> > there could be just one very short DName (or none at all with TLS v1.1+)
> 
> Then why use the extension?  The point of the extension, as I understood
> it, is to replace large data with a small hash of the same data.  If the
> data is small, the extension doesn't serve any purpose and should not be
> used.  That is why I liked your suggestion to limit the use of the
> extension when the data is larger than 3x hash size.

Look at this:

Server supports caching of certificate_authorities list and runs with
a large list

Client connects, caches the long list and announces the hash of the
cached information on future reconnects

Server configuration is updated, certificate_authorities list
is cut down and now only contains one very short name.

Client connects again (having still cached the previous long list),
server indicates to support caching of that value in principle,
but returns the real data since the hash proposed by the client
no longer matches.

Client should now realize that the short data is the new real
data, should probably drop the cached value, and refrain from
further caching of the short value.


-Martin

v2.23.0 | Report a Bug | By Email