Re: [TLS] First TLS cached information draft posted
Stefan Santesson <stefan@aaa-sec.com> Fri, 05 June 2009 12:29 UTC
Return-Path: <stefan@aaa-sec.com>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 882863A687C for <tls@core3.amsl.com>; Fri, 5 Jun 2009 05:29:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[AWL=0.349, BAYES_00=-2.599, HELO_EQ_SE=0.35]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id r7wH4HQCKGpP for <tls@core3.amsl.com>; Fri, 5 Jun 2009 05:29:12 -0700 (PDT)
Received: from s87.loopia.se (s87.loopia.se [194.9.95.112]) by core3.amsl.com (Postfix) with ESMTP id 277AA3A6872 for <TLS@ietf.org>; Fri, 5 Jun 2009 05:29:11 -0700 (PDT)
Received: (qmail 98410 invoked from network); 5 Jun 2009 12:29:16 -0000
Received: from s34.loopia.se (HELO s42.loopia.se) ([194.9.94.70]) (envelope-sender <stefan@aaa-sec.com>) by s87.loopia.se (qmail-ldap-1.03) with AES256-SHA encrypted SMTP for <TLS@ietf.org>; 5 Jun 2009 12:29:16 -0000
Received: (qmail 56993 invoked from network); 5 Jun 2009 12:29:11 -0000
Received: from 213-64-142-21-no153.business.telia.com (HELO [192.168.0.17]) (stefan@fiddler.nu@[213.64.142.21]) (envelope-sender <stefan@aaa-sec.com>) by s42.loopia.se (qmail-ldap-1.03) with DES-CBC3-SHA encrypted SMTP for <simon@josefsson.org>; 5 Jun 2009 12:29:11 -0000
User-Agent: Microsoft-Entourage/12.17.0.090302
Date: Fri, 05 Jun 2009 14:29:10 +0200
From: Stefan Santesson <stefan@aaa-sec.com>
To: Simon Josefsson <simon@josefsson.org>
Message-ID: <C64EDC36.2762%stefan@aaa-sec.com>
Thread-Topic: First TLS cached information draft posted
Thread-Index: Acnl2Tn45WkNeU1LbEyc56lzw2NeDA==
In-Reply-To: <87fxeerjv3.fsf@mocca.josefsson.org>
Mime-version: 1.0
Content-type: text/plain; charset="ISO-8859-1"
Content-transfer-encoding: quoted-printable
Cc: TLS wg <TLS@ietf.org>
Subject: Re: [TLS] First TLS cached information draft posted
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 05 Jun 2009 12:29:13 -0000
Thank's Simon, Good comments and I agree to both of them. 1) Yes the intension is that if the server returns only 1 out of 2 objects, only the object returned will be replaced 2) If the server has indicated support of a cached object in the server hello, the requirement to replace that object with a hash should be a MUST. It turns out that it was not to late to cancel the submission, so I have already incorporated this in the 00 draft and resubmitted. If you follow the same link and hit "refresh" you will see the changes. /Stefan On 09-06-05 1:38 PM, "Simon Josefsson" <simon@josefsson.org> wrote: > Stefan Santesson <stefan@aaa-sec.com> writes: > >> I have finally incorporated the agreed changes to what previously was called >> the cached certs extension, now changed to the cached information extension, >> and submitted the first (00) TLS draft. >> >> The draft is available from the following staging URL until it¹s made >> available as a TLS draft. >> http://www.ietf.org/proceedings/staging/draft-ietf-tls-cached-info-00.txt > > I support this. I've seen 40kb handshakes due to the server return a > list of acceptable CAs, and that has generated some interop problems > with GnuTLS [1]. > > The document appears to be in good shape. I believe I could implement > the document if two (minor) concerns were resolved. > > First, this paragraph: > > Servers that receive an extended client hello containing a > "cached_information" extension, MAY indicate that they support one or > more of the cached information objects by including an extension of > type "cached_information" in the (extended) server hello, which SHALL > contain at least one CachedObject received from the client. > > The intention here appears under-specified. What does it mean if the > client sent two CachedObject's and the server just returned one of them? > One plausible interpretation would be that the server did not support > the hash/type-combination that were not returned. Enforcing that > interpretation is needed to resolve my second concern. > > I suggest to add a sentence: > > The CachedObject's returned by the server MUST include the types the > server supports and has accepted to replace with cached data. > > Secondly, this paragraph: > > After negotiation of the use of cached certificates has been > successfully completed (by exchanging hello messages including > "cached_certs" extensions), the server MAY replace the cached > information objects in its handshake messages with a corresponding > hash_value from CachedInformationHash that was included in the > cached_information extension of the server hello message. > > Why a MAY here? How would a client distinguish whether the server did > replace the data or not? Why not use the extended server hello to > return the supported types (as suggested above)? This appears to add > complexity for no particular reason, at least as far as I can > understand. > > I suggest to replace MAY with MUST here. > > Thanks, > /Simon > > [1] GnuTLS refuses large handshakes due to DoS concerns, and we had to > increase the limit.
- Re: [TLS] First TLS cached information draft post… Stefan Santesson
- Re: [TLS] First TLS cached information draft post… Simon Josefsson
- Re: [TLS] First TLS cached information draft post… Stefan Santesson
- Re: [TLS] First TLS cached information draft post… Martin Rex
- [TLS] First TLS cached information draft posted Stefan Santesson
- Re: [TLS] First TLS cached information draft post… Simon Josefsson
- Re: [TLS] First TLS cached information draft post… Stefan Santesson
- Re: [TLS] First TLS cached information draft post… Stefan Santesson
- Re: [TLS] First TLS cached information draft post… Simon Josefsson
- Re: [TLS] First TLS cached information draft post… Simon Josefsson
- Re: [TLS] First TLS cached information draft post… Simon Josefsson
- Re: [TLS] First TLS cached information draft post… Simon Josefsson
- Re: [TLS] First TLS cached information draft post… Martin Rex
- Re: [TLS] First TLS cached information draft post… Simon Josefsson
- Re: [TLS] First TLS cached information draft post… Martin Rex
- Re: [TLS] First TLS cached information draft post… Simon Josefsson
- Re: [TLS] First TLS cached information draft post… Martin Rex
- Re: [TLS] First TLS cached information draft post… Martin Rex
- Re: [TLS] First TLS cached information draft post… Simon Josefsson
- Re: [TLS] First TLS cached information draft post… Simon Josefsson
- Re: [TLS] First TLS cached information draft post… Simon Josefsson
- Re: [TLS] First TLS cached information draft post… Min Huang
- Re: [TLS] First TLS cached information draft post… Min Huang
- Re: [TLS] First TLS cached information draft post… Simon Josefsson
- Re: [TLS] First TLS cached information draft post… Martin Rex
- Re: [TLS] First TLS cached information draft post… Simon Josefsson
- Re: [TLS] First TLS cached information draft post… Stefan Santesson
- Re: [TLS] First TLS cached information draft post… Stefan Santesson
- Re: [TLS] First TLS cached information draft post… Stefan Santesson
- Re: [TLS] First TLS cached information draft post… Stefan Santesson
- Re: [TLS] First TLS cached information draft post… Martin Rex
- Re: [TLS] First TLS cached information draft post… Martin Rex
- Re: [TLS] First TLS cached information draft post… Stefan Santesson
- Re: [TLS] First TLS cached information draft post… Stefan Santesson