Re: [TLS] Summarizing identity change discussion so far
Martin Rex <mrex@sap.com> Tue, 08 December 2009 20:44 UTC
Return-Path: <mrex@sap.com>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id E1A4B3A692F for <tls@core3.amsl.com>; Tue, 8 Dec 2009 12:44:57 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.191
X-Spam-Level:
X-Spam-Status: No, score=-6.191 tagged_above=-999 required=5 tests=[AWL=0.058, BAYES_00=-2.599, HELO_EQ_DE=0.35, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id SYU0pMSo3q4H for <tls@core3.amsl.com>; Tue, 8 Dec 2009 12:44:56 -0800 (PST)
Received: from smtpde03.sap-ag.de (smtpde03.sap-ag.de [155.56.68.140]) by core3.amsl.com (Postfix) with ESMTP id 9DB5A3A6918 for <tls@ietf.org>; Tue, 8 Dec 2009 12:44:56 -0800 (PST)
Received: from mail.sap.corp by smtpde03.sap-ag.de (26) with ESMTP id nB8Kig6o024740 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Tue, 8 Dec 2009 21:44:42 +0100 (MET)
From: Martin Rex <mrex@sap.com>
Message-Id: <200912082044.nB8Kifxv006654@fs4113.wdf.sap.corp>
To: Pasi.Eronen@nokia.com
Date: Tue, 08 Dec 2009 21:44:41 +0100
In-Reply-To: <808FD6E27AD4884E94820BC333B2DB774F31D2391E@NOK-EUMSG-01.mgdnok.nokia.com> from "Pasi.Eronen@nokia.com" at Dec 8, 9 08:45:49 pm
MIME-Version: 1.0
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 8bit
X-Scanner: Virus Scanner virwal08
X-SAP: out
Cc: tls@ietf.org
Subject: Re: [TLS] Summarizing identity change discussion so far
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
Reply-To: mrex@sap.com
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 08 Dec 2009 20:44:58 -0000
Pasi.Eronen@nokia.com wrote: > > Marsh Ray wrote: > > Pasi.Eronen@nokia.com wrote: > > > > > > The security considerations section of this draft has to describe the > > > fact that even with this fix, renegotiation does things that will > > > surprise application developers, I fully agree. > > > > Does it? This fix ensures that the same party is on each end for the > > entire connection. This rules out a MitM switching connections around. The secure TLS renegotiation _ONLY_ assures that the TLS endpoint can not be tranferred among different peers without their _consent_ during renegotiation. An MitM attacker is someone acting without consent. As long as switching of the identity is permitted during renegotiation (which it currently is), there is only a vague concept of "party" at the other end. > > > If we make any recommendations for TLS libraries it should be to > > not do renegotiation unless the application asks for it by > > registering a callback. Clients usually do _not_ want renegotiation, but they have no say in the TLS handshake. It is the Server which decides whether to ask for a certificate on the initial handshake or whether the server wants to make up his mind only after having seen the clients request. The issue is often usability / user-experience. If you ask a Browser for a certificate on the initial connect, it will result in a popup windows to the user, even if that user has no certificate. It is possible to configure the browser to suppress this popup, but often the browser has only a single configuration option that says "select automatically", and that does actually two different things, i.e. use a client certificate when the request from the server matches exactly one client cert -- an the latter is something one might want _not_ to happen automatically--in contrast to automatic reply that no client cert is available. > > I think the fact that "getPeerCertificate()" and similar API calls > can return a different value each time they're called would be a > surprise to most app developers. Definitely. > > Well, although the example in James Manger's email is not real (in the > sense that it's not from real code), I think it's plausible, and it > doesn't involve an app already coded for switching identities > intentionally. > > I guess an even worse example would be something like this: > > conn = openTlsConnection(host, port) > if not verifyCertChain(conn.getPeerCert()): > raise "Not a valid cert" > if conn.getPeerCert().getName() != expected_name: > raise "Name in certificate doesn't match" > # continue... > > Most TLS libraries seem to support both callback and get() style > functions for accessing/checking certificates. > > Although using the callback-style APIs might be more common (and in > some sence nicer, since it allows you to abort the handshake > a bit earlier -- but an app developer might not care about this very > much), I think it would be a surprise to most app developers that > using the get-style APIs might not be secure. > > (And I wouldn't be surprised at all if real applications using > those get() style APIs are found...) The get-style API is _the_only_ API that I provide to our applications. Besides, I'm coming from the GSS-API world, and there never was a callback API. If you think that get-style API is dangerous, then you seem to be quite unaware about the risks involved with some of the callback APIs (besides being difficult to use in distributed architectures). TLS peers should check the peer's ID before they start sending or receiving any data over the newly established TLS session. Apps protocols that infer from a successful TLS handshake that previously received plaintext data is authenticated suffer from a serious apps-level design flaw. Abusing GSS-API or TLS as an OTP plaintext authentication scheme is IMHO a severe APPS design flaw. The ability to complete a TLS handshake (or to establish a gssapi security context) does not, by itself, convey any kind of intent. Apps that infer intent from this, should really rethink their flawed architecture. -Martin
- [TLS] Summarizing identity change discussion so f… Pasi.Eronen
- Re: [TLS] Summarizing identity change discussion … Blumenthal, Uri - 0662 - MITLL
- Re: [TLS] Summarizing identity change discussion … Stephen Farrell
- Re: [TLS] Summarizing identity change discussion … Pasi.Eronen
- Re: [TLS] Summarizing identity change discussion … Eric Rescorla
- Re: [TLS] Summarizing identity change discussion … Marsh Ray
- Re: [TLS] Summarizing identity change discussion … Marsh Ray
- Re: [TLS] Summarizing identity change discussion … Martin Rex
- Re: [TLS] Summarizing identity change discussion … Stefan Santesson
- Re: [TLS] Summarizing identity change discussion … Pasi.Eronen
- Re: [TLS] Summarizing identity change discussion … Pasi.Eronen
- Re: [TLS] Summarizing identity change discussion … Martin Rex
- Re: [TLS] Summarizing identity change discussion … Michael Gray
- Re: [TLS] Summarizing identity change discussion … Marsh Ray
- Re: [TLS] Summarizing identity change discussion … Martin Rex
- Re: [TLS] Summarizing identity change discussion … Pasi.Eronen
- Re: [TLS] Summarizing identity change discussion … Pasi.Eronen
- Re: [TLS] Summarizing identity change discussion … Pasi.Eronen
- Re: [TLS] Summarizing identity change discussion … Marsh Ray
- Re: [TLS] Summarizing identity change discussion … Martin Rex
- Re: [TLS] Summarizing identity change discussion … Pasi.Eronen
- Re: [TLS] Summarizing identity change discussion … Pasi.Eronen
- Re: [TLS] Summarizing identity change discussion … Kyle Hamilton
- Re: [TLS] Summarizing identity change discussion … Martin Rex
- Re: [TLS] Summarizing identity change discussion … Marsh Ray
- Re: [TLS] Summarizing identity change discussion … Pasi.Eronen
- Re: [TLS] Summarizing identity change discussion … Michael Gray
- Re: [TLS] Summarizing identity change discussion … Martin Rex
- Re: [TLS] Summarizing identity change discussion … Michael Gray
- Re: [TLS] Summarizing identity change discussion … Marsh Ray
- Re: [TLS] Summarizing identity change discussion … Martin Rex
- Re: [TLS] Summarizing identity change discussion … Michael Gray
- Re: [TLS] Summarizing identity change discussion … Kyle Hamilton
- [TLS] OpenPGP Certs for TLS [was: Re: Summarizing… Daniel Kahn Gillmor
- Re: [TLS] Summarizing identity change discussion … Martin Rex
- Re: [TLS] Summarizing identity change discussion … Blumenthal, Uri - 0662 - MITLL
- Re: [TLS] Summarizing identity change discussion … Kyle Hamilton
- Re: [TLS] Summarizing identity change discussion … Martin Rex
- Re: [TLS] Summarizing identity change discussion … Kyle Hamilton
- Re: [TLS] Summarizing identity change discussion … Peter Saint-Andre
- Re: [TLS] Summarizing identity change discussion … Peter Saint-Andre
- Re: [TLS] Summarizing identity change discussion … Peter Saint-Andre
- Re: [TLS] Summarizing identity change discussion … Peter Saint-Andre
- Re: [TLS] Summarizing identity change discussion … David-Sarah Hopwood
- Re: [TLS] Summarizing identity change discussion … Blumenthal, Uri - 0662 - MITLL
- Re: [TLS] Summarizing identity change discussion … Marsh Ray
- Re: [TLS] Summarizing identity change discussion … Joseph Salowey (jsalowey)
- Re: [TLS] Summarizing identity change discussion … Stephen Farrell
- Re: [TLS] Summarizing identity change discussion … Martin Rex
- Re: [TLS] Summarizing identity change discussion … Nelson B Bolyard
- Re: [TLS] Summarizing identity change discussion … Nasko Oskov
- Re: [TLS] Summarizing identity change discussion … David-Sarah Hopwood
- Re: [TLS] Summarizing identity change discussion … David-Sarah Hopwood
- Re: [TLS] Summarizing identity change discussion … Joseph Salowey (jsalowey)
- Re: [TLS] Summarizing identity change discussion … Pasi.Eronen
- Re: [TLS] Summarizing identity change discussion … Joseph Salowey (jsalowey)