Re: [TLS] Review of PR #209

Daniel Kahn Gillmor <> Mon, 21 September 2015 15:38 UTC

From: Daniel Kahn Gillmor <>
To: Karthikeyan Bhargavan <>
Date: Mon, 21 Sep 2015 07:22:34 -0700

On Sun 2015-09-20 22:38:45 -0700, Karthikeyan Bhargavan <> wrote:
> As dkg points out, dynamically authenticating clients later in the connection brings up
> API issues of how to notify the application about the scope of this new authentication event.
> I think it is inevitable that implementation will store the client credential in the session, and
> that the new (authenticated) stream of data will be concatenated to the older (unauthenticated) stream.
> Both of these design choices will lead to the following answers to dkg’s questions:
> (a) all messages in TLS sessions (past and present) will be attested to by every certificate
> (b) all traffic in earlier and future resumed sessions will be attested to by every certificate
> In other words, if we do allow this change to client authentication, to be safe, we must analyze the
> resulting protocol *as if* applications will use the authentication event to attest to all
> data, past and present, that may be associated with the data in the current connection.

But this combination is pretty weird for servers to deal with.  For example:

Consider a server that has an ongoing session wrapped in TLS that uses client
authentication to approve or deny some requests from the client.  It
remembers what requests the client has made as some sort of relevant
state.  Let's take an imap server working with a client that has state
of a "currently-examined folder", but this applies to servers and
clients with much more complex state as well.

The client is currently examining folder Y.

Some client identities *do not* have authorization to visit folder X.
Others do.

The client requests a change to folder X.

The server rejects the change.

The client subsequently authenticates to an identity that is authorized
to access folder X.

What is the currently-examined folder for this session?

The "easy" (and right) answer here is "folder Y, of course" -- but
telling peers that the authentication should apply retroactively to all
previous data sent suggests that maybe it should be folder X.

This is confusing.  Confusing semantics are bound to lead to problematic
implementations and usage :(

Sorry that this mail doesn't have a better suggestion to offer.
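As an added illustration of the folder-X/folder-Y scenario above (this is constructed example code, not part of dkg's mail or of any TLS WG draft), the toy model below runs the same request sequence under the two readings of a post-handshake client authentication event: one where the new identity applies only to later requests, and one where it is taken to attest retroactively to everything already sent in the session. The folder names, the identities "anon" and "alice", the ACL table and the `retroactive` flag are all hypothetical.

```python
"""Toy model of an IMAP-like server's per-session state under post-handshake
client authentication.  Constructed example: identities, folders, the ACL and
the 'retroactive' policy are hypothetical, not from any real implementation."""
from dataclasses import dataclass, field

# Hypothetical ACL: which client identities may examine which folder.
ACL = {
    "X": {"alice"},
    "Y": {"anon", "alice"},
}


@dataclass
class Session:
    identity: str = "anon"   # identity before any client authentication
    selected: str = "Y"      # the "currently-examined folder"
    # Every request the server has seen: (folder, identity at the time, outcome)
    log: list = field(default_factory=list)

    def select(self, folder: str) -> bool:
        """Client asks to change to `folder`; authorize against current identity."""
        ok = self.identity in ACL.get(folder, set())
        self.log.append((folder, self.identity, ok))
        if ok:
            self.selected = folder
        return ok

    def authenticate(self, identity: str, retroactive: bool) -> None:
        """Handle a client authentication event arriving mid-connection.

        retroactive=False: the new identity governs only subsequent requests
                           (the "folder Y, of course" answer in the mail).
        retroactive=True:  the new identity is treated as attesting to all
                           earlier data in the session, so the server
                           re-evaluates every earlier request under it.
        """
        self.identity = identity
        if retroactive:
            earlier = list(self.log)
            self.log.clear()
            for folder, _who, _ok in earlier:
                self.select(folder)


def run(retroactive: bool) -> Session:
    """Replay the scenario from the mail and return the resulting session state."""
    s = Session()                     # examining folder Y as "anon"
    s.select("X")                     # rejected: anon may not examine X
    s.authenticate("alice", retroactive)
    return s


if __name__ == "__main__":
    for policy in (False, True):
        s = run(retroactive=policy)
        print(f"retroactive={policy}: selected={s.selected} log={s.log}")
```

Both runs see exactly the same bytes from the client; only the interpretation of the authentication event differs, and that alone decides whether the session ends up in folder Y or folder X. That divergence is the ambiguity the mail is pointing at: an application has to pick one reading, and nothing in the protocol tells the peer which one was picked.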