IETF Logo Mail Archive

Re: [TLS] First TLS cached information draft posted

Stefan Santesson <stefan@aaa-sec.com> Tue, 16 June 2009 15:11 UTC

Return-Path: <stefan@aaa-sec.com>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 522FC3A6D8C for <tls@core3.amsl.com>; Tue, 16 Jun 2009 08:11:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.179
X-Spam-Level:
X-Spam-Status: No, score=-2.179 tagged_above=-999 required=5 tests=[AWL=0.070, BAYES_00=-2.599, HELO_EQ_SE=0.35]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rAFSRILBib7q for <tls@core3.amsl.com>; Tue, 16 Jun 2009 08:11:14 -0700 (PDT)
Received: from s87.loopia.se (s87.loopia.se [194.9.95.112]) by core3.amsl.com (Postfix) with ESMTP id 056383A6D69 for <tls@ietf.org>; Tue, 16 Jun 2009 08:11:13 -0700 (PDT)
Received: (qmail 74325 invoked from network); 16 Jun 2009 15:09:58 -0000
Received: from s34.loopia.se (HELO s24.loopia.se) ([194.9.94.70]) (envelope-sender <stefan@aaa-sec.com>) by s87.loopia.se (qmail-ldap-1.03) with AES256-SHA encrypted SMTP for <tls@ietf.org>; 16 Jun 2009 15:09:58 -0000
Received: (qmail 29385 invoked from network); 16 Jun 2009 15:09:52 -0000
Received: from 213-64-142-21-no153.business.telia.com (HELO [192.168.0.17]) (stefan@fiddler.nu@[213.64.142.21]) (envelope-sender <stefan@aaa-sec.com>) by s24.loopia.se (qmail-ldap-1.03) with DES-CBC3-SHA encrypted SMTP for <huangmin123@huaweisymantec.com>; 16 Jun 2009 15:09:52 -0000
User-Agent: Microsoft-Entourage/12.19.0.090515
Date: Tue, 16 Jun 2009 17:09:52 +0200
From: Stefan Santesson <stefan@aaa-sec.com>
To: Min Huang <huangmin123@huaweisymantec.com>
Message-ID: <C65D8260.2A79%stefan@aaa-sec.com>
Thread-Topic: [TLS] First TLS cached information draft posted
Thread-Index: AcnpmKU3A6jU6q9xQxOJfsECPeRUeQE+9phM
In-Reply-To: <001801c9e998$a58b4b40$909a1b0a@china.huawei.com>
Mime-version: 1.0
Content-type: text/plain; charset="US-ASCII"
Content-transfer-encoding: 7bit
Cc: tls@ietf.org
Subject: Re: [TLS] First TLS cached information draft posted
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 16 Jun 2009 15:11:15 -0000

Ming and Simon,

As you both seems to have misunderstood what I intended to say here.

What I currently think is the correct way is to include just one
CachedObject structure for each cached information type (e.g. One for
certificate data and one for CA names).

This CachedObject stucture may contain any number of hashes. This might be
hashes using different algorithms over the same object or it may be hashes
of the same kind over different objects (e.g. multiple acceptble certs). It
is just an unordered list of hashes.

The server now takes the data it intended to send. And compute the hash over
that data with as many algorithms it can out of the algorithms used by the
client. If one of the received hashes matches one of the generated hashes,
the match is accepted and the server will return one of the matching hashes
as acceptance of the cache (data replacement).

This is at least how it was intended in the current draft.

This is to me still the simplest, cleanest and easiest approach.

/Stefan



On 09-06-10 8:56 AM, "Min Huang" <huangmin123@huaweisymantec.com> wrote:

> Hi, Stefan
> 
> You said:
> "1) Is it allowed to send over multiple CachedObject elements
> containing the same type identifier?
> Proposed answer = No (you can already include multiple hashes
> for each type)"
> 
> It means that the number of the cached certificate is one or
> it means the hash values of all cached certificates are contained
> in one CachedObject of the same type?
> 
> 
> regards,
> Min
> 
> 
> 
> 
>>>>>>>>>>>> 
> 
> I think I have to try to clarify this
> 
> The client send a cached_information extension which contains a list of
> CachedObject structures.
> 
> Each ChachedObject element contains:
> 
> - type identifier (CachedInformationType type)
> - a list of hash values (CachedInformationHash hashes)
> 
> Each CachedInformationHash contains:
> 
> - Algorithm identifier (HashAlgorithm hash)
> - Hash value (opaque hash_value)
> 
> 
> 
> There are a number of issues that need to be specified or clarified in the
> draft:
> 
> 1) Is it allowed to send over multiple CachedObject elements containing the
> same type identifier?
> 
> Proposed answer = No (you can already include multiple hashes for each type)
> 
> 
> 2) What should the server return in its server hello message for each
> acceptable CachedObject?
> 
> Alternative 1 = The CachedObject element, exactly as it was received by the
> client (with all hashes)
> 
> Alternative 2 = The CachedObject element, but only containing the
> CachedInformationHash elements that is recognize and support.
> 
> Proposed answer = Alternative 1 (This allows the server to say YES in
> principle without analyzing the hash values at the time of Hello exchange)
> 
> 
> 3) Is the server REQUIRED to honor its support of a CachedObject by
> replacing the identified handshake data with a received hash?
> 
> Proposed answer = NO (for reasons raised by Martin)
> 
> 
> 4) What does the server send as replacement for the replaced handshake data?
> 
> Proposed answer = One opaque hash_value (without hash type identifier) that
> was received by the client, which MUST contain a valid hash over the
> replaced data.
> 
> 
> 
> Do you agree?
> 
> /Stefan
> 
> 
>

v2.23.0 | Report a Bug | By Email