Re: [TLS] concers about draft-balfanz-tls-obc

Nico Williams <nico@cryptonector.com> Fri, 18 November 2011 22:35 UTC

DomainKey-Signature: a=rsa-sha1; c=nofws; d=cryptonector.com; h=mime-version :in-reply-to:references:date:message-id:subject:from:to:cc :content-type:content-transfer-encoding; q=dns; s= cryptonector.com; b=fC1vVZEHlgiOnUorJatHSz9aTx6fb/vOzQnkYzoB6WSW 0Ba0AJWF0anVZx99nw/CNwBTIqOsWOvjfutg01ufDV45ShFXb8Q9JpMv99lFfq5L FQH2eE5RfqbkUKDUKnoZkc7xQm0UJ2LPyqOuflZox1b8ck9BWRtl97BKLAkQb5M=
MIME-Version: 1.0
In-Reply-To: <OFC57A0976.6BDE818B-ON4825794C.0031B1B5-4825794C.00326539@zte.com.cn>
References: <OFC57A0976.6BDE818B-ON4825794C.0031B1B5-4825794C.00326539@zte.com.cn>
Date: Fri, 18 Nov 2011 16:34:57 -0600
Message-ID: <CAK3OfOi3P4ZJebfHN2WyGR5w3nDu35vy7wF7ZjbjGnpYg=mLuA@mail.gmail.com>
From: Nico Williams <nico@cryptonector.com>
To: zhou.sujing@zte.com.cn
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Cc: tls@ietf.org
Subject: Re: [TLS] concers about draft-balfanz-tls-obc
Precedence: list

On Fri, Nov 18, 2011 at 3:10 AM,  <zhou.sujing@zte.com.cn> wrote:
>    I don't think the origin-bound-certificate is meaningful.
>    The reasons are:
>    1. CA signed client certificate is used to authenticate the client user,
> now it is replaced by a self-signed certificate, how can a server trust or
> authenticate a self confirmed user?

It doesn't matter how the user is initially authenticated (password
POSTed in forms, user certs, doesn't matter).  As for the server, it
will only inspect the OBC in order to verify that it is the
certificate to which the cookies are bound.

>    2. If client authentication is not required, then there is neither need
> to send a self-signed certificate.

Client authentication is orthogonal to OBC.

OBC protects the session cookies from theft.  Let's say you steal my
session cookies somehow (e.g., via the BEAST attack): but if you don't
have my OBCs' private keys then you can't actually make use of my
cookies.

With OBC cookie theft is not enough.  With OBC the attacker must get
at the private keys for the OBCs.

Also, with OBC you get closer to true logout: destroy ("forget") your
OBC private keys and your sessions are as good as dead.  Moreover, the
user-agent, not the server, is in control of maximum session lifetime,
since there's no point in the server setting cookies that will outlive
the OBCs.  (The server can set cookie lifetimes shorter than OBC
lifetimes, of course, but not longer, and that's what's valuable here
to the user-agent.)

>    3. To the goal of bindling cookie with self-signed certificate, the
> ordinary CA signed certificates also work.

<snark>True, and the three users with commercial CA-issued
certificates will not be affected.</snark>

The non-snarky answer to this is above, in answer to (1).

********

Now, I've observed before, and will repeat here, that we could have a
cookie-to-TLS-session cryptographic binding that doesn't require the
use of any user certificates at all.  But in the end the effect would
be the same as with OBC, and the protocol design trade-offs in the two
approaches are are such that OBC is probably the path of least
resistance (specifically, binding to TLS sessions would effectively
require session resumption without server-side state to be widely
deployed).

Therefore I am a fan of OBC.  I expect OBC to happen, and it will
improve web security significantly.

Nico
--

[TLS] concers about draft-balfanz-tls-obc zhou.sujing
Re: [TLS] concers about draft-balfanz-tls-obc Nikos Mavrogiannopoulos
[TLS] 答复: Re: concers about draft-balfanz-tls-obc zhou.sujing
Re: [TLS] concers about draft-balfanz-tls-obc Nico Williams
Re: [TLS] concers about draft-balfanz-tls-obc Yoav Nir
Re: [TLS] concers about draft-balfanz-tls-obc Nico Williams