Re: [TLS] draft-tuexen-dtls-for-sctp-00.txt

Michael Tuexen <Michael.Tuexen@lurchi.franken.de> Mon, 28 August 2006 20:53 UTC

Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1GHo6V-0008JI-Iz; Mon, 28 Aug 2006 16:53:07 -0400
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1GHo6U-0008JC-CU for tls@ietf.org; Mon, 28 Aug 2006 16:53:06 -0400
Received: from stsc1260-eth-s1-s1p1-vip.va.neustar.com ([156.154.16.129] helo=chiedprmail1.ietf.org) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1GHnZP-0003Wj-1f for tls@ietf.org; Mon, 28 Aug 2006 16:18:55 -0400
Received: from mail-n.franken.de ([193.175.24.27] helo=ilsa.franken.de) by chiedprmail1.ietf.org with esmtp (Exim 4.43) id 1GHmeU-0005qH-O3 for tls@ietf.org; Mon, 28 Aug 2006 15:20:08 -0400
Received: from [192.168.1.3] (p5481FEBB.dip.t-dialin.net [84.129.254.187]) by ilsa.franken.de (Postfix) with ESMTP id 5EB06245D3; Mon, 28 Aug 2006 21:20:00 +0200 (CEST) (KNF account authenticated via SMTP-AUTH)
In-Reply-To: <AC1CFD94F59A264488DC2BEC3E890DE502580384@xmb-sjc-225.amer.cisco.com>
References: <AC1CFD94F59A264488DC2BEC3E890DE502580384@xmb-sjc-225.amer.cisco.com>
Mime-Version: 1.0 (Apple Message framework v752.2)
Content-Type: text/plain; charset=US-ASCII; delsp=yes; format=flowed
Message-Id: <4572CCD5-382C-464B-A507-20D1084D6EAC@lurchi.franken.de>
Content-Transfer-Encoding: 7bit
From: Michael Tuexen <Michael.Tuexen@lurchi.franken.de>
Subject: Re: [TLS] draft-tuexen-dtls-for-sctp-00.txt
Date: Mon, 28 Aug 2006 21:19:59 +0200
To: Joseph Salowey (jsalowey) <jsalowey@cisco.com>
X-Mailer: Apple Mail (2.752.2)
X-Spam-Score: -2.6 (--)
X-Scan-Signature: 386e0819b1192672467565a524848168
Cc: tls@ietf.org
X-BeenThere: tls@lists.ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.lists.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@lists.ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/tls>
List-Post: <mailto:tls@lists.ietf.org>
List-Help: <mailto:tls-request@lists.ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@lists.ietf.org?subject=subscribe>
Errors-To: tls-bounces@lists.ietf.org

Hi Joe,

(taking of the ADs from CC...)

thank you very much for the pointer. I'll look into it.

Best regards
Michael

On Aug 28, 2006, at 5:37 PM, Joseph Salowey (jsalowey) wrote:

> Hi Michael,
>
> In the context of extended EAP keying material, we have been  
> looking at
> the problem of deriving multiple keys from a single root in a
> coordinated fashion to avoid conflicts.  A similar approach may  
> work for
> TLS. I'm not sure that it makes sense to use the same details such as
> IANA registry or key derivation function, but it may.
>
> The current version of the draft is
> http://www.ietf.org/internet-drafts/draft-salowey-eap-emsk- 
> deriv-01.txt.
> Let me know if you have any questions.
>
> Cheers,
>
> Joe
>
>> -----Original Message-----
>> From: Michael Tuexen [mailto:Michael.Tuexen@lurchi.franken.de]
>> Sent: Monday, August 28, 2006 3:26 AM
>> To: tls@ietf.org
>> Cc: lars.eggert@netlab.nec.de; hartmans-ietf@mit.edu
>> Subject: [TLS] draft-tuexen-dtls-for-sctp-00.txt
>>
>> Dear all,
>>
>> I would like to get some comments on draft-tuexen-dtls-for-
>> sctp-00.txt. This includes
>>
>> - technical comments
>>    We would like to use the TLS master secret to generate an
>> additional shared secret which
>>    we would use at the transport layer (SCTP) for SCTP-AUTH.
>> It was already brought up,
>>    that this is a layer violation (but a nice one) and the
>> risk would be that multiple
>>    instances would do this, then these multiple instances
>> would use the same key material
>>    which is definitely bad.
>>    How should we progress here? From an implementation point
>> of view I see only a limited
>>    risk here, because we will modify the TLS implementation
>> to generate the additional
>>    material and would provide to to SCTP via a socket option.
>> So there is NOT API to the
>>    TLS user involved.
>>    Another point was to have something like a registry for
>> the material generated. This
>>    would avoid two instances to use the same material. What
>> about this? Is this a good or
>>    bad idea? How can we achieve this, if it is a good idea?
>>
>> - procedural advises (Sam, Lars this is why you are CCed)
>>    Currently this document is an individual submission. How
>> can it be progressed? Should
>>    it be taken to a WG? Which one? SCTP (including SCTP-AUTH)
>> is handled in TSVWG and
>>    TLS is handled in the TLS WG. I'm not sure where DTLS was
>> handled, if it was handled in
>>    any WG.
>>
>> I think having DTLS for SCTP is important because it is
>> needed by anyone using SCTP with PR-SCTP or unordered
>> delivery and wanting to have a TLS like security solution.
>> IPFIX is one example.
>>
>> Best regards
>> Michael
>>
>>
>>
>>
>> _______________________________________________
>> TLS mailing list
>> TLS@lists.ietf.org
>> https://www1.ietf.org/mailman/listinfo/tls
>>
>


_______________________________________________
TLS mailing list
TLS@lists.ietf.org
https://www1.ietf.org/mailman/listinfo/tls