IETF Logo Mail Archive

Re: [TLS] COMMENT: draft-ietf-tls-renegotiation

<Pasi.Eronen@nokia.com> Tue, 15 December 2009 09:41 UTC

Return-Path: <Pasi.Eronen@nokia.com>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id BFA5E3A697D; Tue, 15 Dec 2009 01:41:00 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.549
X-Spam-Level:
X-Spam-Status: No, score=-6.549 tagged_above=-999 required=5 tests=[AWL=0.050, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BK-DUKfKMdYD; Tue, 15 Dec 2009 01:41:00 -0800 (PST)
Received: from mgw-mx09.nokia.com (smtp.nokia.com [192.100.105.134]) by core3.amsl.com (Postfix) with ESMTP id F043A3A67DD; Tue, 15 Dec 2009 01:40:59 -0800 (PST)
Received: from vaebh105.NOE.Nokia.com (vaebh105.europe.nokia.com [10.160.244.31]) by mgw-mx09.nokia.com (Switch-3.3.3/Switch-3.3.3) with ESMTP id nBF9eUJG009198; Tue, 15 Dec 2009 03:40:45 -0600
Received: from vaebh102.NOE.Nokia.com ([10.160.244.23]) by vaebh105.NOE.Nokia.com with Microsoft SMTPSVC(6.0.3790.3959); Tue, 15 Dec 2009 11:40:41 +0200
Received: from smtp.mgd.nokia.com ([65.54.30.5]) by vaebh102.NOE.Nokia.com over TLS secured channel with Microsoft SMTPSVC(6.0.3790.3959); Tue, 15 Dec 2009 11:40:18 +0200
Received: from NOK-EUMSG-01.mgdnok.nokia.com ([65.54.30.86]) by nok-am1mhub-01.mgdnok.nokia.com ([65.54.30.5]) with mapi; Tue, 15 Dec 2009 10:40:17 +0100
From: Pasi.Eronen@nokia.com
To: DPKemp@missi.ncsc.mil
Date: Tue, 15 Dec 2009 10:40:16 +0100
Thread-Topic: [TLS] COMMENT: draft-ietf-tls-renegotiation
Thread-Index: Acp88pVXS8ladKwGSVWs8F1ytseEeAAAyHZwABzeJzA=
Message-ID: <808FD6E27AD4884E94820BC333B2DB774F31F16A04@NOK-EUMSG-01.mgdnok.nokia.com>
References: <20091214191959.427A53A6A27@core3.amsl.com> <200912142101.nBEL1Vle026550@stingray.missi.ncsc.mil>
In-Reply-To: <200912142101.nBEL1Vle026550@stingray.missi.ncsc.mil>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginalArrivalTime: 15 Dec 2009 09:40:18.0194 (UTC) FILETIME=[9CAB0720:01CA7D6A]
X-Nokia-AV: Clean
Cc: tls@ietf.org, iesg@ietf.org
Subject: Re: [TLS] COMMENT: draft-ietf-tls-renegotiation
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 15 Dec 2009 09:41:00 -0000

David P. Kemp wrote:
> Could a special-purpose identity protection handshake be defined in
> a manner that is both simpler and safer than full renegotiation?

A couple of years ago, there was a proposal to specify new cipher
suites that build identity protection into the handshake
(draft-hajjeh-tls-identity-protection), and a proposal that used
extensions (draft-urien-badra-eap-tls-identity-protection).

But these don't solve what's AFAIK the main use case for 
renegotiation today: a HTTPS server that doesn't know whether it 
needs client authentication or not until it sees the URL.

Of course, it is not impossible to solve this without renegotiation:
one obvious way would be HTTP 401 response + a new HTTP header that
means "please retry with TLS client authentication". (I haven't
really thought about this, so I'm not saying this would necessarily
be a good idea.)

Best regards,
Pasi
(not wearing any hats)

v2.23.0 | Report a Bug | By Email