Re: [TLS] TLS-OBC proposal

Nikos Mavrogiannopoulos <nmav@gnutls.org> Sun, 04 September 2011 17:30 UTC

Message-ID: <4E63B624.4090509@gnutls.org>
Date: Sun, 04 Sep 2011 19:32:20 +0200
From: Nikos Mavrogiannopoulos <nmav@gnutls.org>
To: tls@ietf.org
References: <CADHfa2AMOeShxH_k5ZEB3DUVJAnOqvZmLMg5Yz8smtBDGkQsNg@mail.gmail.com> <4E63AA87.5070602@telia.com>
In-Reply-To: <4E63AA87.5070602@telia.com>

On 09/04/2011 06:42 PM, Anders Rundgren wrote:

> If I OTOH have got the session stuff wrong, please just ignore my
> ignorant comments.  FWIW, I have developed an app-level CCA
> (Client-Certificate Authentication) mechanism derived from the
> numerous proprietary solutions out there.
> http://code.google.com/p/openkeystore/source/browse/trunk/library/src/org/webpki/wasp/webauth.xsd
>
> If you come up with a generic solution, I will gladly retire it!
> Traditional TLS-CCA sucks, and logout is by no means "a subtle UI
> problem"; it goes to the core.

The problem is layer mixing. I believe you understand that TLS
authentication is about authentication of the TLS session and not the
HTTP session, which is on a layer above. If you naively use the TLS
authentication for HTTP authentication, you have the issues current
applications face. TLS-OBC, as I understand it, better ties the HTTP and
TLS certificate authentication together to prevent the issues currently
seen. The advantage is that it re-uses the existing mechanisms.

I cannot read your approach in the xml file, but I understand that you
moved authentication to the application layer. This is an alternative
approach.

regards,
Nikos
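The layer-mixing point above, as an added illustration (example code, not from this thread, the TLS-OBC draft, or GnuTLS). It contrasts the naive scheme, where the HTTP user is simply whoever the TLS session authenticated, with an HTTP-layer session that is bound to the TLS channel identity. The assumptions are that the TLS layer hands the application the DER bytes of the authenticated client certificate (for TLS-OBC, the client's self-signed origin-bound certificate), and that the channel identity is a SHA-256 hash of that certificate; the certificates and the user names are constructed stand-ins.

```python
"""Binding an HTTP session to the TLS channel that created it.

Added example, not code from the mailing-list thread or the TLS-OBC draft.
Assumptions: the TLS layer exposes the DER-encoded client certificate to
the application; the client certificates below are constructed byte strings
standing in for real DER.
"""
import hashlib
import secrets

# Constructed client certificates (stand-ins for DER-encoded certs).
CERT_ALICE_LAPTOP = b"constructed-der:alice-laptop-origin-bound-cert"
CERT_ALICE_PHONE = b"constructed-der:alice-phone-origin-bound-cert"


def channel_id(client_cert_der: bytes) -> str:
    """Channel identity: SHA-256 of the certificate the TLS layer authenticated."""
    return hashlib.sha256(client_cert_der).hexdigest()


class NaiveCertAuth:
    """Layer mixing: the HTTP user *is* whoever the TLS session authenticated.

    Nothing at the HTTP layer can end that login; only tearing down the TLS
    session would, which is why logout "goes to the core" in this model.
    """

    def __init__(self):
        self.users_by_cert = {}  # channel id -> user

    def enroll(self, user: str, client_cert_der: bytes) -> None:
        self.users_by_cert[channel_id(client_cert_der)] = user

    def user_for_request(self, client_cert_der: bytes):
        # Every request over an authenticated TLS session is a logged-in request.
        return self.users_by_cert.get(channel_id(client_cert_der))

    def logout(self, client_cert_der: bytes) -> bool:
        # There is no HTTP-layer session to end; the next request over the
        # same TLS session is authenticated again.  False records "no effect".
        return False


class ChannelBoundSessions:
    """HTTP session state kept at the HTTP layer, with each session bound to
    the channel identity it was created on (the TLS-OBC idea)."""

    def __init__(self):
        self.sessions = {}  # session id -> (user, channel id)

    def login(self, user: str, client_cert_der: bytes) -> str:
        sid = secrets.token_hex(16)
        self.sessions[sid] = (user, channel_id(client_cert_der))
        return sid  # sent to the client as the session cookie

    def user_for_request(self, sid: str, client_cert_der: bytes):
        entry = self.sessions.get(sid)
        if entry is None:
            return None  # unknown, expired or logged-out session
        user, bound_channel = entry
        if bound_channel != channel_id(client_cert_der):
            return None  # cookie presented over a different TLS channel
        return user

    def logout(self, sid: str) -> bool:
        # Ending the HTTP session is an HTTP-layer operation; the TLS
        # session and the client certificate stay valid but no longer log
        # anyone in.
        return self.sessions.pop(sid, None) is not None


if __name__ == "__main__":
    naive = NaiveCertAuth()
    naive.enroll("alice", CERT_ALICE_LAPTOP)
    naive.logout(CERT_ALICE_LAPTOP)
    print("naive, after logout:", naive.user_for_request(CERT_ALICE_LAPTOP))

    bound = ChannelBoundSessions()
    sid = bound.login("alice", CERT_ALICE_LAPTOP)
    print("bound, same channel:", bound.user_for_request(sid, CERT_ALICE_LAPTOP))
    print("bound, other channel:", bound.user_for_request(sid, CERT_ALICE_PHONE))
    bound.logout(sid)
    print("bound, after logout:", bound.user_for_request(sid, CERT_ALICE_LAPTOP))
```

The second class is the property the thread is circling: a stolen cookie presented over a different TLS channel (a different client certificate) is rejected, and logout works at the HTTP layer without touching the TLS session, while the naive scheme has no logout at all because the login lives in the wrong layer.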