Re: [TLS] TLS-OBC proposal

Nikos Mavrogiannopoulos <> Sun, 04 September 2011 17:30 UTC

Date: Sun, 04 Sep 2011 19:32:20 +0200
From: Nikos Mavrogiannopoulos <>
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>

On 09/04/2011 06:42 PM, Anders Rundgren wrote:

> If I OTOH have go the session-stuff wrong, please just ignore my
> ignorant comments.  FWIW, I have developed an app-level CCA
> (Client-Certificate Authentication) mechanism derived from the
> numerous proprietary solutions out there.
> If you come up with a generic solution, I will gladly retire it!
> Traditional TLS-CCA sucks, and logout is by no means "a subtle UI
> problem"; it goes to the core.

The problem is layer mixing. I believe you understand that TLS
authentication is about authentication of the TLS session and not the
HTTP session, which is on a layer above. If you naively use TLS
authentication for HTTP authentication, you get the issues current
applications face. TLS-OBC, as I understand it, ties the HTTP and TLS
certificate authentication together more closely to prevent the issues
currently seen. The advantage is that it re-uses the existing mechanisms.

I cannot read your approach in the XML file, but I understand that you
moved authentication to the application layer. This is an alternative
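The layer separation Nikos describes, as an added illustration written for this page (it is not code from the thread, from the TLS-OBC draft, or from any implementation): the HTTP-layer session is issued as a cookie bound to the fingerprint of the TLS client certificate the connection was authenticated with, so the cookie is honoured only on a connection presenting that same certificate, while logout discards the HTTP session and leaves the TLS session alone. The server key, the in-memory session store and the "DER" certificate bytes are constructed stand-ins; a real deployment would take the certificate from the TLS layer and keep the store server-side.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional

# Assumed server-side MAC key (constructed for this example; not a real secret).
SERVER_KEY = b"example-server-key-for-illustration-only"

# Hypothetical in-memory session store: session_id -> bound certificate fingerprint.
_sessions: Dict[str, str] = {}


def cert_fingerprint(der_cert: bytes) -> str:
    """SHA-256 over the DER-encoded client certificate presented on the TLS connection."""
    return hashlib.sha256(der_cert).hexdigest()


def _tag(session_id: str, fingerprint: str) -> str:
    """HMAC over (session_id, fingerprint) so a cookie cannot be re-bound to another cert."""
    msg = f"{session_id}.{fingerprint}".encode()
    return hmac.new(SERVER_KEY, msg, "sha256").hexdigest()


def issue_session(der_cert: bytes) -> str:
    """Create an HTTP-layer session bound to the TLS client certificate.

    Returns the cookie value "session_id.tag"; the fingerprint itself stays server-side.
    """
    session_id = secrets.token_hex(16)
    fingerprint = cert_fingerprint(der_cert)
    _sessions[session_id] = fingerprint
    return f"{session_id}.{_tag(session_id, fingerprint)}"


def validate_session(cookie: str, der_cert: Optional[bytes]) -> bool:
    """Accept the cookie only if it was issued by us, has not been logged out,
    and arrives on a TLS connection authenticated with the certificate it is bound to."""
    if der_cert is None:
        return False  # no TLS client authentication on this connection
    try:
        session_id, tag = cookie.split(".", 1)
    except ValueError:
        return False
    fingerprint = _sessions.get(session_id)
    if fingerprint is None:
        return False  # unknown session, or logged out at the HTTP layer
    if not hmac.compare_digest(tag, _tag(session_id, fingerprint)):
        return False  # cookie tampered with or forged
    # The HTTP session is only valid over the TLS session it was bound to.
    return hmac.compare_digest(fingerprint, cert_fingerprint(der_cert))


def logout(cookie: str) -> None:
    """Logout is an HTTP-layer action: forget the session; the TLS connection may stay up."""
    session_id = cookie.split(".", 1)[0]
    _sessions.pop(session_id, None)


def demo() -> Dict[str, bool]:
    """Walk through the cases a practitioner cares about with constructed certificate bytes."""
    alice_cert = b"constructed DER bytes standing in for Alice's origin-bound certificate"
    mallory_cert = b"constructed DER bytes standing in for Mallory's certificate"

    cookie = issue_session(alice_cert)
    last = cookie[-1]
    tampered = cookie[:-1] + ("0" if last != "0" else "1")

    results = {
        "same_cert": validate_session(cookie, alice_cert),
        "stolen_cookie_other_cert": validate_session(cookie, mallory_cert),
        "no_client_auth": validate_session(cookie, None),
        "tampered_cookie": validate_session(tampered, alice_cert),
    }
    logout(cookie)
    # The TLS session is untouched, yet the HTTP session no longer exists.
    results["after_logout_same_cert"] = validate_session(cookie, alice_cert)
    return results


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'accepted' if ok else 'rejected'}")
```

The point of the exercise is the split of responsibilities: the TLS layer answers "which key is on the other end of this connection", the HTTP layer answers "is there a logged-in session for that key", and only the latter needs to change on logout. Binding to a fingerprint of whatever certificate the client presented is a simplification; it is enough to show why a cookie lifted from one connection is useless on another.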