Re: [TLS] What would make TLS cryptographically better for TLS 1.3

Johannes Merkle <johannes.merkle@secunet.com> Tue, 05 November 2013 13:19 UTC

Return-Path: <Johannes.Merkle@secunet.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 18C6211E81F3 for <tls@ietfa.amsl.com>; Tue, 5 Nov 2013 05:19:04 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.538
X-Spam-Level:
X-Spam-Status: No, score=-3.538 tagged_above=-999 required=5 tests=[AWL=0.061, BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id p+rQZZ6iNfdn for <tls@ietfa.amsl.com>; Tue, 5 Nov 2013 05:18:52 -0800 (PST)
Received: from a.mx.secunet.com (a.mx.secunet.com [195.81.216.161]) by ietfa.amsl.com (Postfix) with ESMTP id 0C29311E8167 for <tls@ietf.org>; Tue, 5 Nov 2013 05:18:50 -0800 (PST)
Received: from localhost (alg1 [127.0.0.1]) by a.mx.secunet.com (Postfix) with ESMTP id CAE9A1A0075; Tue, 5 Nov 2013 14:18:47 +0100 (CET)
X-Virus-Scanned: by secunet
Received: from a.mx.secunet.com ([127.0.0.1]) by localhost (a.mx.secunet.com [127.0.0.1]) (amavisd-new, port 10024) with LMTP id 7ofSroQi8qqy; Tue, 5 Nov 2013 14:18:46 +0100 (CET)
Received: from mail-srv1.secumail.de (unknown [10.53.40.200]) by a.mx.secunet.com (Postfix) with ESMTP id B2A271A0071; Tue, 5 Nov 2013 14:18:44 +0100 (CET)
Received: from [10.208.1.57] ([10.208.1.57]) by mail-srv1.secumail.de with Microsoft SMTPSVC(6.0.3790.4675); Tue, 5 Nov 2013 14:18:44 +0100
Message-ID: <5278F039.2060404@secunet.com>
Date: Tue, 05 Nov 2013 14:18:49 +0100
From: Johannes Merkle <johannes.merkle@secunet.com>
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:24.0) Gecko/20100101 Thunderbird/24.1.0
MIME-Version: 1.0
To: Ralf Skyper Kaiser <skyper@thc.org>, mrex@sap.com
References: <CA+BZK2pZ=AFs5qw8dTbiV+s0KdSeFJH1-Z+UbaJZnQwHNgdXuA@mail.gmail.com> <20131105003652.5B7AF1AA54@ld9781.wdf.sap.corp> <CA+BZK2rG4L_+oMOQ3xBEogWNtrspeFM5cUJw9ciwtmEQpvgGjQ@mail.gmail.com>
In-Reply-To: <CA+BZK2rG4L_+oMOQ3xBEogWNtrspeFM5cUJw9ciwtmEQpvgGjQ@mail.gmail.com>
X-Enigmail-Version: 1.6
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
X-OriginalArrivalTime: 05 Nov 2013 13:18:44.0917 (UTC) FILETIME=[8DE0FE50:01CEDA29]
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] What would make TLS cryptographically better for TLS 1.3
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 05 Nov 2013 13:19:04 -0000

Ralf Skyper Kaiser schrieb am 05.11.2013 03:03:
> A securely configured TLS client would verify the certificate chain.
> 
> The server has no way to check if the TLS client is configured securely.
> The server blindly trusts the client that it is configured securely. That
> does not scale. Users make mistakes. Users will connect to a service not
> knowing that the connection is not secure (even over TLS) because they did
> not configure the TLS correctly.

I don't see the point. You are referring to a verification of the server's certificate by the client.
When a client identifies a server, what is the benefit for the server to ensure that the client performs the
identification in a proper way?

If the verification is not done properly by the client, the client may be susceptible to impersonation attacks on the
server side, i.e. may trust a malicious server pretending to be the honest server. If such a case occurs, i.e, if the
client has connected to a malicious server, what were the point in the honest server's checking the client's policy? In
such a case, the honest server is not even participating in the communication, and the malicious server, who is
participating in the communication, will certainly not insist on a strict client policy (not if he is a clever attacker,
at least).

So, what threat scenario is your requirement (of the server being able to verify the client's policy) addressing?

-- 
Johannes