Re: [TLS] matching identity, by default

Stephen Farrell <stephen.farrell@cs.tcd.ie> Tue, 01 December 2009 14:38 UTC

Message-ID: <4B152A4C.9070702@cs.tcd.ie>
To: James Manger <james@manger.com.au>
References: <C2329F9D-F5EF-4E8B-9EE8-ED246D7B7287@manger.com.au>
In-Reply-To: <C2329F9D-F5EF-4E8B-9EE8-ED246D7B7287@manger.com.au>
Cc: tls@ietf.org

James Manger wrote:
> I strongly support the consistent identity check in the Security Considerations section of draft-ietf-tls-renegotiation-01.

Fair enough.

> There may be some niche uses of TLS for which changing an identity during renegotiation makes sense. That is adequately supported by the last paragraph in the Security Considerations: "A TLS library MAY provide a means for the application to allow identity and/or server_name changes across renegotiations...". However, for 99.9...% of TLS uses an identity changing during renegotiation will be totally unexpected by the higher-layer application and can only cause problems.

I'd buy that.

> A few people have argued that the consistent identity check is a separate issue that should not be addressed now. I don't think that is a fair characterisation. 

I'm not sure what you mean by "characterisation."

My point was simply that this *is* a different issue from the
renegotiation bug, that we're fixing that bug in "emergency"
mode and that we therefore shouldn't change *anything* else
whilst in that mode.

To give one example - RFC 2712 says how to use Kerberos with
TLS. (I've no idea if that's really in use.) The text in -01
doesn't say how to handle that, but does have a MUST on
no-change. That could break something. I don't want to hold
the bug fix while we figure that out.

I just think it's safer to do this later with some other draft
that UPDATEs 5246.

Stephen.
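The consistent identity check that James describes, as an added example that is not part of this email, of the draft, or of any TLS library: a model of the per-connection state a library could keep so that a renegotiation presenting a different server certificate or server_name is rejected by default, with the application opt-in corresponding to the draft's MAY. TLSConnection, renegotiate and the byte-string "certificates" are constructed for illustration and stand in for real DER data.

```python
from dataclasses import dataclass
from typing import Optional
import hashlib


class IdentityChangedError(Exception):
    """A renegotiation tried to change the server identity or server_name."""


def cert_fingerprint(cert_der: bytes) -> str:
    """SHA-256 over the certificate bytes. The 'certificates' fed in below are
    constructed byte strings standing in for DER, not real X.509 data."""
    return hashlib.sha256(cert_der).hexdigest()


@dataclass
class TLSConnection:
    """Per-connection state a library would keep to enforce the check (hypothetical)."""
    allow_identity_change: bool = False   # the application opt-in (the draft's MAY)
    server_cert: Optional[str] = None     # fingerprint from the last handshake
    server_name: Optional[str] = None     # server_name from the last handshake
    handshakes: int = 0                   # 1 = initial handshake, >1 = renegotiations

    def handshake(self, server_cert: bytes, server_name: str) -> None:
        """Complete a handshake; on renegotiation, compare identities first."""
        new_cert = cert_fingerprint(server_cert)
        if self.handshakes > 0 and not self.allow_identity_change:
            if new_cert != self.server_cert:
                raise IdentityChangedError(
                    f"server certificate changed: {self.server_cert[:16]} -> {new_cert[:16]}")
            if server_name != self.server_name:
                raise IdentityChangedError(
                    f"server_name changed: {self.server_name!r} -> {server_name!r}")
        # Only commit the new state once the check has passed, so a rejected
        # renegotiation leaves the original identity in place.
        self.server_cert, self.server_name = new_cert, server_name
        self.handshakes += 1


def renegotiate(conn: TLSConnection, server_cert: bytes, server_name: str) -> bool:
    """Attempt a renegotiation; True if accepted, False if rejected by the check."""
    try:
        conn.handshake(server_cert, server_name)
        return True
    except IdentityChangedError:
        return False
```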