Re: [TLS] First TLS cached information draft posted
Min Huang <huangmin123@huaweisymantec.com> Wed, 10 June 2009 06:59 UTC
Return-Path: <huangmin123@huaweisymantec.com>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id EAA233A6933 for <tls@core3.amsl.com>; Tue, 9 Jun 2009 23:59:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pGBZGd3KQzMg for <tls@core3.amsl.com>; Tue, 9 Jun 2009 23:59:42 -0700 (PDT)
Received: from mta2.huaweisymantec.com (mta2.huaweisymantec.com [218.17.155.15]) by core3.amsl.com (Postfix) with ESMTP id D8F8F3A659C for <tls@ietf.org>; Tue, 9 Jun 2009 23:59:41 -0700 (PDT)
MIME-version: 1.0
Content-transfer-encoding: 7bit
Content-type: text/plain; charset="us-ascii"
Received: from hstml01-in.huaweisymantec.com ([172.26.3.42]) by hstga02-in.huaweisymantec.com (Sun Java(tm) System Messaging Server 6.3-8.03 (built Apr 24 2009; 32bit)) with ESMTP id <0KL00086QGRH7R10@hstga02-in.huaweisymantec.com> for tls@ietf.org; Wed, 10 Jun 2009 14:59:41 +0800 (CST)
Received: from h00104745 ([10.27.154.144]) by hstml01-in.huaweisymantec.com (Sun Java(tm) System Messaging Server 6.3-8.03 (built Apr 24 2009; 32bit)) with ESMTPA id <0KL000CGBGREES10@hstml01-in.huaweisymantec.com> for tls@ietf.org; Wed, 10 Jun 2009 14:59:41 +0800 (CST)
From: Min Huang <huangmin123@huaweisymantec.com>
To: simon@josefsson.org
Date: Wed, 10 Jun 2009 14:59:38 +0800
Message-id: <001901c9e999$05678bf0$909a1b0a@china.huawei.com>
X-Mailer: Microsoft Office Outlook 11
X-MIMEOLE: Produced By Microsoft MimeOLE V6.00.2900.3350
Thread-index: AcnpmQUPyeIL+L8CQ8a08xgkj0dS+w==
X-Mailman-Approved-At: Wed, 10 Jun 2009 06:20:29 -0700
Cc: tls@ietf.org
Subject: Re: [TLS] First TLS cached information draft posted
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 10 Jun 2009 06:59:43 -0000
Hi,Simon This "heuristic" determination works well in most scenarioes, but the client still be confused in some specific cases. I think adding a type-specific tag as you mentioned is a doable method, and it can solve the problems by now. And if we will construct a type-specific tag, the new "datasize" field in CachedInformationHash is still necessary? It seems not necessary any more. It can be a policy conformed by the client when caching data or sending a CachedObject. regards, Min >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> simon wrote: Here is a modified idea. Replace the CachedInformationHash with this structure: struct { HashAlgorithm hash; uint32 datasize; /* NEW. Size of hashed data. MUST be >= 4 * hashsize(hash) */ opaque hash_value<0..255>; } CachedInformationHash; The server respond by indicating whether it supports cached data in principle, but defers until later in the handshake to decide whether to replace data or not. This addresses Martin's concern. Then add text to say that datasize MUST be >= 4 * hashsize(hash) where hashsize is the hash output size, i.e., 20 for SHA-1. Smaller objects cannot be cached with this extension. The server can decide, when constructing later handshake packets, whether to replace the generated data with a hash or not. Typically, the server would generate the data as normal. Then if the client provided a cache extension type for the object, it will compare a hash of the generated data with the hash provided by the client. If they match, it will send the CachedInformationHash value instead of the generated data. The client parses the response, and can by looking at the size of each object decide whether it is a hash or real data. This runs into a problem if the server instead of returning a hash returned data that was considerably smaller than the value cached by the client. The client could then be confused whether the returned data is real data or a hash value. A type-specific tag could be constructed here -- for both certificate_list and certificate_authorities it could be some invalid ASN.1 followed by the CachedInformationHash. This is a compromise, but it seems difficult to solve both Martin's concern and my concern that clients needs to reliably be able to decode incoming data. Better ideas welcome. /Simon
- Re: [TLS] First TLS cached information draft post… Stefan Santesson
- Re: [TLS] First TLS cached information draft post… Simon Josefsson
- Re: [TLS] First TLS cached information draft post… Stefan Santesson
- Re: [TLS] First TLS cached information draft post… Martin Rex
- [TLS] First TLS cached information draft posted Stefan Santesson
- Re: [TLS] First TLS cached information draft post… Simon Josefsson
- Re: [TLS] First TLS cached information draft post… Stefan Santesson
- Re: [TLS] First TLS cached information draft post… Stefan Santesson
- Re: [TLS] First TLS cached information draft post… Simon Josefsson
- Re: [TLS] First TLS cached information draft post… Simon Josefsson
- Re: [TLS] First TLS cached information draft post… Simon Josefsson
- Re: [TLS] First TLS cached information draft post… Simon Josefsson
- Re: [TLS] First TLS cached information draft post… Martin Rex
- Re: [TLS] First TLS cached information draft post… Simon Josefsson
- Re: [TLS] First TLS cached information draft post… Martin Rex
- Re: [TLS] First TLS cached information draft post… Simon Josefsson
- Re: [TLS] First TLS cached information draft post… Martin Rex
- Re: [TLS] First TLS cached information draft post… Martin Rex
- Re: [TLS] First TLS cached information draft post… Simon Josefsson
- Re: [TLS] First TLS cached information draft post… Simon Josefsson
- Re: [TLS] First TLS cached information draft post… Simon Josefsson
- Re: [TLS] First TLS cached information draft post… Min Huang
- Re: [TLS] First TLS cached information draft post… Min Huang
- Re: [TLS] First TLS cached information draft post… Simon Josefsson
- Re: [TLS] First TLS cached information draft post… Martin Rex
- Re: [TLS] First TLS cached information draft post… Simon Josefsson
- Re: [TLS] First TLS cached information draft post… Stefan Santesson
- Re: [TLS] First TLS cached information draft post… Stefan Santesson
- Re: [TLS] First TLS cached information draft post… Stefan Santesson
- Re: [TLS] First TLS cached information draft post… Stefan Santesson
- Re: [TLS] First TLS cached information draft post… Martin Rex
- Re: [TLS] First TLS cached information draft post… Martin Rex
- Re: [TLS] First TLS cached information draft post… Stefan Santesson
- Re: [TLS] First TLS cached information draft post… Stefan Santesson