Re: [TLS] draft-rescorla-tls-renegotiate and MITM resistance
Marsh Ray <marsh@extendedsubset.com> Tue, 10 November 2009 18:01 UTC
Return-Path: <marsh@extendedsubset.com>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id B0C413A6B5B for <tls@core3.amsl.com>; Tue, 10 Nov 2009 10:01:46 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.478
X-Spam-Level:
X-Spam-Status: No, score=-2.478 tagged_above=-999 required=5 tests=[AWL=0.121, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id lMIIK9FZIk3Z for <tls@core3.amsl.com>; Tue, 10 Nov 2009 10:01:45 -0800 (PST)
Received: from mho-01-ewr.mailhop.org (mho-01-ewr.mailhop.org [204.13.248.71]) by core3.amsl.com (Postfix) with ESMTP id DAFA53A6B5C for <tls@ietf.org>; Tue, 10 Nov 2009 10:01:45 -0800 (PST)
Received: from xs01.extendedsubset.com ([69.164.193.58]) by mho-01-ewr.mailhop.org with esmtpa (Exim 4.68) (envelope-from <marsh@extendedsubset.com>) id 1N7v2i-000C0h-Nk; Tue, 10 Nov 2009 18:02:12 +0000
Received: from [127.0.0.1] (localhost [127.0.0.1]) by xs01.extendedsubset.com (Postfix) with ESMTP id D91CD6678; Tue, 10 Nov 2009 18:02:10 +0000 (UTC)
X-Mail-Handler: MailHop Outbound by DynDNS
X-Originating-IP: 69.164.193.58
X-Report-Abuse-To: abuse@dyndns.com (see http://www.dyndns.com/services/mailhop/outbound_abuse.html for abuse reporting information)
X-MHO-User: U2FsdGVkX1+mCnn7FQbhfC4N59CRxTbaAuHR4zRu/+o=
Message-ID: <4AF9AA9E.8030603@extendedsubset.com>
Date: Tue, 10 Nov 2009 12:02:06 -0600
From: Marsh Ray <marsh@extendedsubset.com>
User-Agent: Thunderbird 2.0.0.23 (Windows/20090812)
MIME-Version: 1.0
To: Nicolas Williams <Nicolas.Williams@sun.com>
References: <006FEB08D9C6444AB014105C9AEB133FB36A4EBF03@il-ex01.ad.checkpoint.com> <200911092152.nA9LqVkW000963@fs4113.wdf.sap.corp> <20091109223417.GK1105@Sun.COM> <4AF8E755.5020208@extendedsubset.com> <20091110164609.GS1105@Sun.COM>
In-Reply-To: <20091110164609.GS1105@Sun.COM>
X-Enigmail-Version: 0.96.0
OpenPGP: id=1E36DBF2
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
Cc: tls@ietf.org
Subject: Re: [TLS] draft-rescorla-tls-renegotiate and MITM resistance
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 10 Nov 2009 18:01:46 -0000
Nicolas Williams wrote: > On Mon, Nov 09, 2009 at 10:08:53PM -0600, Marsh Ray wrote: > > TLS connections are not so long lived But there is no defined upper limit. > that we should worry about issues > such as, for example, public key rollover or certificate expiration > during a connection's lifetime. I agree, but we should probably check that it's documented somewhere. > Therefore a simple Certificate octet- > for-octet comparison will do for identity comparison. Anything more > complicated than that (and anon->non-anon) would make Martin's proposal > too unqieldy to consider at this point, and possibly ever. So this restriction would not apply when another auth type is used? >> Isn't that one of the major uses of renegotiation? To change identity? > > But only from anonymous to non-anonymous, right? That's also easy to > specify. One subtlety is that apps (https servers) are still expecting the transition to preserve some guarantees about identity. Even though the first session is "anonymous" it still has an identity, namely it has to be the same party as all previous non-anonymous sessions on the same connection. The proposed Renegotiation Indication extension attempts to enforce those guarantees, but I'm not sure it's so easy to specify that it shouldn't be given a lot of thought. (Consider what happens when you add various combinations of resumption into the mix.) > Ordering cipher suites by strength is a complex > topic that I'd rather avoid for the specific enhancement that Martin > proposes. Perhaps ordering levels of authentication is equally complex. >> Would that make it illegal to resume a previous session over the same >> underlying connection if it could not be proven it was "the same" identity? > > There's no authentication during session resumption handshakes -- > there's only proving that both peers remember the relevant state, > including master secret. Isn't proving "I'm the same as that other guy" a form of authentication? Surely this will be allowed: |--- session A anon ---||-- resumed A --| Is this allowed? |--- session A anon ---| |--- session B anon ---||-- resumed A --| I have heard that browsers may do this. >> What if the session's identity were strengthened? Could you end up in a >> situation where a session could be resumed on any of several other >> connections except the one on which it originated! > > I'm not sure I follow. See above. 1 |--- session A anon ---||-- session B client cert auth --| 2 |--- session C anon -----| 3 |--- session D anon -----------| 4 |--- session E anon -----| Would an effect of the proposal be that session A can be resumed on connections (2, 3, 4) but not 1? - Marsh
- [TLS] draft-rescorla-tls-renegotiate and MITM res… Yair Elharrar
- Re: [TLS] draft-rescorla-tls-renegotiate and MITM… Yoav Nir
- Re: [TLS] draft-rescorla-tls-renegotiate and MITM… Marsh Ray
- Re: [TLS] draft-rescorla-tls-renegotiate and MITM… Yoav Nir
- Re: [TLS] draft-rescorla-tls-renegotiate and MITM… Dr Stephen Henson
- Re: [TLS] draft-rescorla-tls-renegotiate and MITM… Yair Elharrar
- Re: [TLS] draft-rescorla-tls-renegotiate and MITM… Yoav Nir
- Re: [TLS] draft-rescorla-tls-renegotiate and MITM… Martin Rex
- Re: [TLS] draft-rescorla-tls-renegotiate and MITM… Martin Rex
- Re: [TLS] draft-rescorla-tls-renegotiate and MITM… Nicolas Williams
- Re: [TLS] draft-rescorla-tls-renegotiate and MITM… David-Sarah Hopwood
- Re: [TLS] draft-rescorla-tls-renegotiate and MITM… David-Sarah Hopwood
- Re: [TLS] draft-rescorla-tls-renegotiate and MITM… Yair Elharrar
- Re: [TLS] draft-rescorla-tls-renegotiate and MITM… Martin Rex
- Re: [TLS] draft-rescorla-tls-renegotiate and MITM… Yngve N. Pettersen (Developer Opera Software ASA)
- Re: [TLS] draft-rescorla-tls-renegotiate and MITM… Marsh Ray
- Re: [TLS] draft-rescorla-tls-renegotiate and MITM… Yoav Nir
- Re: [TLS] draft-rescorla-tls-renegotiate and MITM… Martin Rex
- Re: [TLS] draft-rescorla-tls-renegotiate and MITM… Marsh Ray
- Re: [TLS] draft-rescorla-tls-renegotiate and MITM… Nicolas Williams
- Re: [TLS] draft-rescorla-tls-renegotiate and MITM… Marsh Ray
- Re: [TLS] draft-rescorla-tls-renegotiate and MITM… David-Sarah Hopwood
- Re: [TLS] draft-rescorla-tls-renegotiate and MITM… Michael D'Errico
- Re: [TLS] draft-rescorla-tls-renegotiate and MITM… Nicolas Williams
- Re: [TLS] draft-rescorla-tls-renegotiate and MITM… Marsh Ray
- Re: [TLS] draft-rescorla-tls-renegotiate and MITM… Nicolas Williams
- Re: [TLS] draft-rescorla-tls-renegotiate and MITM… Steve Dispensa
- Re: [TLS] draft-rescorla-tls-renegotiate and MITM… Martin Rex
- Re: [TLS] draft-rescorla-tls-renegotiate and MITM… David-Sarah Hopwood
- Re: [TLS] draft-rescorla-tls-renegotiate and MITM… Martin Rex
- Re: [TLS] draft-rescorla-tls-renegotiate and MITM… Martin Rex
- Re: [TLS] draft-rescorla-tls-renegotiate and MITM… Peter Saint-Andre
- Re: [TLS] draft-rescorla-tls-renegotiate and MITM… Marsh Ray
- Re: [TLS] draft-rescorla-tls-renegotiate and MITM… Yoav Nir
- Re: [TLS] To API or not Bill Frantz
- Re: [TLS] draft-rescorla-tls-renegotiate and MITM… Martin Rex
- Re: [TLS] draft-rescorla-tls-renegotiate and MITM… Michael D'Errico
- Re: [TLS] draft-rescorla-tls-renegotiate and MITM… Martin Rex
- [TLS] RC4+3DES rekeying - long-lived TLS connecti… Martin Rex
- Re: [TLS] RC4+3DES rekeying - long-lived TLS conn… David-Sarah Hopwood
- Re: [TLS] RC4+3DES rekeying - long-lived TLS conn… Peter Saint-Andre