IETF Logo Mail Archive

Re: [TLS] Call for Consensus on removal of renegotiation

Brian Hamon <B.Hamon@F5.com> Thu, 26 June 2014 21:19 UTC

Return-Path: <B.Hamon@f5.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7C8751B2F2C for <tls@ietfa.amsl.com>; Thu, 26 Jun 2014 14:19:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.552
X-Spam-Level:
X-Spam-Status: No, score=-7.552 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, RP_MATCHES_RCVD=-0.651, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id E4eA2RHQw1nA for <tls@ietfa.amsl.com>; Thu, 26 Jun 2014 14:18:59 -0700 (PDT)
Received: from mail.f5.com (mail.f5.com [208.85.209.139]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A994A1B2F14 for <tls@ietf.org>; Thu, 26 Jun 2014 14:18:59 -0700 (PDT)
X-IronPort-AV: E=Sophos;i="4.97,830,1389744000"; d="scan'208";a="119746832"
X-IPAS-Result: AqQEADD7RVPAqArr/2dsb2JhbABQCYNBV7xBHYc1gTd0giUBAQEBAwEBARodNAsMBAIBCBEEAQEBChQJBycLFAkIAgQBDQUIE4duzBATBI4RKjEHBoMegRQElHGZX4Ir
Received: from oracle-apps.f5net.com (HELO exchmail.f5net.com) ([192.168.10.235]) by seamgw02.olympus.f5net.com with ESMTP; 26 Jun 2014 21:19:00 +0000
Received: from SEAEMBX02.olympus.F5Net.com ([fe80::a5e3:d11c:e46a:e7c7]) by seaecas02.olympus.F5Net.com ([::1]) with mapi id 14.03.0181.006; Thu, 26 Jun 2014 14:18:58 -0700
From: Brian Hamon <B.Hamon@F5.com>
To: "mrex@sap.com" <mrex@sap.com>, "Joseph Salowey (jsalowey)" <jsalowey@cisco.com>
Thread-Topic: [TLS] Call for Consensus on removal of renegotiation
Thread-Index: AQHPkKQi2ibdHwQZAU+UoLazXGbTxJuCn8+AgAAVNgCAATV4AP//97oQ
Date: Thu, 26 Jun 2014 21:18:58 +0000
Message-ID: <CE5218A410D7774BA10C7A54F8BB4D305EBAC9@SEAEMBX02.olympus.F5Net.com>
References: <B7430912-46B8-49DD-85EC-00FC5BC3B8D3@cisco.com> <20140626143044.F3B0C1AD68@ld9781.wdf.sap.corp>
In-Reply-To: <20140626143044.F3B0C1AD68@ld9781.wdf.sap.corp>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [192.168.16.236]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/RwJpKe_G8EdpJQi8B0YFPbxJM_g
Cc: "<tls@ietf.org>" <tls@ietf.org>
Subject: Re: [TLS] Call for Consensus on removal of renegotiation
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 26 Jun 2014 21:19:01 -0000

Over the past week, I've been watching for an answer to the question posed regarding how we deal with the situation where the server must examine some Application Data messages in order to determine whether client authentication is required.

Presently, this situation is handled by allowing an unauthenticated client to send some Application Data, then if client authentication is required, it will send a HelloRequest, starting renegotiation. During the subsequent handshake, the server sends a CertificateRequest and drops the connection if the client fails to authenticate and authorize.

I've seen the following concerns raised with this approach:

1) How does the client authentication persist (or not persist) in the face of session resumption?

2) If the answer to #1 is that yes, the authentication persists, then does the most-recently-supplied identity replace or aggregate with previous identities presented in the same session?

I worked through a number of possible alternatives where we separate client authentication completely from the handshake, and I think the solution lies down this path; however, before digging into those details, let me ask for the group's consensus on the two questions posed above.

I would argue that session resumption should revert the client's identity back to "unauthenticated". This avoids a lot of the complicated workarounds required for #2.


-----Original Message-----
From: TLS [mailto:tls-bounces@ietf.org] On Behalf Of Martin Rex
Sent: Thursday, June 26, 2014 7:31 AM
To: Joseph Salowey (jsalowey)
Cc: <tls@ietf.org>
Subject: Re: [TLS] Call for Consensus on removal of renegotiation

Joseph Salowey (jsalowey) wrote:
> 
> 1.  In favor of removing renegotiation 2.  In favor of removing 
> renegotiation with the addition of rekey facility 3.  Not in favor of 
> removing renegotiation
 

(3) Leave it in the spec,  Make it a true option for implementors.
    with a guidance that clients might need it for interop, but should
    play safe (and nail down identities once they're established) by default


I never offered/exposed renegotiation at the API to application callers, and since January 2010, I have the server-side reject renegotiation attempts from clients.  But the installed base of _other_ servers that use (or require) it is to large to be ignored, and I don't see it go away that easily...

Everything that you change from TLSv1.0/1/2 toward v1.3 will add complexity and require more code.  This applies not just to adding new features, but also to axing existing features that may be in current use.

A TLSv1.3 spec that requires implementors to carefully avoid TLSv1.3 for a number of commonly used TLSv1.0/1/2 features may be even harder to sell than TLSv1.2 and IPv6.


-Martin

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls

v2.23.0 | Report a Bug | By Email