Re: [TLS] COMMENT: draft-ietf-tls-renegotiation

Nicolas Williams <Nicolas.Williams@sun.com> Tue, 15 December 2009 23:47 UTC

Date: Tue, 15 Dec 2009 17:32:09 -0600
From: Nicolas Williams <Nicolas.Williams@sun.com>
To: Nelson Bolyard <nelson@bolyard.me>
Message-ID: <20091215233208.GF1516@Sun.COM>
References: <20091214191959.427A53A6A27@core3.amsl.com> <4B269153.9070701@tau.ac.il> <4B27B9DF.1020300@extendedsubset.com> <4B27C647.2060008@stpeter.im> <4B2818BF.507@bolyard.me>
In-Reply-To: <4B2818BF.507@bolyard.me>
Cc: Ran Canetti <canetti@tau.ac.il>, iesg@ietf.org, tls@ietf.org
Subject: Re: [TLS] COMMENT: draft-ietf-tls-renegotiation

On Tue, Dec 15, 2009 at 03:16:15PM -0800, Nelson Bolyard wrote:
> Peter Saint-Andre wrote:
> > I think the question Russ raised is: just how fundamental is TLS
> > renegotiation? And the answer so far seems to be: some deployments seem
> > to use it, but it might not be fundamental.
> 
> I believe it is very heavily used in business-to-business https transactions
> including so-called intranet transactions, where parts of a web site require
> different authentication than the rest.

Oddly enough, I found out today that an important OpenSolaris component
depends on it: the subscription-based software repository known as the
"extra" repo.  (The OpenSolaris IPS packaging system is layered above
HTTP.  The extra repo requires user authentication with certs in order
to obtain the contents of packages in that repository.)

Not surprisingly this affects my stance on the issue.  Not because the
affected technology is my employer's (or important to me) as much as
because it is a good example of how such applications might arise,
therefore an indicator that there may be many more like it.  It is
clearly simpler (well, for most TLS libraries, given their APIs) to fix
re-negotiation than to fix all such applications.

Nico
--