Re: [TLS] Summarizing identity change discussion so far

Peter Saint-Andre <stpeter@stpeter.im> Fri, 18 December 2009 02:54 UTC

Return-Path: <stpeter@stpeter.im>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 4C6323A6A26 for <tls@core3.amsl.com>; Thu, 17 Dec 2009 18:54:39 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id de8R1J5CW26V for <tls@core3.amsl.com>; Thu, 17 Dec 2009 18:54:38 -0800 (PST)
Received: from stpeter.im (stpeter.im [207.210.219.233]) by core3.amsl.com (Postfix) with ESMTP id 5C48D3A68B8 for <tls@ietf.org>; Thu, 17 Dec 2009 18:54:38 -0800 (PST)
Received: from leavealone.cisco.com (72-163-0-129.cisco.com [72.163.0.129]) (Authenticated sender: stpeter) by stpeter.im (Postfix) with ESMTPSA id 63B6F40332; Thu, 17 Dec 2009 19:54:23 -0700 (MST)
Message-ID: <4B2AEEDE.1040402@stpeter.im>
Date: Thu, 17 Dec 2009 19:54:22 -0700
From: Peter Saint-Andre <stpeter@stpeter.im>
User-Agent: Thunderbird 2.0.0.23 (Macintosh/20090812)
MIME-Version: 1.0
To: mrex@sap.com
References: <200912172347.nBHNlT3s026032@fs4113.wdf.sap.corp>
In-Reply-To: <200912172347.nBHNlT3s026032@fs4113.wdf.sap.corp>
X-Enigmail-Version: 0.96.0
OpenPGP: url=http://www.saint-andre.com/me/stpeter.asc
Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="sha1"; boundary="------------ms060904060305050008000704"
Cc: tls@ietf.org
Subject: Re: [TLS] Summarizing identity change discussion so far
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 18 Dec 2009 02:54:39 -0000

On 12/17/09 4:47 PM, Martin Rex wrote:

> If a design expects certificate renewal to be necessary
> (either short lived-certs or long-lived connections) then it is
> imperative that the application performs a full re-authentication
> when the identity changes during renegotiation.

Agreed. FWIW, our text about this in draft-ietf-xmpp-3920bis currently
reads as follows (this does not yet talk about identity changes, so
we'll need to address that case as well -- e.g., the certificate might
have been replaced by a new one before the old one expired, but the data
in the cert might be different):

###

14.2.2.3. Checking of Certificates in Long-Lived Streams

   Because XMPP uses long-lived XML streams, it is possible that a
   certificate presented during stream negotiation might expire or be
   revoked while the stream is still live (this is especially relevant
   in the context of server-to-server streams).  Therefore, each party
   to a long-lived stream SHOULD:

   1.  Cache the expiration date of the certificate presented by the
       other party and any certificates on which that certificate
       depends (such as a root or intermediate certificate for a
       certification authority), and terminate the stream when any such
       certificate expires.
   2.  Periodically query the Online Certificate Status Protocol [OCSP]
       responder listed in the Authority Information Access (AIA)
       extension of the certificate presented by the other party and any
       certificates on which that certificate depends (such as a root or
       intermediate certificate for a certification authority), and
       terminate the stream if any such certificate has been revoked.

###

/psa