Re: [TLS] draft-rescorla-tls-renegotiate and MITM resistance

Marsh Ray <marsh@extendedsubset.com> Tue, 10 November 2009 04:08 UTC

Message-ID: <4AF8E755.5020208@extendedsubset.com>
Date: Mon, 09 Nov 2009 22:08:53 -0600
From: Marsh Ray <marsh@extendedsubset.com>
To: Nicolas Williams <Nicolas.Williams@sun.com>
In-Reply-To: <20091109223417.GK1105@Sun.COM>
Cc: tls@ietf.org

Nicolas Williams wrote:
> On Mon, Nov 09, 2009 at 10:52:31PM +0100, Martin Rex wrote:
>> I wish there was a constraint that an identity/certificate that has
>> been established for a party during the TLS handshake MUST not change
>> during re-negotiation,

Hmm, few questions about that plan:

Is this currently a defined concept in TLS: equivalence of identity?

Isn't that one of the major uses of renegotiation? To change identity?
That seems to be the entire point of the observed cases of renegotiation
in https. Even if the only case we know of is a transition from an
anonymous identity to a client-certified one, such a new constraint
seems a bit pointless and likely to break someone.

Perhaps you want to allow identities to be "strengthened" but not
"weakened". Is this another new concept in TLS: are identities required
to be partially- or fully-ordered?

It's starting to sound like that question about ciphersuites being
ordered according to strength.

Would that make it illegal to resume a previous session over the same
underlying connection if it could not be proven it was "the same" identity?

What if the session's identity were strengthened? Could you end up in a
situation where a session could be resumed on any of several other
connections except the one on which it originated!

- Marsh