Re: [TLS] First TLS cached information draft posted
Martin Rex <Martin.Rex@sap.com> Tue, 16 June 2009 15:55 UTC
Return-Path: <Martin.Rex@sap.com>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 82E623A6D7F for <tls@core3.amsl.com>; Tue, 16 Jun 2009 08:55:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.249
X-Spam-Level:
X-Spam-Status: No, score=-6.249 tagged_above=-999 required=5 tests=[AWL=-0.000, BAYES_00=-2.599, HELO_EQ_DE=0.35, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id DY0IlOUr8GVv for <tls@core3.amsl.com>; Tue, 16 Jun 2009 08:55:11 -0700 (PDT)
Received: from smtpde01.sap-ag.de (smtpde01.sap-ag.de [155.56.68.171]) by core3.amsl.com (Postfix) with ESMTP id 6F9B43A6915 for <tls@ietf.org>; Tue, 16 Jun 2009 08:55:11 -0700 (PDT)
Received: from mail.sap.corp by smtpde01.sap-ag.de (26) with ESMTP id n5GFsrBe015527 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Tue, 16 Jun 2009 17:54:53 +0200 (MEST)
From: Martin Rex <Martin.Rex@sap.com>
Message-Id: <200906161554.n5GFsqxv008514@fs4113.wdf.sap.corp>
To: stefan@aaa-sec.com
Date: Tue, 16 Jun 2009 17:54:52 +0200
In-Reply-To: <C65D7F91.2A72%stefan@aaa-sec.com> from "Stefan Santesson" at Jun 16, 9 04:57:53 pm
MIME-Version: 1.0
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 8bit
X-Scanner: Virus Scanner virwal05
X-SAP: out
Cc: simon@josefsson.org, tls@ietf.org
Subject: Re: [TLS] First TLS cached information draft posted
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
Reply-To: martin.rex@sap.com
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 16 Jun 2009 15:55:12 -0000
Stefan, Stefan Santesson wrote: > > I don't like the extra complexity of the proposed structure and I fail to > see the problem of recognizing the hash as replacement of data. > > First of all, the worse case scenario if everything fails miserably and > client mistake a hash for real data or the other way around, is a failed > handshake. > > This is followed by a normal handshake where the client will reset it's cash > for that server. > > This safe fallback allows us to accept reasonable risk of failure. > > Now, how hard is it to recognize a hash as replacement for cashed data and > what is the risk of collision? I agree that probability of an accidental exact match (length and value) between a hash value over previous real data and the representation of new real data after a config change of the server is EXTREMELY low. Personally, I it consider it negligable. I do not agree with the reasoning about the recovery -- a requirement to close a communcation channel entirely and restart from scratch is something that is likely going to break a lot of apps (I wish it did not, but unfortunately, it does). Designing the protocol in a robust fashion so that there is no abiguitiy, and unnecessary risks of failure are avoided, is usually a sensible thing to do. I personally do not think we have such a risk here, it is more about clean architecture and avoiding heuristics in a protocol parser. Since I am no real TLS implementor myself, I do not have any personal preference on whether or not to use an extra framing, and want to leave the discussion and in particular the decision to the author and those implementors who intend to implement this extension and those that are familiar with the requirement of small/constrained clients or low-bandwidth connections that expect a benefit from using this extension. -Martin
- Re: [TLS] First TLS cached information draft post… Stefan Santesson
- Re: [TLS] First TLS cached information draft post… Simon Josefsson
- Re: [TLS] First TLS cached information draft post… Stefan Santesson
- Re: [TLS] First TLS cached information draft post… Martin Rex
- [TLS] First TLS cached information draft posted Stefan Santesson
- Re: [TLS] First TLS cached information draft post… Simon Josefsson
- Re: [TLS] First TLS cached information draft post… Stefan Santesson
- Re: [TLS] First TLS cached information draft post… Stefan Santesson
- Re: [TLS] First TLS cached information draft post… Simon Josefsson
- Re: [TLS] First TLS cached information draft post… Simon Josefsson
- Re: [TLS] First TLS cached information draft post… Simon Josefsson
- Re: [TLS] First TLS cached information draft post… Simon Josefsson
- Re: [TLS] First TLS cached information draft post… Martin Rex
- Re: [TLS] First TLS cached information draft post… Simon Josefsson
- Re: [TLS] First TLS cached information draft post… Martin Rex
- Re: [TLS] First TLS cached information draft post… Simon Josefsson
- Re: [TLS] First TLS cached information draft post… Martin Rex
- Re: [TLS] First TLS cached information draft post… Martin Rex
- Re: [TLS] First TLS cached information draft post… Simon Josefsson
- Re: [TLS] First TLS cached information draft post… Simon Josefsson
- Re: [TLS] First TLS cached information draft post… Simon Josefsson
- Re: [TLS] First TLS cached information draft post… Min Huang
- Re: [TLS] First TLS cached information draft post… Min Huang
- Re: [TLS] First TLS cached information draft post… Simon Josefsson
- Re: [TLS] First TLS cached information draft post… Martin Rex
- Re: [TLS] First TLS cached information draft post… Simon Josefsson
- Re: [TLS] First TLS cached information draft post… Stefan Santesson
- Re: [TLS] First TLS cached information draft post… Stefan Santesson
- Re: [TLS] First TLS cached information draft post… Stefan Santesson
- Re: [TLS] First TLS cached information draft post… Stefan Santesson
- Re: [TLS] First TLS cached information draft post… Martin Rex
- Re: [TLS] First TLS cached information draft post… Martin Rex
- Re: [TLS] First TLS cached information draft post… Stefan Santesson
- Re: [TLS] First TLS cached information draft post… Stefan Santesson