Re: [TLS] Please discuss: draft-housley-evidence-extns-00<

Martin Rex <martin.rex@sap.com> Thu, 11 January 2007 18:19 UTC


Omirjan Batyrbaev wrote:
> 
> > Come on David; we can do better than this, as (secure) 
> > networking engineers.
> > 
> > Cookies are not used for session stickiness/persistence in 
> > https, or for failover prep, in HA internet data centers 
> > doing 1000-2000 simultaneous handshakes for https sessions. 
> > In layer 2 switched and layer 3 routed data centers (of 
> > which I've built 2, with teamed nics, redundant gateway 
> > convergence, deterministic convergence, etc ), it's the 
> > SSLv3 session id that is the "cookie" for controlling that 
> > path of the fragment through the switches. 
> 
> But what happens when the application session spans multiple session ids?

You lose (or the application loses).

The secretive security guys are as narrow-minded about
complex application design as some of us are narrow-minded
about the need for multi-level security.

Someone who thinks at EAL6+ security levels is not used
to multi-million LinesOfCode applications with annual
code growth rates around 10% that have a requirement
to perform a single "transaction" across several entirely
independent communication channels using independent protocol
abstractions crossing different middleware application components,
and being protected and (re-)authenticated by different
authentication technologies.

People like me try to provide some assurance that
all those separate communication streams ending
up in the same Application backend server are
protected and securely authenticated and in fact
belong to the same application session on the frontend
so that they can all have access to the same shared
session state in the backend.

Personally, I don't like such complex application design,
but it's not that anyone in the apps area would listen to me
and cut back on their ambitions.


But looking at the other TLS extensions in TLS v1.2, it
seems the number of different authentication technologies
is going straight up rather than settling down on a single
common scheme.

 
-Martin

_______________________________________________
TLS mailing list
TLS@lists.ietf.org
https://www1.ietf.org/mailman/listinfo/tls