Re: [TLS] Comments on TLS identity protection
<home_pw@msn.com> Mon, 25 December 2006 23:25 UTC
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1GyzC8-0000bt-1b; Mon, 25 Dec 2006 18:25:24 -0500
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1GyzC6-0000bP-At for tls@ietf.org; Mon, 25 Dec 2006 18:25:22 -0500
Received: from bay0-omc1-s28.bay0.hotmail.com ([65.54.246.100]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1GyzC4-0002VK-Ls for tls@ietf.org; Mon, 25 Dec 2006 18:25:22 -0500
Received: from hotmail.com ([65.54.174.80]) by bay0-omc1-s28.bay0.hotmail.com with Microsoft SMTPSVC(6.0.3790.2668); Mon, 25 Dec 2006 15:25:20 -0800
Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC; Mon, 25 Dec 2006 15:25:20 -0800
Message-ID: <BAY103-DAV8FA947A1BC907392C46DB92C20@phx.gbl>
Received: from 69.227.152.254 by BAY103-DAV8.phx.gbl with DAV; Mon, 25 Dec 2006 23:25:17 +0000
X-Originating-IP: [69.227.152.254]
X-Originating-Email: [home_pw@msn.com]
X-Sender: home_pw@msn.com
From: home_pw@msn.com
To: martin.rex@sap.com, ekr@networkresonance.com
References: <200612192307.AAA25601@uw1048.wdf.sap.corp>
Subject: Re: [TLS] Comments on TLS identity protection
Date: Tue, 26 Dec 2006 10:34:33 -0800
MIME-Version: 1.0
Content-Type: text/plain; format="flowed"; charset="iso-8859-1"; reply-type="original"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Windows Live Mail desktop 8.0.1223
X-MimeOLE: Produced By Microsoft MimeOLE V8.0.1223
X-OriginalArrivalTime: 25 Dec 2006 23:25:20.0200 (UTC) FILETIME=[F18D3480:01C7287B]
X-Spam-Score: 2.5 (++)
X-Scan-Signature: e1e48a527f609d1be2bc8d8a70eb76cb
Cc: tls@ietf.org
X-BeenThere: tls@lists.ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.lists.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@lists.ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/tls>
List-Post: <mailto:tls@lists.ietf.org>
List-Help: <mailto:tls-request@lists.ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@lists.ietf.org?subject=subscribe>
Errors-To: tls-bounces@lists.ietf.org
> When the server-requested renegotiation is application triggered, > as in the Microsoft IIS case, then the server better caches the > result along with the SSL session. > > Microsoft IIS has a silly (performance-wasting) bug, where a client that > does either not have a client cert or does not show one (and requiring > the application to perform application level client authentication) > is continously forced through the renegotiation when the client > tries to resume the session from the session cache on a new connection. This is not a bug. It is an explicitly permitted state within the SSL v3 conformance/state. Upon request, a client MAY send a client cert. What happens if it doesn't, is server policy. The handshake protocol affects session state. Session resumption (a poorly named procedure) affects connection state, only. Where a client cert is used for user auth purpose(in e.g. https) we have a situation that is different to a client cert being used to merely authenticate an T-connect peer. Whether the user app intended a previous user auth to be applied to a new connection is not specified in the "designers" rendition of the https protocol. That is, its up to the implementation of https, by intent. The implementation of Netscape-https is very different to that of IE-https (and MSFT's wininet.dll's default https,for wininet consumers that are not IE) By definition http over SSL is https. Nothing more is stated. each https designer specifies their own "usage profile". Netscape-browsers have their concept for sharing hypermedia-state across TLSconnections, client side, and assured OS have theirs. Its that simple. There is no right or wrong, bug or not-bug. > > -Martin > > _______________________________________________ > TLS mailing list > TLS@lists.ietf.org > https://www1.ietf.org/mailman/listinfo/tls > _______________________________________________ TLS mailing list TLS@lists.ietf.org https://www1.ietf.org/mailman/listinfo/tls
- [TLS] Comments on TLS identity protection Eric Rescorla
- Re: [TLS] Comments on TLS identity protection Eric Rescorla
- Re: [TLS] Comments on TLS identity protection Martin Rex
- Re: [TLS] Comments on TLS identity protection Martin Rex
- Re: [TLS] Comments on TLS identity protection badra
- Re: [TLS] Comments on TLS identity protection Eric Rescorla
- Re: [TLS] Comments on TLS identity protection Kyle Hamilton
- Re: [TLS] Comments on TLS identity protection Eric Rescorla
- Re: [TLS] Comments on TLS identity protection Martin Rex
- Re: [TLS] Comments on TLS identity protection badra
- RE: [TLS] Comments on TLS identity protection Peter Williams
- Re: [TLS] Comments on TLS identity protection Eric Rescorla
- RE: [TLS] Comments on TLS identity protection Peter Williams
- RE: [TLS] Comments on TLS identity protection Peter Williams
- Re: [TLS] Comments on TLS identity protection badra
- RE: [TLS] Comments on TLS identity protection Pasi.Eronen
- Re: [TLS] Comments on TLS identity protection badra
- RE: [TLS] Comments on TLS identity protection Pasi.Eronen
- Re: [TLS] Comments on TLS identity protection Bodo Moeller
- Re: [TLS] Comments on TLS identity protection badra
- RE: [TLS] Comments on TLS identity protection Pasi.Eronen
- Re: [TLS] Comments on TLS identity protection badra
- RE: [TLS] Comments on TLS identity protection Pasi.Eronen
- Re: [TLS] Comments on TLS identity protection Eric Rescorla
- RE: [TLS] Comments on TLS identity protection Peter Williams
- Re: [TLS] Comments on TLS identity protection badra
- Re: [TLS] Comments on TLS identity protection Eric Rescorla
- Re: [TLS] Comments on TLS identity protection badra
- Re: [TLS] Comments on TLS identity protection Martin Rex
- Re: [TLS] Comments on TLS identity protection Badra
- Re: [TLS] Comments on TLS identity protection Omirjan Batyrbaev
- Re: [TLS] Comments on TLS identity protection home_pw
- Re: [TLS] Comments on TLS identity protection home_pw
- Re: [TLS] Comments on TLS identity protection EKR
- Re: [TLS] Comments on TLS identity protection home_pw
- Re: [TLS] Comments on TLS identity protection home_pw
- Re: [TLS] Comments on TLS identity protection Martin Rex
- RE: [TLS] Comments on TLS identity protection Peter Williams
- Re: [TLS] Comments on TLS identity protection EKR
- Re: [TLS] Comments on TLS identity protection Martin Rex
- Re: [TLS] Comments on TLS identity protection home_pw
- Re: [TLS] Comments on TLS identity protection EKR
- Re: [TLS] Comments on TLS identity protection home_pw
- Re: [TLS] Comments on TLS identity protection EKR
- Re: [TLS] Comments on TLS identity protection home_pw