Re: [TLS] Last Call: draft-ietf-tls-rfc4366-bis (Transport Layer Security (TLS) Extensions: Extension Definitions) to Proposed Standard

Eric Rescorla <ekr@networkresonance.com> Wed, 23 September 2009 19:07 UTC

Return-Path: <ekr@networkresonance.com>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id DD2183A6924; Wed, 23 Sep 2009 12:07:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.656
X-Spam-Level:
X-Spam-Status: No, score=-1.656 tagged_above=-999 required=5 tests=[AWL=0.943, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id EYYnqtgMWowK; Wed, 23 Sep 2009 12:07:37 -0700 (PDT)
Received: from romeo.rtfm.com (romeo.rtfm.com [74.95.2.173]) by core3.amsl.com (Postfix) with ESMTP id 0BC9E3A68C5; Wed, 23 Sep 2009 12:07:37 -0700 (PDT)
Received: from romeo.rtfm.com (localhost.rtfm.com [127.0.0.1]) by romeo.rtfm.com (Postfix) with ESMTP id E59F350822; Wed, 23 Sep 2009 12:08:30 -0700 (PDT)
Date: Wed, 23 Sep 2009 12:08:30 -0700
From: Eric Rescorla <ekr@networkresonance.com>
To: Dean Anderson <dean@av8.com>
In-Reply-To: <Pine.LNX.4.44.0909231500110.8840-100000@citation2.av8.net>
References: <87ab0lskpf.fsf@mocca.josefsson.org> <Pine.LNX.4.44.0909231500110.8840-100000@citation2.av8.net>
User-Agent: Wanderlust/2.14.0 (Africa) Emacs/22.3 Mule/5.0 (SAKAKI)
MIME-Version: 1.0 (generated by SEMI 1.14.6 - "Maruoka")
Content-Type: text/plain; charset=US-ASCII
Message-Id: <20090923190830.E59F350822@romeo.rtfm.com>
Cc: Simon Josefsson <simon@josefsson.org>, ietf@ietf.org, tls@ietf.org
Subject: Re: [TLS] Last Call: draft-ietf-tls-rfc4366-bis (Transport Layer Security (TLS) Extensions: Extension Definitions) to Proposed Standard
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 23 Sep 2009 19:07:38 -0000

At Wed, 23 Sep 2009 15:04:00 -0400 (EDT),
Dean Anderson wrote:
> 
> Is that insecure?
> 
> If the client is authorized by certificate, then it seems that it has 
> that identity in addition to any application level identities.
> 
> The only insecurity is if the certifiate private key has been
> compromised, which isn't something that TLS can protect against.
> 
> One problem with using TLS for virtual web hosts is that the server
> names cannot match the single name allowed in the certificate.  I don't
> want to see that get worse; I'd like to see it get better.

The server_name extension [RFC 4366] allows this.

-Ekr