Re: [TLS] Quest for Unified Solution to TLS Renegotiation

Martin Rex <mrex@sap.com> Wed, 25 November 2009 22:06 UTC

From: Martin Rex <mrex@sap.com>
Message-Id: <200911252205.nAPM5uCQ027921@fs4113.wdf.sap.corp>
To: mike-list@pobox.com
Date: Wed, 25 Nov 2009 23:05:56 +0100
In-Reply-To: <4B0D9B94.9080205@pobox.com> from "Michael D'Errico" at Nov 25, 9 01:03:16 pm
MIME-Version: 1.0
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 8bit
Cc: tls@ietf.org
Subject: Re: [TLS] Quest for Unified Solution to TLS Renegotiation
Precedence: list
Reply-To: mrex@sap.com

Michael D'Errico wrote:
> 
> I think that it would be good to find a unified solution that
> everybody is happy with, and believe that this may be it:
> 
> 
>    1) Client-to-Server signalling can be done in either of
>       two ways:
> 
>       A) an empty Secure_Renegotiation (SR) extension, or
>       B) a "magic" cipher suite
> 
>    2) Server-to-Client signal is always an empty SR extension
> 
>    3) Incorporate previous verify_data into Finished calc.
> 
> 
> The particulars:
> 
> A client that currently sends any other extensions MUST also
> send the empty SR extension.
> 
> A client that currently does not send any extensions MAY send
> the empty SR extension, or MAY send the magic cipher suite.

A client MUST send the magic cipher suite.  A client that sends
any TLS extension SHOULD send the the emtpy SR extension as well.

The server MUST check for the presence of the magic ciphersuite
and MUST use secure renegotiation when present.  The server
SHOULD NOT complain of absence of SR extension when the
magic ciphersuite is present.

-Martin

[TLS] Quest for Unified Solution to TLS Renegotia… Michael D'Errico
Re: [TLS] Quest for Unified Solution to TLS Reneg… Marsh Ray
Re: [TLS] Quest for Unified Solution to TLS Reneg… Martin Rex
Re: [TLS] Quest for Unified Solution to TLS Reneg… Stefan Santesson
Re: [TLS] Quest for Unified Solution to TLS Reneg… Eric Rescorla
Re: [TLS] Quest for Unified Solution to TLS Reneg… Hovav Shacham
Re: [TLS] Quest for Unified Solution to TLS Reneg… Michael D'Errico
Re: [TLS] Quest for Unified Solution to TLS Reneg… Eric Rescorla
Re: [TLS] Quest for Unified Solution to TLS Reneg… Martin Rex
Re: [TLS] Quest for Unified Solution to TLS Reneg… Michael D'Errico
Re: [TLS] Quest for Unified Solution to TLS Reneg… Martin Rex
Re: [TLS] Quest for Unified Solution to TLS Reneg… Martin Rex
Re: [TLS] Quest for Unified Solution to TLS Reneg… Michael D'Errico
Re: [TLS] Quest for Unified Solution to TLS Reneg… David-Sarah Hopwood
Re: [TLS] Quest for Unified Solution to TLS Reneg… David-Sarah Hopwood
Re: [TLS] Quest for Unified Solution to TLS Reneg… David-Sarah Hopwood
Re: [TLS] Quest for Unified Solution to TLS Reneg… Martin Rex
Re: [TLS] Quest for Unified Solution to TLS Reneg… Martin Rex
Re: [TLS] Quest for Unified Solution to TLS Reneg… Yoav Nir
Re: [TLS] Quest for Unified Solution to TLS Reneg… David-Sarah Hopwood
Re: [TLS] Quest for Unified Solution to TLS Reneg… Martin Rex
Re: [TLS] Quest for Unified Solution to TLS Reneg… Blumenthal, Uri - 0662 - MITLL
Re: [TLS] Quest for Unified Solution to TLS Reneg… Blumenthal, Uri - 0662 - MITLL
Re: [TLS] Quest for Unified Solution to TLS Reneg… Martin Rex
Re: [TLS] Quest for Unified Solution to TLS Reneg… Blumenthal, Uri - 0662 - MITLL
Re: [TLS] Quest for Unified Solution to TLS Reneg… Marsh Ray
Re: [TLS] Quest for Unified Solution to TLS Reneg… David-Sarah Hopwood
Re: [TLS] Quest for Unified Solution to TLS Reneg… David-Sarah Hopwood
Re: [TLS] Quest for Unified Solution to TLS Reneg… Martin Rex
Re: [TLS] Quest for Unified Solution to TLS Reneg… Michael D'Errico
Re: [TLS] Quest for Unified Solution to TLS Reneg… David-Sarah Hopwood
Re: [TLS] Quest for Unified Solution to TLS Reneg… Martin Rex
Re: [TLS] Quest for Unified Solution to TLS Reneg… Michael D'Errico
Re: [TLS] Quest for Unified Solution to TLS Reneg… Martin Rex
Re: [TLS] Quest for Unified Solution to TLS Reneg… David-Sarah Hopwood
Re: [TLS] Quest for Unified Solution to TLS Reneg… Blumenthal, Uri - 0662 - MITLL
Re: [TLS] Quest for Unified Solution to TLS Reneg… David-Sarah Hopwood
Re: [TLS] Quest for Unified Solution to TLS Reneg… Stephen Farrell
Re: [TLS] Quest for Unified Solution to TLS Reneg… Yoav Nir
Re: [TLS] Quest for Unified Solution to TLS Reneg… Nelson B Bolyard
Re: [TLS] Quest for Unified Solution to TLS Reneg… Nelson B Bolyard
Re: [TLS] Quest for Unified Solution to TLS Reneg… Blumenthal, Uri - 0662 - MITLL
Re: [TLS] Quest for Unified Solution to TLS Reneg… Martin Rex
Re: [TLS] Quest for Unified Solution to TLS Reneg… David-Sarah Hopwood
Re: [TLS] Quest for Unified Solution to TLS Reneg… David-Sarah Hopwood
Re: [TLS] Quest for Unified Solution to TLS Reneg… Kyle Hamilton
Re: [TLS] Quest for Unified Solution to TLS Reneg… Eric Rescorla
Re: [TLS] Quest for Unified Solution to TLS Reneg… Blumenthal, Uri - 0662 - MITLL
Re: [TLS] Quest for Unified Solution to TLS Reneg… David-Sarah Hopwood