Re: [TLS] Comments on TLS identity protection
badra@isima.fr Tue, 19 December 2006 23:10 UTC
Date: Wed, 20 Dec 2006 00:12:13 +0100
Subject: Re: [TLS] Comments on TLS identity protection
From: badra@isima.fr
To: EKR <ekr@networkresonance.com>
Cc: tls@ietf.org
Hi Eric,

> Yes, but I don't think this really explains why the certificate
> needs to be kept secret or why the double handshake technique isn't
> good enough.

IMHO, WiMAX and wireless network operators that use certificate-based TLS have an interest in providing an identity-hiding model like that of GSM and UMTS. I CCed Joe Salowey, who could have more arguments regarding certificate hiding in WLAN and WiMAX using TLS.

> The attacker performs a MITM attack with a valid certificate.
> The TLS implementation completes the handshake and then prompts
> the application to verify the certificate's identity against
> the intended identity. This fails, but by this time the client
> has already provided his certificate.

Thank you. It is clear to me now. However, sentences will be added to the Security Considerations, in order for the client to check its understanding of the server hostname against the server's identity as presented in the server Certificate message.

Best regards,
Badra
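The ordering problem in the quoted attack, modelled as an added example (not code from the thread or any TLS implementation): the client Certificate message is sent after the server Certificate but before the handshake completes, so a hostname check done by the application only after the handshake cannot prevent the disclosure, whereas a check made by the TLS layer when the server Certificate arrives aborts before the client identity is sent. Server names, the client identity string and the message labels are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import List, Optional

@dataclass
class Server:
    cert_subject: str              # name in the server's valid, CA-signed certificate
    request_client_cert: bool = True

@dataclass
class Transcript:
    messages: List[str] = field(default_factory=list)
    client_cert_sent: bool = False   # True once the client identity has been disclosed
    completed: bool = False
    error: Optional[str] = None

def client_handshake(server: Server, expected_host: str, client_identity: str,
                     hostname_check_in_handshake: bool) -> Transcript:
    """Client-side view of the TLS 1.1 handshake message flow.

    hostname_check_in_handshake=True: the TLS layer compares the server
    Certificate with the intended hostname as soon as it is received.
    False: the TLS layer only validates the chain and leaves the hostname
    check to the application after the handshake (the pattern in the thread).
    """
    t = Transcript()
    t.messages += ["ClientHello", "ServerHello",
                   f"Certificate(subject={server.cert_subject})"]
    if hostname_check_in_handshake and server.cert_subject != expected_host:
        t.error = "hostname mismatch: handshake aborted before client Certificate"
        return t                       # nothing about the client has been revealed
    if server.request_client_cert:
        t.messages.append("CertificateRequest")
    t.messages.append("ServerHelloDone")
    if server.request_client_cert:
        # The client identity leaves the client here, before Finished.
        t.messages.append(f"Certificate(client={client_identity})")
        t.client_cert_sent = True
    t.messages.append("ClientKeyExchange")
    if t.client_cert_sent:
        t.messages.append("CertificateVerify")
    t.messages += ["Finished", "Finished"]
    t.completed = True
    if server.cert_subject != expected_host:
        # Too late: the application check fails only after the disclosure.
        t.error = "application hostname check failed after handshake"
    return t
```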