Re: [TLS] Summarizing identity change discussion so far

[Nelson B Bolyard <nelson@bolyard.me>]

On 2009-12-17 23:27 PST, Joseph Salowey (jsalowey) wrote:
> I share the opinion that identity checking belongs in the application,
> performed according to whatever mechanism is appropriate.  We should not
> be mandating any particular PKIX processing in the TLS specs. 
> 
> I also think if an application is not prepared to be aware of
> renegotiation and handle any identity change associated with it then
> renegotiation should be disabled.  This implies that renegotiation
> should be disabled by default and specifically enabled by an
> application.  So I would say
> 
> "TLS implementations SHOULD disable renegotiation by default and offer
> the applications the option to enable renegotiation.  When an
> application enables renegotiation it must handle identity processing for
> each handshake."

With my Idealist hat on, I agree with that 100%.  But after 13.25 years
of working on SSL/TLS libraries, I know that 98+% of the app developers
who use TLS have no idea what that means or how to do it.  IMO, they are
likely to just call a function for each handshake that does the same
thing as for the first handshake, validating the cert chain and (if we're
lucky) checking that some aspect of the cert contains some expected name,
without any regard to what prior certificates may have contained.

So, IMO, it makes sense of TLS implementations to offer some sort of
"default" handling of certs to attempt to ensure continuity of identity
in the absence of something much better from the application.  I'd
suggest that, unless the applications direct them to do otherwise, perhaps
by registering some callback, TLS implementations should check that the
cert in a renegotiation is the same one as in the previous full handshake,
either by memcmp of the entire cert, or by memcmp of the subject name and
subjectAltName (if any).   Anything less will ensure that most apps continue
to get this wrong, IMO.