IETF Logo Mail Archive

Re: [TLS] matching identity, by default

Martin Rex <mrex@sap.com> Fri, 04 December 2009 01:54 UTC

Return-Path: <mrex@sap.com>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id B75A03A6842 for <tls@core3.amsl.com>; Thu, 3 Dec 2009 17:54:31 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.193
X-Spam-Level:
X-Spam-Status: No, score=-6.193 tagged_above=-999 required=5 tests=[AWL=0.056, BAYES_00=-2.599, HELO_EQ_DE=0.35, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1UubjUgJxjSY for <tls@core3.amsl.com>; Thu, 3 Dec 2009 17:54:30 -0800 (PST)
Received: from smtpde01.sap-ag.de (smtpde01.sap-ag.de [155.56.68.171]) by core3.amsl.com (Postfix) with ESMTP id 9A8263A67B4 for <tls@ietf.org>; Thu, 3 Dec 2009 17:54:30 -0800 (PST)
Received: from mail.sap.corp by smtpde01.sap-ag.de (26) with ESMTP id nB41sJOj027647 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Fri, 4 Dec 2009 02:54:19 +0100 (MET)
From: Martin Rex <mrex@sap.com>
Message-Id: <200912040154.nB41sIt2029221@fs4113.wdf.sap.corp>
To: marsh@extendedsubset.com
Date: Fri, 04 Dec 2009 02:54:18 +0100
In-Reply-To: <4B1861E1.90204@extendedsubset.com> from "Marsh Ray" at Dec 3, 9 07:12:01 pm
MIME-Version: 1.0
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 8bit
X-Scanner: Virus Scanner virwal05
X-SAP: out
Cc: tls@ietf.org, james@manger.com.au
Subject: Re: [TLS] matching identity, by default
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
Reply-To: mrex@sap.com
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 04 Dec 2009 01:54:31 -0000

Marsh Ray wrote:
> 
> > The TLS renegotiation vulnerability allowed to pass along the
> > TLS endpoint during renegotiation freely, an in particular to
> > unsuspecting TLS peers.
> > 
> > The secure renegotiation will ensure that the endpoint of
> > a renegotiated TLS session will be tied securely to the
> > endpoints of the enclosing TLS session.
> 
> Yes, it will be possible for authentication credentials/certificates to
> change. That's one of the primary purposes of renegotiation.
>
> It ensures continuity-of-identity of the client and server across all
> the [unnamed things between handshakes] on the connection.

I'm sorry, but these two things are mutually exclusive.
The TLS renegotiation fix addresses only the TLS endpoint thing,
it does absolutely nothing about the identities.


continuity-of-identity is _ONLY_ possible if you lock down the
certificates of the peers during renegotiation.  That is _not_
part of the TLS renegotiation fix.

Any notion of identity related to attributes in the certificate that
was used to carry the public key around is out-of-scope for TLS.
Two certs that differ in at least one bit refer to seperate
identies, as far as TLS is concerned.

It may be that an application considers a Server certificate for
CN=www.foo.com issued by VeriSign and another one with the
same CN=www.foo.com issued by GlobalSign to be interchangeable,
but they _DEFINITELY_ are completely different identities.

If you have an end user cert and a renewed end user cert
(same public key, same CA, but different validity), then
these might refer to the same Identity in your PKI, but
for TLS these are definitely distinct identities.


-Martin

v2.23.0 | Report a Bug | By Email