Re: [TLS] Re: when is it ok to resume a cached SSL/TLS session
<home_pw@msn.com> Tue, 16 January 2007 05:01 UTC
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1H6gRq-0008PZ-Ee; Tue, 16 Jan 2007 00:01:26 -0500
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1H6gRp-0008O5-Gg for tls@ietf.org; Tue, 16 Jan 2007 00:01:25 -0500
Received: from bay0-omc1-s8.bay0.hotmail.com ([65.54.246.80]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1H6gRn-00087F-5I for tls@ietf.org; Tue, 16 Jan 2007 00:01:25 -0500
Received: from hotmail.com ([65.55.131.20]) by bay0-omc1-s8.bay0.hotmail.com with Microsoft SMTPSVC(6.0.3790.2668); Mon, 15 Jan 2007 21:01:22 -0800
Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC; Mon, 15 Jan 2007 21:01:22 -0800
Message-ID: <BAY126-DAV106D61C9AA090BFC5FA26892B40@phx.gbl>
Received: from 70.142.20.165 by BAY126-DAV10.phx.gbl with DAV; Tue, 16 Jan 2007 05:01:20 +0000
X-Originating-IP: [70.142.20.165]
X-Originating-Email: [home_pw@msn.com]
X-Sender: home_pw@msn.com
From: home_pw@msn.com
To: Kyle Hamilton <aerowolf@gmail.com>
References: <20070115154600.A77285C01E@laser.networkresonance.com> <BAY126-DAV649C9E2DAC40983624F6292B50@phx.gbl> <86ac0ke02o.fsf@raman.networkresonance.com> <BAY126-DAV7527528284E612011A4A192B50@phx.gbl> <6b9359640701151745h711a1701xb0612dfc280e509@mail.gmail.com>
Subject: Re: [TLS] Re: when is it ok to resume a cached SSL/TLS session
Date: Mon, 15 Jan 2007 21:01:18 -0800
MIME-Version: 1.0
Content-Type: text/plain; format="flowed"; charset="utf-8"; reply-type="response"
Content-Transfer-Encoding: 8bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Windows Live Mail desktop 8.0.1223
X-MimeOLE: Produced By Microsoft MimeOLE V8.0.1223
X-OriginalArrivalTime: 16 Jan 2007 05:01:22.0602 (UTC) FILETIME=[5DF458A0:01C7392B]
X-Spam-Score: 0.2 (/)
X-Scan-Signature: 3e15cc4fdc61d7bce84032741d11c8e5
Cc: tls@ietf.org
X-BeenThere: tls@lists.ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.lists.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@lists.ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/tls>
List-Post: <mailto:tls@lists.ietf.org>
List-Help: <mailto:tls-request@lists.ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@lists.ietf.org?subject=subscribe>
Errors-To: tls-bounces@lists.ietf.org
> Which is why session resumption is an explicitly optional > construct. And, its why the protocol has an explicit no_renegotiation alert; just because the server ASKS for a renegotiate DOES NOT MEAN it gets it. Further, the client can assert user_cancelled, mid handshake and post-ServerHello anyways, even if the full handshake SHOULD proceed. --------- So, lets get down to text:- So, who is for the proposed wording change? If its what EVERYONE understands anyways, adding one clarification term (MUST) to the text quoted by Eric that governs this case ..is evidently going to have zero nay votes (I'll be abstaining). However, two class C students (me and the browser maker cited by Martin) will have been quite properly instructed. Right now, TLS WG is apparently asserting, in effect, that: When attempting to resume a session, a client SHOULD NOT send a no_renegotiate alert if a server proceeds to a full handshake (I.e. populates ServerHello with a non-zero value that is different to that in the ClientHello). Furthermore, the client SHOULD NOT send a user_canceled alert during such a full handshake should the endpoints proceed. Arguably, the WG is asserting the stronger form for both these conditions: MUST. I’ll offer a compromise here, note. IESG could say: if the client seeking session resumption receives a request to proceed with a full handshake , it MUST proceed with the handshake or it MUST immediately send either a no_renegotiation or a user_canceled alert. user_canceled simply means in this context: give me session resumption under the cited ciphersuite, or don’t bother. The server can send a hello-request if it invites the client to retry the sessionid, given it now has knowledge of the "insistence"; otherwise it just closes the TLS connection using the conventions of the bearer. Now, as a principle: Why the SSL application cares to do this is up to the designer of the application. In all cases, as the standard asserts: its never the business of SSL/TLS protocol layer to know or care WHY SSL applications open or close connections, or under what conditions. Its just a state machine that trundles along, doing its automata thing. Whether an SSL application such as https support a usable hypermedia or other web usage experience or not... requires evaluating https and the web client in question. _______________________________________________ TLS mailing list TLS@lists.ietf.org https://www1.ietf.org/mailman/listinfo/tls
- [TLS] Question on Stateless TLS Session Resumption Narayanan, Vidya
- Re: [TLS] Question on Stateless TLS Session Resum… Eric Rescorla
- Re: [TLS] Question on Stateless TLS Session Resum… Lakshminath Dondeti
- Re: [TLS] Question on Stateless TLS Session Resum… Eric Rescorla
- Re: [TLS] Question on Stateless TLS Session Resum… Lakshminath Dondeti
- Re: [TLS] Question on Stateless TLS Session Resum… Eric Rescorla
- Re: [TLS] Question on Stateless TLS Session Resum… Lakshminath Dondeti
- [TLS] when is it ok to resume a cached SSL/TLS se… Martin Rex
- [TLS] when is it ok to resume a cached SSL/TLS se… Martin Rex
- [TLS] Re: when is it ok to resume a cached SSL/TL… Eric Rescorla
- Re: [TLS] Re: when is it ok to resume a cached SS… home_pw
- Re: [TLS] Re: when is it ok to resume a cached SS… Eric Rescorla
- Re: [TLS] Re: when is it ok to resume a cached SS… home_pw
- Re: [TLS] Re: when is it ok to resume a cached SS… Eric Rescorla
- Re: [TLS] Re: when is it ok to resume a cached SS… home_pw
- Re: [TLS] Re: when is it ok to resume a cached SS… Eric Rescorla
- Re: [TLS] Re: when is it ok to resume a cached SS… Martin Rex
- Re: [TLS] Re: when is it ok to resume a cached SS… home_pw
- Re: [TLS] Re: when is it ok to resume a cached SS… Eric Rescorla
- Re: [TLS] Re: when is it ok to resume a cached SS… Martin Rex
- Re: [TLS] Re: when is it ok to resume a cached SS… home_pw
- Re: [TLS] Re: when is it ok to resume a cached SS… home_pw
- Re: [TLS] Re: when is it ok to resume a cached SS… home_pw
- Re: [TLS] Re: when is it ok to resume a cached SS… Kyle Hamilton
- Re: [TLS] Re: when is it ok to resume a cached SS… home_pw
- Re: [TLS] Re: when is it ok to resume a cached SS… Martin Rex
- RE: [TLS] Question on Stateless TLS Session Resum… Narayanan, Vidya
- Re: [TLS] when is it ok to resume a cached SSL/TL… Martin Rex