IETF Logo Mail Archive

Re: [TLS] draft-ietf-tls-cached-info-14

mrex@sap.com (Martin Rex) Wed, 10 April 2013 14:08 UTC

Return-Path: <mrex@sap.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4B8F921F97EF for <tls@ietfa.amsl.com>; Wed, 10 Apr 2013 07:08:10 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.249
X-Spam-Level:
X-Spam-Status: No, score=-10.249 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HELO_EQ_DE=0.35, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0gE1Xo9oCn4U for <tls@ietfa.amsl.com>; Wed, 10 Apr 2013 07:08:09 -0700 (PDT)
Received: from smtpde01.sap-ag.de (smtpde01.sap-ag.de [155.56.68.170]) by ietfa.amsl.com (Postfix) with ESMTP id 86DA021F97E5 for <tls@ietf.org>; Wed, 10 Apr 2013 07:08:09 -0700 (PDT)
Received: from mail05.wdf.sap.corp by smtpde01.sap-ag.de (26) with ESMTP id r3AE819j012808 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Wed, 10 Apr 2013 16:08:01 +0200 (MEST)
In-Reply-To: <op.wvakl2sk3dfyax@killashandra.invalid.invalid>
To: "Yngve N. Pettersen" <yngve@spec-work.net>
Date: Wed, 10 Apr 2013 16:08:01 +0200
X-Mailer: ELM [version 2.4ME+ PL125 (25)]
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="US-ASCII"
Message-Id: <20130410140801.B0BB41A6A1@ld9781.wdf.sap.corp>
From: mrex@sap.com
X-SAP: out
Cc: tls@ietf.org
Subject: Re: [TLS] draft-ietf-tls-cached-info-14
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
Reply-To: mrex@sap.com
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 10 Apr 2013 14:08:10 -0000

Yngve N. Pettersen wrote:
> 
> My advice: Keep cache lists for each server separate from the lists used  
> for other servers. That does not mean that the client cannot optimize  
> storage by combining the storage for each entry in the list, though. There  
> is too much chance of guessing wrong about what the server should know  
> based on what the client knows.

I agree with Yngve that it would be a terribly bad idea for TLS clients
to announcing hashes of cached OCSP responses from other sources than
a prior TLS handshake with the _exact_same_server_ .

The concept of the caching mechanism is to cache data from a previous
TLS handshake.  Mixing in data from other sources is going to cause
hardly predictable behaviour *AND* is going to leak information that
ought not to be leaked (and may occasionally create a security problem
"side channel").

The only thing that might be acceptable, is a means for the client to
indicate "don't send me that information at all".  The client could
always omit the OCSP response extension (single and multi) from the
TLS ClientHello, if it so desires (e.g. in a renegotiation handshake,
if the client would also abort on a change of the server certificate).

But even then, when the "I already have this information" is the result
of TLS handshakes with another server, the result would be a side channel
leaking information -- so TLS clients need to be careful here!

-Martin

v2.23.0 | Report a Bug | By Email