Re: [TLS] TLS-OBC proposal
Wan-Teh Chang <wtc@google.com> Tue, 23 August 2011 23:38 UTC
Return-Path: <wtc@google.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 165B621F8BB2 for <tls@ietfa.amsl.com>; Tue, 23 Aug 2011 16:38:19 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -105.977
X-Spam-Level:
X-Spam-Status: No, score=-105.977 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 77yFRCk2xmBV for <tls@ietfa.amsl.com>; Tue, 23 Aug 2011 16:38:18 -0700 (PDT)
Received: from smtp-out.google.com (smtp-out.google.com [74.125.121.67]) by ietfa.amsl.com (Postfix) with ESMTP id 4FD9121F8B98 for <tls@ietf.org>; Tue, 23 Aug 2011 16:38:17 -0700 (PDT)
Received: from hpaq12.eem.corp.google.com (hpaq12.eem.corp.google.com [172.25.149.12]) by smtp-out.google.com with ESMTP id p7NNdLxv005103 for <tls@ietf.org>; Tue, 23 Aug 2011 16:39:21 -0700
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d=google.com; s=beta; t=1314142761; bh=UJeNsxOMJx5IMUCKhb9uhdzIHKs=; h=MIME-Version:In-Reply-To:References:Date:Message-ID:Subject:From: To:Cc:Content-Type:Content-Transfer-Encoding; b=e/v2uJbQ6lCuY9qKJ7lq1fihhhIP6X1ruWZ3Ck8/ZujatQ/r0tH5TpwwoNrQdTT/q ZuU+IM4GIT1LN3rIFB2TA==
DomainKey-Signature: a=rsa-sha1; s=beta; d=google.com; c=nofws; q=dns; h=dkim-signature:mime-version:in-reply-to:references:date: message-id:subject:from:to:cc:content-type: content-transfer-encoding:x-system-of-record; b=KrLU+azKP0cEaVPB2MJ4owzGv427wG6tvQuXpaI1cJKgSYbxoA0RV9uDdOxAgxzDi ibxLui8jktHN4cylZCAbw==
Received: from qyk31 (qyk31.prod.google.com [10.241.83.159]) by hpaq12.eem.corp.google.com with ESMTP id p7NNdJRF002188 (version=TLSv1/SSLv3 cipher=RC4-SHA bits=128 verify=NOT) for <tls@ietf.org>; Tue, 23 Aug 2011 16:39:20 -0700
Received: by qyk31 with SMTP id 31so3334532qyk.18 for <tls@ietf.org>; Tue, 23 Aug 2011 16:39:19 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=beta; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type:content-transfer-encoding; bh=B6MzXkS989/M46Vj+5lEIfJXDzkL4BhgvzqiHalsX3k=; b=nvNooHQ8hLowLhXXgnAjLbdzcvKsD0NFP6T2/wBdQIFAdojGO4I+CzH55fJM5+zcqO VLDzo+NHAiOxwNqKD0+g==
Received: by 10.229.33.71 with SMTP id g7mr2882400qcd.26.1314142759166; Tue, 23 Aug 2011 16:39:19 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.229.33.71 with SMTP id g7mr2882393qcd.26.1314142759002; Tue, 23 Aug 2011 16:39:19 -0700 (PDT)
Received: by 10.229.102.159 with HTTP; Tue, 23 Aug 2011 16:39:18 -0700 (PDT)
In-Reply-To: <4E52ACCC.20303@telia.com>
References: <CADHfa2AMOeShxH_k5ZEB3DUVJAnOqvZmLMg5Yz8smtBDGkQsNg@mail.gmail.com> <4E52ACCC.20303@telia.com>
Date: Tue, 23 Aug 2011 16:39:18 -0700
Message-ID: <CALTJjxFWu0SLi7ieaBHQp9aTqm4aB-t6CoNa6T0j3oYbHhfnrQ@mail.gmail.com>
From: Wan-Teh Chang <wtc@google.com>
To: Anders Rundgren <anders.rundgren@telia.com>
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: quoted-printable
X-System-Of-Record: true
Cc: tls@ietf.org
Subject: Re: [TLS] TLS-OBC proposal
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 23 Aug 2011 23:38:19 -0000
On Mon, Aug 22, 2011 at 12:23 PM, Anders Rundgren <anders.rundgren@telia.com> wrote: > > I'm a little hesitant (from a deployment point-of-view) about mucking > around in the TLS layer. Wouldn't it be possible to achieve this > anyway web-only functionality with more "webbish" methods? Not as > clean but it would probably be easier rolling out. The reason the origin-bound certificates are used in TLS client authentication is to save one round trip. Otherwise the server will need to send a challenge for the client to sign. There is a variant where the client signs a shared value derived from the TLS master secret, to avoid the need for the server to send a challenge. That variant can be used at the HTTP layer when running over TLS. Wan-Teh
- [TLS] TLS-OBC proposal Dirk Balfanz
- Re: [TLS] TLS-OBC proposal Anders Rundgren
- Re: [TLS] TLS-OBC proposal Chris Richardson
- Re: [TLS] TLS-OBC proposal Wan-Teh Chang
- Re: [TLS] TLS-OBC proposal Chris Newman
- Re: [TLS] TLS-OBC proposal Dirk Balfanz
- Re: [TLS] TLS-OBC proposal Dirk Balfanz
- Re: [TLS] TLS-OBC proposal Dirk Balfanz
- Re: [TLS] TLS-OBC proposal Nikos Mavrogiannopoulos
- Re: [TLS] TLS-OBC proposal Dirk Balfanz
- Re: [TLS] TLS-OBC proposal Nikos Mavrogiannopoulos
- Re: [TLS] TLS-OBC proposal Anders Rundgren
- Re: [TLS] TLS-OBC proposal Nikos Mavrogiannopoulos
- Re: [TLS] TLS-OBC proposal Anders Rundgren
- Re: [TLS] TLS-OBC proposal Martin Rex
- Re: [TLS] TLS-OBC proposal Nico Williams
- Re: [TLS] TLS-OBC proposal Nico Williams
- Re: [TLS] TLS-OBC proposal Nico Williams