Re: [TLS] Summarizing identity change discussion so far

"Joseph Salowey (jsalowey)" <jsalowey@cisco.com> Sat, 19 December 2009 06:03 UTC

Return-Path: <jsalowey@cisco.com>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 6ED733A68A7 for <tls@core3.amsl.com>; Fri, 18 Dec 2009 22:03:29 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.508
X-Spam-Level:
X-Spam-Status: No, score=-6.508 tagged_above=-999 required=5 tests=[AWL=0.091, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Xs4NaksmnJ15 for <tls@core3.amsl.com>; Fri, 18 Dec 2009 22:03:28 -0800 (PST)
Received: from sj-iport-4.cisco.com (sj-iport-4.cisco.com [171.68.10.86]) by core3.amsl.com (Postfix) with ESMTP id 7089B3A6887 for <tls@ietf.org>; Fri, 18 Dec 2009 22:03:28 -0800 (PST)
Authentication-Results: sj-iport-4.cisco.com; dkim=neutral (message not signed) header.i=none
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: ApoEAGP7K0urR7Ht/2dsb2JhbAC+WZZ9gi+BfwQ
X-IronPort-AV: E=Sophos;i="4.47,422,1257120000"; d="scan'208";a="65093292"
Received: from sj-core-1.cisco.com ([171.71.177.237]) by sj-iport-4.cisco.com with ESMTP; 19 Dec 2009 06:03:13 +0000
Received: from xbh-sjc-211.amer.cisco.com (xbh-sjc-211.cisco.com [171.70.151.144]) by sj-core-1.cisco.com (8.13.8/8.14.3) with ESMTP id nBJ63DYn023701; Sat, 19 Dec 2009 06:03:13 GMT
Received: from xmb-sjc-225.amer.cisco.com ([128.107.191.38]) by xbh-sjc-211.amer.cisco.com with Microsoft SMTPSVC(6.0.3790.3959); Fri, 18 Dec 2009 22:03:13 -0800
X-MimeOLE: Produced By Microsoft Exchange V6.5
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Date: Fri, 18 Dec 2009 22:03:12 -0800
Message-ID: <AC1CFD94F59A264488DC2BEC3E890DE50951355D@xmb-sjc-225.amer.cisco.com>
In-Reply-To: <4B2BDCAC.1040802@bolyard.me>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: [TLS] Summarizing identity change discussion so far
Thread-Index: AcqAGzeDAkldwC8qQjWRqwGgxqQqxQAVK08Q
References: <Acp35q+5MB/IK2o8TM+TSRCqs64JxA==><808FD6E27AD4884E94820BC333B2DB774F31A4FD08@NOK-EUMSG-01.mgdnok.nokia.com><6b9359640912171337j7ed5be63gf431e0fb12070944@mail.gmail.com> <808FD6E27AD4884E94820BC333B2DB774F31F77BDC@NOK-EUMSG-01.mgdnok.nokia.com><AC1CFD94F59A264488DC2BEC3E890DE5095131C5@xmb-sjc-225.amer.cisco.com> <4B2BDCAC.1040802@bolyard.me>
From: "Joseph Salowey (jsalowey)" <jsalowey@cisco.com>
To: Nelson B Bolyard <nelson@bolyard.me>, IETF TLS Working Group <tls@ietf.org>
X-OriginalArrivalTime: 19 Dec 2009 06:03:13.0679 (UTC) FILETIME=[F31AC1F0:01CA8070]
Subject: Re: [TLS] Summarizing identity change discussion so far
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 19 Dec 2009 06:03:29 -0000

 

> -----Original Message-----
> From: tls-bounces@ietf.org [mailto:tls-bounces@ietf.org] On 
> Behalf Of Nelson B Bolyard
> Sent: Friday, December 18, 2009 11:49 AM
> To: IETF TLS Working Group
> Subject: Re: [TLS] Summarizing identity change discussion so far
> 
> On 2009-12-17 23:27 PST, Joseph Salowey (jsalowey) wrote:
> > I share the opinion that identity checking belongs in the 
> application, 
> > performed according to whatever mechanism is appropriate.  
> We should 
> > not be mandating any particular PKIX processing in the TLS specs.
> > 
> > I also think if an application is not prepared to be aware of 
> > renegotiation and handle any identity change associated 
> with it then 
> > renegotiation should be disabled.  This implies that renegotiation 
> > should be disabled by default and specifically enabled by an 
> > application.  So I would say
> > 
> > "TLS implementations SHOULD disable renegotiation by 
> default and offer 
> > the applications the option to enable renegotiation.  When an 
> > application enables renegotiation it must handle identity 
> processing 
> > for each handshake."
> 
> With my Idealist hat on, I agree with that 100%.  But after 
> 13.25 years of working on SSL/TLS libraries, I know that 98+% 
> of the app developers who use TLS have no idea what that 
> means or how to do it.  IMO, they are likely to just call a 
> function for each handshake that does the same thing as for 
> the first handshake, validating the cert chain and (if we're
> lucky) checking that some aspect of the cert contains some 
> expected name, without any regard to what prior certificates 
> may have contained.
>
>
> So, IMO, it makes sense of TLS implementations to offer some 
> sort of "default" handling of certs to attempt to ensure 
> continuity of identity in the absence of something much 
> better from the application.  I'd suggest that, unless the 
> applications direct them to do otherwise, perhaps by 
> registering some callback, TLS implementations should check 
> that the cert in a renegotiation is the same one as in the 
> previous full handshake, either by memcmp of the entire cert, 
> or by memcmp of the subject name and
> subjectAltName (if any).   Anything less will ensure that 
> most apps continue
> to get this wrong, IMO.

[Joe] So ideally renegotiation would be disabled (perhaps after the
client is authenticated in a TLS handshake) unless application enables
it.   The TLS implementation can implement some policy on how to match
identity from on handshake to the next, but I'm not confident that any
single specific policy  will be the right policy for different
applications and deployments. 

> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls
>