Re: [TLS] [CHANNEL-BINDING] Updates to draft-altman-tls-channel-bindings (PLEASE REVIEW)

Nicolas Williams <Nicolas.Williams@sun.com> Fri, 19 March 2010 23:30 UTC

Return-Path: <Nicolas.Williams@sun.com>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 237FA3A6A91; Fri, 19 Mar 2010 16:30:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.313
X-Spam-Level:
X-Spam-Status: No, score=-5.313 tagged_above=-999 required=5 tests=[AWL=0.155, BAYES_00=-2.599, DNS_FROM_OPENWHOIS=1.13, RCVD_IN_DNSWL_MED=-4, UNPARSEABLE_RELAY=0.001]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rFmEAWiQCwjj; Fri, 19 Mar 2010 16:30:12 -0700 (PDT)
Received: from rcsinet11.oracle.com (rcsinet11.oracle.com [148.87.113.123]) by core3.amsl.com (Postfix) with ESMTP id 23FDB3A6A8C; Fri, 19 Mar 2010 16:30:12 -0700 (PDT)
Received: from acsinet15.oracle.com (acsinet15.oracle.com [141.146.126.227]) by rcsinet11.oracle.com (Switch-3.4.2/Switch-3.4.2) with ESMTP id o2JNUNNv009641 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Fri, 19 Mar 2010 23:30:24 GMT
Received: from acsmt353.oracle.com (acsmt353.oracle.com [141.146.40.153]) by acsinet15.oracle.com (Switch-3.4.2/Switch-3.4.1) with ESMTP id o2JNULRX002101; Fri, 19 Mar 2010 23:30:21 GMT
Received: from abhmt018.oracle.com by acsmt354.oracle.com with ESMTP id 96659851269041413; Fri, 19 Mar 2010 16:30:13 -0700
Received: from Sun.COM (/129.153.128.104) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Fri, 19 Mar 2010 16:30:12 -0700
Date: Fri, 19 Mar 2010 18:30:05 -0500
From: Nicolas Williams <Nicolas.Williams@sun.com>
To: Simon Josefsson <simon@josefsson.org>
Message-ID: <20100319233005.GY18167@Sun.COM>
References: <20100317231522.GA18167@Sun.COM> <87zl243czl.fsf@mocca.josefsson.org>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <87zl243czl.fsf@mocca.josefsson.org>
User-Agent: Mutt/1.5.20 (2010-03-02)
X-Source-IP: acsmt353.oracle.com [141.146.40.153]
X-Auth-Type: Internal IP
X-CT-RefId: str=0001.0A090203.4BA4090E.0148,ss=1,fgs=0
Cc: channel-binding@ietf.org, tls@ietf.org, sasl@ietf.org
Subject: Re: [TLS] [CHANNEL-BINDING] Updates to draft-altman-tls-channel-bindings (PLEASE REVIEW)
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 19 Mar 2010 23:30:13 -0000

On Fri, Mar 19, 2010 at 09:57:34AM +0100, Simon Josefsson wrote:
> Nicolas Williams <Nicolas.Williams@sun.com> writes:
> 
> > +   Description: The first TLS Finished message sent (note: the Finished
> > +   struct) in the most recent TLS handshake of the TLS connection being
> > +   bound to (note: TLS connection, not session, so that the channel
> > +   binding is specific to each connection regardless of whether session
> > +   resumption is used).  If TLS re-negotiation takes place before the
> > +   channel binding operation, then the first TLS Finished message sent
> > +   of the latest/inner-most TLS connection is used.  Note that for full
> > +   TLS handshakes the first Finished message is sent by the client,
> > +   while for abbreviated TLS handshakes the first Finished message is
> > +   sent by the server.
> 
> I don't follow this fully -- IF you use the latest TLS finished message,
> the channel binding data WILL be specific the each TLS session, and it
> will depend on whether the session is resumed or not, which is contrary
> to this assertion:

No, the _first_ finished message of the _latest_ handshake.  That's what
Larry says MSFT implemented.  I still don't know if that's just for
HTTP/Negotiate or what.

> > +   bound to (note: TLS connection, not session, so that the channel
> > +   binding is specific to each connection regardless of whether session
> > +   resumption is used).  If TLS re-negotiation takes place before the
> 
> I wonder what happens if a TLS re-negotiation happens after the client
> started its authentication attempt (for GS2-KRB5: sent the AP-REQ) but
> before the server has responded (for GS2-KRB5: sent the AP-REP)?  Then
> authentication will fail, it seems, because the client and server will
> have different ideas of what the channel binding data should be.

Good question.  That's one reason to use the first handshake.