Re: [TLS] something something certificate --- boiling a small lake

Nico Williams <nico@cryptonector.com> Fri, 26 June 2020 22:43 UTC

Return-Path: <nico@cryptonector.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2FA983A0D01 for <tls@ietfa.amsl.com>; Fri, 26 Jun 2020 15:43:48 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.1
X-Spam-Level:
X-Spam-Status: No, score=-2.1 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cryptonector.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TpVCw0HSLiQm for <tls@ietfa.amsl.com>; Fri, 26 Jun 2020 15:43:47 -0700 (PDT)
Received: from aye.elm.relay.mailchannels.net (aye.elm.relay.mailchannels.net [23.83.212.6]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id ED3C63A0CFD for <tls@ietf.org>; Fri, 26 Jun 2020 15:43:46 -0700 (PDT)
X-Sender-Id: dreamhost|x-authsender|nico@cryptonector.com
Received: from relay.mailchannels.net (localhost [127.0.0.1]) by relay.mailchannels.net (Postfix) with ESMTP id 100594017FB; Fri, 26 Jun 2020 22:43:46 +0000 (UTC)
Received: from pdx1-sub0-mail-a15.g.dreamhost.com (100-96-1-7.trex.outbound.svc.cluster.local [100.96.1.7]) (Authenticated sender: dreamhost) by relay.mailchannels.net (Postfix) with ESMTPA id 6E5864011B3; Fri, 26 Jun 2020 22:43:45 +0000 (UTC)
X-Sender-Id: dreamhost|x-authsender|nico@cryptonector.com
Received: from pdx1-sub0-mail-a15.g.dreamhost.com (pop.dreamhost.com [64.90.62.162]) (using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384) by 0.0.0.0:2500 (trex/5.18.8); Fri, 26 Jun 2020 22:43:45 +0000
X-MC-Relay: Neutral
X-MailChannels-SenderId: dreamhost|x-authsender|nico@cryptonector.com
X-MailChannels-Auth-Id: dreamhost
X-Grain-Hook: 7720d93a1c33550b_1593211425723_3222865382
X-MC-Loop-Signature: 1593211425722:126160701
X-MC-Ingress-Time: 1593211425722
Received: from pdx1-sub0-mail-a15.g.dreamhost.com (localhost [127.0.0.1]) by pdx1-sub0-mail-a15.g.dreamhost.com (Postfix) with ESMTP id 0F6227F08A; Fri, 26 Jun 2020 15:43:45 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=cryptonector.com; h=date :from:to:cc:subject:message-id:references:mime-version :content-type:in-reply-to; s=cryptonector.com; bh=EX5Eqj0NR2U6xf r+1XeFGBaSUXk=; b=eXOjK4l/lXcxoP7wstFSWCTV7HRVy4z1xeVQg+OqKz8PzM w30QjN/XOmwU1fp8/Rze5QHMG2GK3gWJ5THrbjU9BcAtXRGsFWAethyhhV2x6cB0 OMc5NERUexuziyEcaw6mRXWQWc70tRLp0xUZOPD3nSiF9YCteRVdqM3BCWF3M=
Received: from localhost (unknown [24.28.108.183]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) (Authenticated sender: nico@cryptonector.com) by pdx1-sub0-mail-a15.g.dreamhost.com (Postfix) with ESMTPSA id 78DC17F088; Fri, 26 Jun 2020 15:43:40 -0700 (PDT)
Date: Fri, 26 Jun 2020 17:43:37 -0500
X-DH-BACKEND: pdx1-sub0-mail-a15
From: Nico Williams <nico@cryptonector.com>
To: "Salz, Rich" <rsalz@akamai.com>
Cc: Michael Richardson <mcr+ietf@sandelman.ca>, Brian Campbell <bcampbell@pingidentity.com>, "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>, "tls@ietf.org" <tls@ietf.org>
Message-ID: <20200626224336.GY3100@localhost>
References: <6663.1592585417@localhost> <20200625234212.GV3100@localhost> <20929.1593210591@localhost> <FD792EC9-0DE4-4C07-88D3-DA3E9E6BB37C@akamai.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <FD792EC9-0DE4-4C07-88D3-DA3E9E6BB37C@akamai.com>
User-Agent: Mutt/1.9.4 (2018-02-28)
X-VR-OUT-STATUS: OK
X-VR-OUT-SCORE: -100
X-VR-OUT-SPAMCAUSE: gggruggvucftvghtrhhoucdtuddrgeduhedrudelvddgudegucetufdoteggodetrfdotffvucfrrhhofhhilhgvmecuggftfghnshhusghstghrihgsvgdpffftgfetoffjqffuvfenuceurghilhhouhhtmecufedttdenucesvcftvggtihhpihgvnhhtshculddquddttddmnecujfgurhepfffhvffukfhfgggtuggjfgesthdtredttdervdenucfhrhhomheppfhitghoucghihhllhhirghmshcuoehnihgtohestghrhihpthhonhgvtghtohhrrdgtohhmqeenucggtffrrghtthgvrhhnpefftdektefhueetveeigfefgeejteejvdfhhefgvddtfeeujeehleeguefhgffhgfenucfkphepvdegrddvkedruddtkedrudekfeenucevlhhushhtvghrufhiiigvpedtnecurfgrrhgrmhepmhhouggvpehsmhhtphdphhgvlhhopehlohgtrghlhhhoshhtpdhinhgvthepvdegrddvkedruddtkedrudekfedprhgvthhurhhnqdhprghthheppfhitghoucghihhllhhirghmshcuoehnihgtohestghrhihpthhonhgvtghtohhrrdgtohhmqedpmhgrihhlfhhrohhmpehnihgtohestghrhihpthhonhgvtghtohhrrdgtohhmpdhnrhgtphhtthhopehnihgtohestghrhihpthhonhgvtghtohhrrdgtohhm
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/fdYwpzIbG9OF68hD65bO9Pvsg58>
Subject: Re: [TLS] something something certificate --- boiling a small lake
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 26 Jun 2020 22:43:48 -0000

On Fri, Jun 26, 2020 at 10:41:02PM +0000, Salz, Rich wrote:
> >    What has been pointed out is that TLS can renegotiate client
> >    authentication.
> 
> Not in TLS 1.3.  And with TLS 1.0 and TLS 1.1 on their way out the
> door ... 

That's what I thought.  So there's just the header compression issue.

BTW, this also comes up with cookies, tokens, etc.

Nico
--