Re: [TLS] Summarizing identity change discussion so far
Marsh Ray <marsh@extendedsubset.com> Wed, 09 December 2009 22:59 UTC
Return-Path: <marsh@extendedsubset.com>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 165763A67EB for <tls@core3.amsl.com>; Wed, 9 Dec 2009 14:59:41 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.595
X-Spam-Level:
X-Spam-Status: No, score=-2.595 tagged_above=-999 required=5 tests=[AWL=0.004, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id OC-gzSHAfl82 for <tls@core3.amsl.com>; Wed, 9 Dec 2009 14:59:40 -0800 (PST)
Received: from mho-02-ewr.mailhop.org (mho-02-ewr.mailhop.org [204.13.248.72]) by core3.amsl.com (Postfix) with ESMTP id 3296C3A680F for <tls@ietf.org>; Wed, 9 Dec 2009 14:59:40 -0800 (PST)
Received: from xs01.extendedsubset.com ([69.164.193.58]) by mho-02-ewr.mailhop.org with esmtpa (Exim 4.68) (envelope-from <marsh@extendedsubset.com>) id 1NIVVI-000MvP-NQ; Wed, 09 Dec 2009 22:59:28 +0000
Received: from [127.0.0.1] (localhost [127.0.0.1]) by xs01.extendedsubset.com (Postfix) with ESMTP id 7FDAE603A; Wed, 9 Dec 2009 22:59:27 +0000 (UTC)
X-Mail-Handler: MailHop Outbound by DynDNS
X-Originating-IP: 69.164.193.58
X-Report-Abuse-To: abuse@dyndns.com (see http://www.dyndns.com/services/mailhop/outbound_abuse.html for abuse reporting information)
X-MHO-User: U2FsdGVkX1/ABt8eWND4kJvse0b5O6HiEvyk62XZH54=
Message-ID: <4B202BCD.40500@extendedsubset.com>
Date: Wed, 09 Dec 2009 16:59:25 -0600
From: Marsh Ray <marsh@extendedsubset.com>
User-Agent: Thunderbird 2.0.0.23 (Windows/20090812)
MIME-Version: 1.0
To: Pasi.Eronen@nokia.com
References: <808FD6E27AD4884E94820BC333B2DB774F31A4FD08@NOK-EUMSG-01.mgdnok.nokia.com> <4B1E4E10.90201@cs.tcd.ie> <808FD6E27AD4884E94820BC333B2DB774F31D235DE@NOK-EUMSG-01.mgdnok.nokia.com> <4B1E786A.7070100@extendedsubset.com> <808FD6E27AD4884E94820BC333B2DB774F31D2391E@NOK-EUMSG-01.mgdnok.nokia.com>
In-Reply-To: <808FD6E27AD4884E94820BC333B2DB774F31D2391E@NOK-EUMSG-01.mgdnok.nokia.com>
X-Enigmail-Version: 0.96.0
OpenPGP: id=1E36DBF2
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
Cc: tls@ietf.org
Subject: Re: [TLS] Summarizing identity change discussion so far
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 09 Dec 2009 22:59:41 -0000
Hello all, I'm wearing a warm red and gray hat today. Pasi.Eronen@nokia.com wrote: > Marsh Ray wrote: > >>> and can cause security vulnerabilities for some of them. >> Do we know of any examples? I can only think of some very subtle and >> hypothetical ones that require client and server apps that are already >> coded for switching identities intentionally. > [...] > > I guess an even worse example would be something like this: > > conn = openTlsConnection(host, port) > if not verifyCertChain(conn.getPeerCert()): > raise "Not a valid cert" > if conn.getPeerCert().getName() != expected_name: > raise "Name in certificate doesn't match" > # continue... _After_ renegotation is fixed (and/or disabled by default) though, how is this a problem? RI proves the data has come from the same remote endpoint. That same remote endpoint has proven that he can supply an acceptable cert, too. In order for this example to be a problem, the legitimate client would have to renegotiate specifically for the purpose of dropping certain cert credentials. This would seem to imply that the application code was expecting cert changes. This is not to say that there's no application that could be confused by such a change, only that I haven't seen any real examples. Nelson suggested a test tool used internally with NSS might do something agressive with certs and renegotiation like that. I don't think it's inherently broken. It seems reasonable to me for one party to say "By the initial handshake and two subsequent renegotiations I have proven posession of the private keys for these three certificates". With renegotiation fixed, credentials supplied on different handshakes may legitimately be treated as additive. This is how https client certificates often work: an initial anon-client connection adds a client cert to the connection by renegotiating. The actual credentials policy should be documented as part of the app protocol on top of TLS. Most of them would document "no renegotiation" and I think that should be the default for implementations. > Most TLS libraries seem to support both callback and get() style > functions for accessing/checking certificates. Most script-language bindings to OpenSSL seem not to support the callback mechanism very well. Just a data point. > Although using the callback-style APIs might be more common (and in > some sence nicer, since it allows you to abort the handshake > a bit earlier -- but an app developer might not care about this very > much), I think it would be a surprise to most app developers that > using the get-style APIs might not be secure. > > (And I wouldn't be surprised at all if real applications using > those get() style APIs are found...) You know they exist when all example code for some very popular implementations and languages does it that way. - Marsh
- [TLS] Summarizing identity change discussion so f… Pasi.Eronen
- Re: [TLS] Summarizing identity change discussion … Blumenthal, Uri - 0662 - MITLL
- Re: [TLS] Summarizing identity change discussion … Stephen Farrell
- Re: [TLS] Summarizing identity change discussion … Pasi.Eronen
- Re: [TLS] Summarizing identity change discussion … Eric Rescorla
- Re: [TLS] Summarizing identity change discussion … Marsh Ray
- Re: [TLS] Summarizing identity change discussion … Marsh Ray
- Re: [TLS] Summarizing identity change discussion … Martin Rex
- Re: [TLS] Summarizing identity change discussion … Stefan Santesson
- Re: [TLS] Summarizing identity change discussion … Pasi.Eronen
- Re: [TLS] Summarizing identity change discussion … Pasi.Eronen
- Re: [TLS] Summarizing identity change discussion … Martin Rex
- Re: [TLS] Summarizing identity change discussion … Michael Gray
- Re: [TLS] Summarizing identity change discussion … Marsh Ray
- Re: [TLS] Summarizing identity change discussion … Martin Rex
- Re: [TLS] Summarizing identity change discussion … Pasi.Eronen
- Re: [TLS] Summarizing identity change discussion … Pasi.Eronen
- Re: [TLS] Summarizing identity change discussion … Pasi.Eronen
- Re: [TLS] Summarizing identity change discussion … Marsh Ray
- Re: [TLS] Summarizing identity change discussion … Martin Rex
- Re: [TLS] Summarizing identity change discussion … Pasi.Eronen
- Re: [TLS] Summarizing identity change discussion … Pasi.Eronen
- Re: [TLS] Summarizing identity change discussion … Kyle Hamilton
- Re: [TLS] Summarizing identity change discussion … Martin Rex
- Re: [TLS] Summarizing identity change discussion … Marsh Ray
- Re: [TLS] Summarizing identity change discussion … Pasi.Eronen
- Re: [TLS] Summarizing identity change discussion … Michael Gray
- Re: [TLS] Summarizing identity change discussion … Martin Rex
- Re: [TLS] Summarizing identity change discussion … Michael Gray
- Re: [TLS] Summarizing identity change discussion … Marsh Ray
- Re: [TLS] Summarizing identity change discussion … Martin Rex
- Re: [TLS] Summarizing identity change discussion … Michael Gray
- Re: [TLS] Summarizing identity change discussion … Kyle Hamilton
- [TLS] OpenPGP Certs for TLS [was: Re: Summarizing… Daniel Kahn Gillmor
- Re: [TLS] Summarizing identity change discussion … Martin Rex
- Re: [TLS] Summarizing identity change discussion … Blumenthal, Uri - 0662 - MITLL
- Re: [TLS] Summarizing identity change discussion … Kyle Hamilton
- Re: [TLS] Summarizing identity change discussion … Martin Rex
- Re: [TLS] Summarizing identity change discussion … Kyle Hamilton
- Re: [TLS] Summarizing identity change discussion … Peter Saint-Andre
- Re: [TLS] Summarizing identity change discussion … Peter Saint-Andre
- Re: [TLS] Summarizing identity change discussion … Peter Saint-Andre
- Re: [TLS] Summarizing identity change discussion … Peter Saint-Andre
- Re: [TLS] Summarizing identity change discussion … David-Sarah Hopwood
- Re: [TLS] Summarizing identity change discussion … Blumenthal, Uri - 0662 - MITLL
- Re: [TLS] Summarizing identity change discussion … Marsh Ray
- Re: [TLS] Summarizing identity change discussion … Joseph Salowey (jsalowey)
- Re: [TLS] Summarizing identity change discussion … Stephen Farrell
- Re: [TLS] Summarizing identity change discussion … Martin Rex
- Re: [TLS] Summarizing identity change discussion … Nelson B Bolyard
- Re: [TLS] Summarizing identity change discussion … Nasko Oskov
- Re: [TLS] Summarizing identity change discussion … David-Sarah Hopwood
- Re: [TLS] Summarizing identity change discussion … David-Sarah Hopwood
- Re: [TLS] Summarizing identity change discussion … Joseph Salowey (jsalowey)
- Re: [TLS] Summarizing identity change discussion … Pasi.Eronen
- Re: [TLS] Summarizing identity change discussion … Joseph Salowey (jsalowey)