IETF Logo Mail Archive

Re: [TLS] Removing restriction on cross-domain resumption

Martin Thomson <martin.thomson@gmail.com> Sat, 23 September 2017 01:15 UTC

Return-Path: <martin.thomson@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4FE661243F6 for <tls@ietfa.amsl.com>; Fri, 22 Sep 2017 18:15:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Level:
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Qns6dfjsyPhD for <tls@ietfa.amsl.com>; Fri, 22 Sep 2017 18:15:53 -0700 (PDT)
Received: from mail-oi0-x22c.google.com (mail-oi0-x22c.google.com [IPv6:2607:f8b0:4003:c06::22c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 66C37124F57 for <TLS@ietf.org>; Fri, 22 Sep 2017 18:15:53 -0700 (PDT)
Received: by mail-oi0-x22c.google.com with SMTP id j126so752627oia.10 for <TLS@ietf.org>; Fri, 22 Sep 2017 18:15:53 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=jCzutHI2W4Fg/awQmzzOegf/UwoHNEpK9golDRE2jVM=; b=A5sEKRYfmIWAtRRagIW8I+Eol0dcmO6ky8lqyUvlETMJgW7YWML2q84w1pUvffmwnP GA6fh8X71LgZOlCntWoWlkM6Ud67LfqA0UuKDiyxGWgW+Oz9bbaz5nQEV13E6kIk+0Zd L9ABAV7rChm3RJ+X6YvWS5K4nOyMNJkEImk6REaaPRwu+12/qqYytD0ou8l2QPl5v40c 9Wc47sBvW2iTaqPPpAvV1ry0r9reB2u9ihFmc2LotNGNBayuRkhFpruJZJaDxOLVslZ7 WFSb/AQ45OuSYThXPIQS+wBDsropxYOzmYDLnYIlgahE8vS0vC9pt10Hr8LM+uIx1fwX qGXQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=jCzutHI2W4Fg/awQmzzOegf/UwoHNEpK9golDRE2jVM=; b=RWA0gLJewN1w3PbxKyfcc337clEfayZyJNpO/QYD31awxnfq/PTy5Q3tRh0CmoT4LA DKhQB4Z/tW7n3gS0Da0uCk0YTuIebc2Hu4xpQS8LiPiJCO5YeNx0tpK41RGJUEbcFkiG EbwZPPk0QZGSRSXHTeW5Iy71WR755cTWSGLZBjfMnyuiPdtd5aghZW9JIr7CAdlVhqrG LqNO3m4CErXteiDpyz/PolRYqOtA5oRVXDpRlhpaN5AyvskxhriQ0nc2WplGxlFR2BNK 6zejfVrU0Go5bCw1EDMz8ScZMk04Ec3uen00HV7dgkxEXw6jAV3ObI/j/iBP21qrfaYr I83g==
X-Gm-Message-State: AHPjjUiaXlrYoneb/VYXX47uOX5muyzKvJxxLT23BoOcAyG0bqj36YjT +zyaKiBvMastYFaB4TRAdwPOJyyhzWs62OxKB6s=
X-Google-Smtp-Source: AOwi7QBoK55FJqfHfCNUTtoXg9C+TOfIynYHOlJBaUog/ZXxBfFoELeelfP2uOuLr3LP+2gWU2tsfjcxtT+kiYW/RFE=
X-Received: by 10.202.75.66 with SMTP id y63mr1134449oia.5.1506129352806; Fri, 22 Sep 2017 18:15:52 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.157.0.38 with HTTP; Fri, 22 Sep 2017 18:15:52 -0700 (PDT)
In-Reply-To: <CAH8yC8m=t4PMvrCo-68A4R7kft+CCtLBscEp_D3Z_Mn5C2Y1bA@mail.gmail.com>
References: <CAAZdMaeHTBw-2ZTzO5hzD==hywBBeEcOaofPm2wuNHy7LQxLpA@mail.gmail.com> <CAH8yC8m=t4PMvrCo-68A4R7kft+CCtLBscEp_D3Z_Mn5C2Y1bA@mail.gmail.com>
From: Martin Thomson <martin.thomson@gmail.com>
Date: Sat, 23 Sep 2017 11:15:52 +1000
Message-ID: <CABkgnnWPMCzi5v7m_hZEKCOisqMsggdKxq8gX+5vH6jtR5YgAA@mail.gmail.com>
To: noloader@gmail.com
Cc: Victor Vasiliev <vasilvv@google.com>, "tls@ietf.org" <TLS@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/iaBZfqdip_cptS67IMZ8_HZf3uA>
Subject: Re: [TLS] Removing restriction on cross-domain resumption
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 23 Sep 2017 01:15:55 -0000

On Fri, Sep 15, 2017 at 8:42 AM, Jeffrey Walton <noloader@gmail.com> wrote:
> The current models uses origins as a boundary, so they are different
> security contexts.

That's not relevant here.  A certificate allows a server to speak for
multiple origins.  The notion of an origin is, as you say, established
at a higher layer.  TLS establishes a broader notion of identity.

If you are interested in what origins a server might be authoritative
for and how those might be managed, see
http://httpwg.org/http-extensions/origin-frame.html

v2.23.0 | Report a Bug | By Email