IETF Logo Mail Archive

Re: [TLS] Summarizing identity change discussion so far

Marsh Ray <marsh@extendedsubset.com> Thu, 17 December 2009 22:01 UTC

Return-Path: <marsh@extendedsubset.com>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id BB5563A6918 for <tls@core3.amsl.com>; Thu, 17 Dec 2009 14:01:54 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.591
X-Spam-Level:
X-Spam-Status: No, score=-2.591 tagged_above=-999 required=5 tests=[AWL=0.008, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id D4-2aUsfg1tw for <tls@core3.amsl.com>; Thu, 17 Dec 2009 14:01:54 -0800 (PST)
Received: from mho-01-ewr.mailhop.org (mho-01-ewr.mailhop.org [204.13.248.71]) by core3.amsl.com (Postfix) with ESMTP id E194F3A6910 for <tls@ietf.org>; Thu, 17 Dec 2009 14:01:53 -0800 (PST)
Received: from xs01.extendedsubset.com ([69.164.193.58]) by mho-01-ewr.mailhop.org with esmtpa (Exim 4.68) (envelope-from <marsh@extendedsubset.com>) id 1NLOPj-000KT2-3L; Thu, 17 Dec 2009 22:01:39 +0000
Received: from [127.0.0.1] (localhost [127.0.0.1]) by xs01.extendedsubset.com (Postfix) with ESMTP id DA68D6678; Thu, 17 Dec 2009 22:01:37 +0000 (UTC)
X-Mail-Handler: MailHop Outbound by DynDNS
X-Originating-IP: 69.164.193.58
X-Report-Abuse-To: abuse@dyndns.com (see http://www.dyndns.com/services/mailhop/outbound_abuse.html for abuse reporting information)
X-MHO-User: U2FsdGVkX1/fNnlFdeWIH7deZvweevek7JusYt/okdE=
Message-ID: <4B2AAA40.3090804@extendedsubset.com>
Date: Thu, 17 Dec 2009 16:01:36 -0600
From: Marsh Ray <marsh@extendedsubset.com>
User-Agent: Thunderbird 2.0.0.23 (Windows/20090812)
MIME-Version: 1.0
To: Pasi.Eronen@nokia.com
References: <808FD6E27AD4884E94820BC333B2DB774F31A4FD08@NOK-EUMSG-01.mgdnok.nokia.com> <808FD6E27AD4884E94820BC333B2DB774F31F77BBB@NOK-EUMSG-01.mgdnok.nokia.com>
In-Reply-To: <808FD6E27AD4884E94820BC333B2DB774F31F77BBB@NOK-EUMSG-01.mgdnok.nokia.com>
X-Enigmail-Version: 0.96.0
OpenPGP: id=1E36DBF2
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
Cc: tls@ietf.org
Subject: Re: [TLS] Summarizing identity change discussion so far
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 17 Dec 2009 22:01:54 -0000

Looks great to me.

A few edit suggestions inline.

- Marsh

Pasi.Eronen@nokia.com wrote:
> Here's proposed text for the Security Considerations section about the
> identity changes. The discussion on the list seemed to favor keeping
> the normative parts quite mild, so much of this is worded as advice
> for people to consider (or ignore, if they so choose), not as strict 
> requirements:
> 
>    While this extension mitigates the man-in-the-middle attack
>    described in the overview, it does not resolve all possible
>    problems an application may face if it is unaware of renegotiation.
>    In particular, either the client or the server can during
     For example, during renegotiation either the client
     or the server can present...
>    renegotiation present a different certificate than was used
>    earlier, and this may become as a surprise to application
     earlier.     This may   come as a surprise
>    developers (who might have expected, for example, that a
>    "getPeerCertificates()" API call returns the same value if called
>    twice), and might be handled in an insecure way.
>    
>    TLS implementers are encouraged to clearly document how
>    renegotiation interacts with the APIs offered to applications (for
>    example, which API calls might return different values on different
>    calls, or which callbacks might get called multiple times).
> 
>    To make life simpler for applications that do not expect the peer's
>    certificate to change once it's been authentication, TLS
>    implementations MAY offer the applications the option abort the
how about: "are encouraged to offer" ?
>    renegotiation if the peer tries to authenticate with a different
>    certificate and/or different server name (in the server_name
>    extension) than was used earlier. However, enabling this option by
>    default for all applications could break existing applications that
>    depend on using renegotiation to present multiple certificates.

>    TLS implementations SHOULD also offer the applications the option
>    to disable renegotiation completely.
Consider moving this sentence above the MAY, perhaps in its own paragraph.

>    Finally, designers of applications that depend on renegotiation are
>    reminded that many TLS APIs represent application data as a simple
>    octet stream; applications may not be able to determine exactly
>    which application data octets were received before, during, or
>    after renegotiation. Especially if the peer presents a different 
>    certificate during renegotiation, care is needed when specifying
>    how the application should handle the data.

- Marsh

v2.23.0 | Report a Bug | By Email