RE: [TLS] RE: RFC 4507bis (Joseph Salowey (jsalowey))
"Joseph Salowey \(jsalowey\)" <jsalowey@cisco.com> Mon, 20 August 2007 03:42 UTC
Return-path: <tls-bounces@lists.ietf.org>
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1IMy9R-0006H5-3Q; Sun, 19 Aug 2007 23:42:01 -0400
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1IMy9P-0006Gz-Lj for tls@lists.ietf.org; Sun, 19 Aug 2007 23:41:59 -0400
Received: from sj-iport-6.cisco.com ([171.71.176.117]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1IMy9O-0008Se-Hd for tls@lists.ietf.org; Sun, 19 Aug 2007 23:41:59 -0400
Received: from sj-dkim-4.cisco.com ([171.71.179.196]) by sj-iport-6.cisco.com with ESMTP; 19 Aug 2007 20:41:58 -0700
X-IronPort-AV: i="4.19,283,1183359600"; d="scan'208"; a="202861920:sNHT60768864"
Received: from sj-core-1.cisco.com (sj-core-1.cisco.com [171.71.177.237]) by sj-dkim-4.cisco.com (8.12.11/8.12.11) with ESMTP id l7K3fv4B027930; Sun, 19 Aug 2007 20:41:57 -0700
Received: from xbh-sjc-221.amer.cisco.com (xbh-sjc-221.cisco.com [128.107.191.63]) by sj-core-1.cisco.com (8.12.10/8.12.6) with ESMTP id l7K3fvF4008749; Mon, 20 Aug 2007 03:41:57 GMT
Received: from xmb-sjc-225.amer.cisco.com ([128.107.191.38]) by xbh-sjc-221.amer.cisco.com with Microsoft SMTPSVC(6.0.3790.1830); Sun, 19 Aug 2007 20:41:57 -0700
X-MimeOLE: Produced By Microsoft Exchange V6.5
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Subject: RE: [TLS] RE: RFC 4507bis (Joseph Salowey (jsalowey))
Date: Sun, 19 Aug 2007 20:41:58 -0700
Message-ID: <AC1CFD94F59A264488DC2BEC3E890DE504578691@xmb-sjc-225.amer.cisco.com>
In-Reply-To: <1D526804BA83A2459C60E28CA73ABD9001FC9DE0@TUS1XCHCLUPIN03.enterprise.veritas.com>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: [TLS] RE: RFC 4507bis (Joseph Salowey (jsalowey))
Thread-Index: AcfUVRePRd0P445dQU+ceHtZv6t9ngAFZLyAA5xQI0A=
From: "Joseph Salowey (jsalowey)" <jsalowey@cisco.com>
To: Mark Tillinghast <Mark_Tillinghast@symantec.com>, tls@lists.ietf.org
X-OriginalArrivalTime: 20 Aug 2007 03:41:57.0345 (UTC) FILETIME=[0EDDD510:01C7E2DC]
DKIM-Signature: v=0.5; a=rsa-sha256; q=dns/txt; l=8942; t=1187581317; x=1188445317; c=relaxed/simple; s=sjdkim4002; h=Content-Type:From:Subject:Content-Transfer-Encoding:MIME-Version; d=cisco.com; i=jsalowey@cisco.com; z=From:=20=22Joseph=20Salowey=20\(jsalowey\)=22=20<jsalowey@cisco.com> |Subject:=20RE=3A=20[TLS]=20RE=3A=20=20RFC=204507bis=20(Joseph=20Salowey= 20(jsalowey)) |Sender:=20; bh=1/mzejx7zIUSdRIMxIlB3NSQeX7VWLYwEiEEIWF9IIw=; b=H0drsr7AzXZV6+wAW9cv6RUM5dfZZq9SB8zeP1iD+L77KNCUKZRbQr58MmlxM6lqkFGhS4ws 6ZWIaaZ8mzvJSPAqq+UL6YEU8bmlgslbEJjvBnoy42kv+G25mBd+QXHJ;
Authentication-Results: sj-dkim-4; header.From=jsalowey@cisco.com; dkim=pass ( sig from cisco.com/sjdkim4002 verified; );
X-Spam-Score: -4.0 (----)
X-Scan-Signature: 187ae6c2eea74946c0ab707161f6256d
Cc:
X-BeenThere: tls@lists.ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.lists.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@lists.ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/tls>
List-Post: <mailto:tls@lists.ietf.org>
List-Help: <mailto:tls-request@lists.ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@lists.ietf.org?subject=subscribe>
Errors-To: tls-bounces@lists.ietf.org
Does anyone object to changing the example ticket integrity to HMAC-SHA-256? If not I'll look into getting this done. Joe > -----Original Message----- > From: Mark Tillinghast [mailto:Mark_Tillinghast@symantec.com] > Sent: Wednesday, August 01, 2007 11:46 AM > To: tls@lists.ietf.org > Subject: [TLS] RE: RFC 4507bis (Joseph Salowey (jsalowey)) > > Hi Joe, > > I am very concerned about sha1 vs sha256. > I have two different certificates with the same signature > complements of Xiaoyun Wang, Yiqun Lisa Yin, and Hongbo Yu. > > Nist guidance I think is along the lines of moving forward, > SHA-256 should be used, TLS 1.2 is a big part of the moving forward. > > To quote Bruce Schneier quoting the NSA "Attacks get better; > they never get worse." > > Mark > > > -----Original Message----- > From: tls-request@lists.ietf.org [mailto:tls-request@lists.ietf.org] > Sent: Wednesday, August 01, 2007 9:00 AM > To: tls@lists.ietf.org > Subject: TLS Digest, Vol 37, Issue 1 > > Send TLS mailing list submissions to > tls@lists.ietf.org > > To subscribe or unsubscribe via the World Wide Web, visit > https://www1.ietf.org/mailman/listinfo/tls > or, via email, send a message with subject or body 'help' to > tls-request@lists.ietf.org > > You can reach the person managing the list at > tls-owner@lists.ietf.org > > When replying, please edit your Subject line so it is more > specific than > "Re: Contents of TLS digest..." > > > Today's Topics: > > 1. RE: RFC 4507bis (Joseph Salowey (jsalowey)) > 2. Re: RFC 4507bis (Mike) > > > ---------------------------------------------------------------------- > > Message: 1 > Date: Tue, 31 Jul 2007 22:17:02 -0700 > From: "Joseph Salowey \(jsalowey\)" <jsalowey@cisco.com> > Subject: RE: [TLS] RFC 4507bis > To: "Mike" <mike-list@pobox.com>, <tls@ietf.org> > Message-ID: > > <AC1CFD94F59A264488DC2BEC3E890DE5043F329D@xmb-sjc-225.amer.cisco.com> > Content-Type: text/plain; charset="us-ascii" > > Hi Mike, > > Thanks for reviewing the document, comments inline below: > > > -----Original Message----- > > From: Mike [mailto:mike-list@pobox.com] > > Sent: Sunday, July 29, 2007 9:58 AM > > To: tls@ietf.org > > Subject: [TLS] RFC 4507bis > > > > I'm working on adding support for RFC 4507 to my code and > have found a > > > few issues with the draft. > > > > - Should the NewSessionTicket message be included > > in the hash used to create/verify the Finished > > message. I believe it should since it's a > > handshake message, but it's not stated anywhere. > > I think it would be a good idea to specifically > > state that it is. > > > [Joe]It is part of the TLS hello message and is therefore > included in the finished message. This is part of the TLS > extensions spec. I'm not sure we need to clarify it here. > > > > - Is it legal for the server to resume a session > > and not provide a NewSessionTicket? The message > > flow I'm referring to would look like this: > > > > Client Server > > ClientHello > > (SessionTicket extension) --> > > ServerHello > > (no SessionTicket extension) > > [ChangeCipherSpec] > > <-- Finished > > [ChangeCipherSpec] > > Finished --> > > Application Data <-> Application Data > > > > If this is not allowed, it should probably be > > stated that when a server resumes a session using > > a SessionTicket, it MUST send an empty Session > > Ticket extension and a NewSessionTicket message > > (optionally with an empty ticket). > > > [Joe] It is legal to not provide a new session ticket if you > do not provide an empty session ticket extension from the > server. However if you include an empty session ticket > extension from the server you must provide a NewSessionTicket > message (which may be empty). Some other reviewers have had > similar comments, is there a place where the text could be clearer? > > > - It may be useful to state that the MAC computation > > in the ticket is over the encrypted contents to > > be able to quickly reject a ticket and not have to > > perform a decryption first. > > > [Joe] This is a implementation detail that I'm not sure we > need to go into in the specification. > > > - Should HMAC-SHA256 be recommended instead of > > HMAC-SHA1? > > > [Joe] I was under the impression that most people were OK with > HMAC-SHA-1 use for the foreseeable future. If this is not > the case we can probably change it to HMAC-SHA-256. > > > - StatePlaintext needs more data fields when TLS > > extensions are used such as max fragment length. > > This should be obvious, but it wouldn't hurt to > > state. > > > > Mike > > > > _______________________________________________ > > TLS mailing list > > TLS@lists.ietf.org > > https://www1.ietf.org/mailman/listinfo/tls > > > > > > ------------------------------ > > Message: 2 > Date: Wed, 01 Aug 2007 07:43:55 -0700 > From: Mike <mike-list@pobox.com> > Subject: Re: [TLS] RFC 4507bis > To: tls@ietf.org > Message-ID: <46B09C2B.70609@pobox.com> > Content-Type: text/plain; charset=ISO-8859-1; format=flowed > > >> - Should the NewSessionTicket message be included > >> in the hash used to create/verify the Finished > >> message. I believe it should since it's a > >> handshake message, but it's not stated anywhere. > >> I think it would be a good idea to specifically > >> state that it is. > >> > > [Joe]It is part of the TLS hello message and is therefore > included in > > the finished message. This is part of the TLS extensions > spec. I'm > > not sure we need to clarify it here. > > I was referring to the NewSessionTicket message sent by the > server to the client just before ChangeCipherSpec. > I think you should state that it is included in the hash used > to create/verify the Finished messages. > > >> - Is it legal for the server to resume a session > >> and not provide a NewSessionTicket? The message > >> flow I'm referring to would look like this: > >> > >> Client Server > >> ClientHello > >> (SessionTicket extension) --> > >> ServerHello > >> (no SessionTicket extension) > >> [ChangeCipherSpec] > >> <-- Finished > >> [ChangeCipherSpec] > >> Finished --> > >> Application Data <-> Application Data > >> > >> If this is not allowed, it should probably be > >> stated that when a server resumes a session using > >> a SessionTicket, it MUST send an empty Session > >> Ticket extension and a NewSessionTicket message > >> (optionally with an empty ticket). > >> > > [Joe] It is legal to not provide a new session ticket if you do not > > provide an empty session ticket extension from the server. > However if > > you include an empty session ticket extension from the > server you must > > > provide a NewSessionTicket message (which may be empty). > Some other > > reviewers have had similar comments, is there a place where > the text > > could be clearer? > > The message flow diagram in the draft that shows session > resumption has the server send an empty SessionTicket > extension. If the message flow above is also allowed (where > no SessionTicket extension is sent by the server), then I > think you should include the diagram in the spec. > > > [Joe] I was under the impression that most people were OK with > > HMAC-SHA-1 use for the foreseeable future. If this is not > the case we > > > can probably change it to HMAC-SHA-256. > > I will leave that up to the experts to decide, but will use > SHA-256 in my code in any case. > > Mike > > > > ------------------------------ > > _______________________________________________ > TLS mailing list > TLS@lists.ietf.org > https://www1.ietf.org/mailman/listinfo/tls > > > End of TLS Digest, Vol 37, Issue 1 > ********************************** > > _______________________________________________ > TLS mailing list > TLS@lists.ietf.org > https://www1.ietf.org/mailman/listinfo/tls > _______________________________________________ TLS mailing list TLS@lists.ietf.org https://www1.ietf.org/mailman/listinfo/tls
- [TLS] RE: RFC 4507bis (Joseph Salowey (jsalowey)) Mark Tillinghast
- RE: [TLS] RE: RFC 4507bis (Joseph Salowey (jsalow… Joseph Salowey (jsalowey)