Re: [TLS] [CHANNEL-BINDING] RESOLVED (Re: [sasl] last call comments (Last Call: draft-altman-tls-channel-bindings (Channel Bindings for TLS) to Proposed Standard))

Sam Hartman <> Wed, 04 November 2009 19:00 UTC

To: Nicolas Williams <>
References: <> <> <20091030223647.GO1105@Sun.COM> <> <> <20091104182704.GA1105@Sun.COM>
From: Sam Hartman <>
Date: Wed, 04 Nov 2009 14:00:20 -0500
In-Reply-To: <20091104182704.GA1105@Sun.COM> (Nicolas Williams's message of "Wed\, 4 Nov 2009 12\:27\:04 -0600")

>>>>> "Nicolas" == Nicolas Williams <> writes:

    Nicolas> On Wed, Nov 04, 2009 at 10:24:29AM -0800, Michael D'Errico wrote:
    >> I don't pretend to know exactly what this feature is supposed
    >> to do, but I think using the word "connection" would be a
    >> mistake given its widespread use meaning TCP connections, etc.

    Nicolas> At least the word 'connection' is used in RFC5246 _some_
    Nicolas> times to mean what we were using it to mean here.

Sanity check here: For the most part, there is a one-to-one mapping
between what we're talking about and TCP connections, right?  In
particular, for most applications, even applications with multiple
finish messages, grabbing the first finish message from a TCP
connection gives exactly the one we want.  Am I correctly
understanding our goal?

If so, this sounds fairly pedantic.  Pedantic is not bad--we should
get it to be correct.  However, for most app developers, it seems that
if they assume connection means TCP connection, the right thing will
happen.  If that's not true, then we have a lot of explaining to do,
because if I'm confused, then this is a hard problem to explain.