Re: [TLS] User Defined Key Pair
Juho Vähä-Herttua <juhovh@iki.fi> Tue, 25 June 2013 07:57 UTC
Return-Path: <juhovh@iki.fi>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C705D21F99A7 for <tls@ietfa.amsl.com>; Tue, 25 Jun 2013 00:57:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.903
X-Spam-Level:
X-Spam-Status: No, score=-0.903 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, MIME_8BIT_HEADER=0.3, MIME_QP_LONG_LINE=1.396]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pewOOSd+5cTM for <tls@ietfa.amsl.com>; Tue, 25 Jun 2013 00:57:07 -0700 (PDT)
Received: from jenni2.inet.fi (mta-out.inet.fi [195.156.147.13]) by ietfa.amsl.com (Postfix) with ESMTP id 97ACB21F8842 for <tls@ietf.org>; Tue, 25 Jun 2013 00:57:06 -0700 (PDT)
Received: from [10.48.168.207] (188.238.43.207) by jenni2.inet.fi (8.5.140.03) id 51BB235B00D18A02; Tue, 25 Jun 2013 10:57:03 +0300
References: <CALxQUYGdagDHr+A4EKN5qPD1jZG+dH8PHwb0-fKJVUN_vC1MSg@mail.gmail.com> <2A0EFB9C05D0164E98F19BB0AF3708C711B251EE97@USMBX1.msg.corp.akamai.com> <CALxQUYGpcKPOAoZ8J56AoUGx8B3JhdmMche8MdQuqD_S=Y22ZQ@mail.gmail.com> <2A0EFB9C05D0164E98F19BB0AF3708C711B251EF0E@USMBX1.msg.corp.akamai.com> <CALxQUYF1=oFBk=WZFoey+28j7MV7YvSkAD-YzJSeQ0Dp7uXmEA@mail.gmail.com> <2A0EFB9C05D0164E98F19BB0AF3708C711B251EFFF@USMBX1.msg.corp.akamai.com> <CALxQUYH-4HR7sO2jfxQnbro6+xM5hD_hdW-K_a-Esd9yiZ+oug@mail.gmail.com>
Mime-Version: 1.0 (1.0)
In-Reply-To: <CALxQUYH-4HR7sO2jfxQnbro6+xM5hD_hdW-K_a-Esd9yiZ+oug@mail.gmail.com>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Message-Id: <F4FD7A8A-4801-46B3-87B1-5CB1FB0CDE55@iki.fi>
X-Mailer: iPhone Mail (10B329)
From: Juho Vähä-Herttua <juhovh@iki.fi>
Date: Tue, 25 Jun 2013 10:56:50 +0300
To: "OMAR HASSAN (RIT Student)" <omh1835@rit.edu>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] User Defined Key Pair
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 25 Jun 2013 07:57:12 -0000
This discussion forced me to take a look at the draft. The whole security of the system seems to be dependant on the security of the "browser plugin" and its key generation and encryption algorithms, which are not defined in the draft. I don't see how this could possibly be an interoperable standard as it is. On 25.6.2013, at 0.29, "OMAR HASSAN (RIT Student)" <omh1835@rit.edu> wrote: > When the user enrolls into one of those websites, and let's say he will go with the second option of using a usb as a second factor authentication, where the password is something he knows, and the usb is something he has. What if someone detects this enrollment and sends a new public key for the user before the user has time to fill all the fields? Sounds like a race condition to me. > Self signed certificate is very dangerous because the user will not have a way to verify the identity of the certificate owner and he could be a victim to a man in the middle attack. But at least the keys are generated using a truly random seed, instead of part of the seed being predictable (username, password, security question) which actually sounds worse to me. I don't see how this is different from generating a self signed client cert and verifying it with for example HMAC with username+password+question derived secret. If you already need a custom browser plugin to handle the login, you can put all your custom logic there and use standard TLS for the rest. Juho
- [TLS] User Defined Key Pair OMAR HASSAN (RIT Student)
- Re: [TLS] User Defined Key Pair Salz, Rich
- Re: [TLS] User Defined Key Pair OMAR HASSAN (RIT Student)
- Re: [TLS] User Defined Key Pair Salz, Rich
- Re: [TLS] User Defined Key Pair OMAR HASSAN (RIT Student)
- Re: [TLS] User Defined Key Pair Salz, Rich
- Re: [TLS] User Defined Key Pair OMAR HASSAN (RIT Student)
- Re: [TLS] User Defined Key Pair Stephan T.
- Re: [TLS] User Defined Key Pair Juho Vähä-Herttua
- Re: [TLS] User Defined Key Pair Robert Cragie
- Re: [TLS] User Defined Key Pair Salz, Rich
- Re: [TLS] User Defined Key Pair OMAR HASSAN (RIT Student)
- Re: [TLS] User Defined Key Pair Paras Shah
- Re: [TLS] User Defined Key Pair Blumenthal, Uri - 0558 - MITLL
- Re: [TLS] User Defined Key Pair OMAR HASSAN (RIT Student)
- Re: [TLS] User Defined Key Pair Hannes Tschofenig
- Re: [TLS] User Defined Key Pair OMAR HASSAN (RIT Student)
- Re: [TLS] User Defined Key Pair OMAR HASSAN (RIT Student)
- Re: [TLS] User Defined Key Pair Juho Vähä-Herttua
- Re: [TLS] User Defined Key Pair Juho Vähä-Herttua
- Re: [TLS] User Defined Key Pair OMAR HASSAN (RIT Student)
- Re: [TLS] User Defined Key Pair Paras Shah
- Re: [TLS] User Defined Key Pair Dan Harkins
- Re: [TLS] User Defined Key Pair OMAR HASSAN (RIT Student)
- Re: [TLS] User Defined Key Pair Dan Harkins
- Re: [TLS] User Defined Key Pair Alex Elsayed
- Re: [TLS] User Defined Key Pair OMAR HASSAN (RIT Student)
- Re: [TLS] User Defined Key Pair OMAR HASSAN (RIT Student)