RE: [TLS] Comments on TLS identity protection
Peter Williams <home_pw@msn.com> Wed, 20 December 2006 09:08 UTC
Message-ID: <BAY103-W52E7A44762FB70257801C92CF0@phx.gbl>
From: Peter Williams <home_pw@msn.com>
To: martin.rex@sap.com, Eric Rescorla <ekr@networkresonance.com>
Subject: RE: [TLS] Comments on TLS identity protection
Date: Wed, 20 Dec 2006 01:07:59 -0800
Cc: tls@ietf.org

Microsoft has a long history of exploiting this feature, in various ways. Actually goes back to their own PCT proposal, when they were differentiating its features from SSLv2.

Fascinating to see this all being "reinvented/reargued" 10 years after it was all debated the first time around. Though, there is a big difference between the then (web culture) and now (internet culture). Very different tone.

> From: martin.rex@sap.com
> Subject: Re: [TLS] Comments on TLS identity protection
> To: ekr@networkresonance.com
> Date: Tue, 19 Dec 2006 22:00:29 +0100
> CC: tls@ietf.org
>
> Eric Rescorla wrote:
> >
> > The good news is that TLS has a very simple mechanism for achieving
> > this: do an ordinary TLS handshake without client authentication
> > and then do an immediate re-handshake with client auth. As the
> > authors observe, this is slower (two sets of crypto computations
> > and 4 RTTs) than a specialized identity protection mode. However,
> > it is available now and as far as I can tell is rarely done.
> > I don't find the argument that there is a large demand for this
> > feature if it were only 50% faster particularly persuasive.
> > Rather, this seems like a premature optimization.
>
> It is not as rare as you might think. It is actually the
> default in Microsoft's IIS with some configurations that
> IIS only requests SSL client authentication after
> having seen the request (URL). It might be a side-effect
> of NOT requiring SSL client authentication on the root/home
> page of the webserver and only for certain areas/paths.
>
> -Martin