RE: [TLS] Comments on TLS identity protection

Peter Williams <home_pw@msn.com> Wed, 20 December 2006 09:08 UTC

From: Peter Williams <home_pw@msn.com>
To: martin.rex@sap.com, Eric Rescorla <ekr@networkresonance.com>
Subject: RE: [TLS] Comments on TLS identity protection
Date: Wed, 20 Dec 2006 01:07:59 -0800
Cc: tls@ietf.org

Microsoft has a long history of exploiting this feature, in various ways. It actually goes
back to their own PCT proposal, when they were differentiating its features from
SSLv2.
Fascinating to see this all being "reinvented/reargued" 10 years after it was
all debated the first time around. Though, there is a big difference between the
then (web culture) and now (internet culture). Very different tone.
 



> From: martin.rex@sap.com
> Subject: Re: [TLS] Comments on TLS identity protection
> To: ekr@networkresonance.com
> Date: Tue, 19 Dec 2006 22:00:29 +0100
> CC: tls@ietf.org
>
> Eric Rescorla wrote:
> >
> > The good news is that TLS has a very simple mechanism for achieving
> > this: do an ordinary TLS handshake without client authentication
> > and then do an immediate re-handshake with client auth. As the
> > authors observe, this is slower (two sets of crypto computations
> > and 4 RTTs) than a specialized identity protection mode. However,
> > it is available now and as far as I can tell is rarely done.
> > I don't find the argument that there is a large demand for this
> > feature if it were only 50% faster particularly persuasive.
> > Rather, this seems like a premature optimization.
>
> It is not as rare as you might think. It is actually the
> default in Microsoft's IIS with some configurations that
> IIS only requests SSL client authentication after
> having seen the request (URL). It might be a side-effect
> of NOT requiring SSL client authentication on the root/home
> page of the webserver and only for certain areas/paths.
>
>
> -Martin
>
> _______________________________________________
> TLS mailing list
> TLS@lists.ietf.org
> https://www1.ietf.org/mailman/listinfo/tls
_______________________________________________
TLS mailing list
TLS@lists.ietf.org
https://www1.ietf.org/mailman/listinfo/tls
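The two-handshake pattern Eric describes in the quoted exchange, as an added illustration that is not part of the thread or of any TLS implementation: a small Python model of TLS 1.2 record framing that scans a captured flow and counts client Certificate messages still readable on the wire, i.e. sent before the client's ChangeCipherSpec. All message bodies, flow names and the two flows themselves are constructed placeholders, not captured traffic.

```python
import struct

HANDSHAKE, CHANGE_CIPHER_SPEC = 22, 20  # TLS record content types
CLIENT_HELLO, SERVER_HELLO, CERTIFICATE, CERT_REQUEST, SERVER_DONE, CERT_VERIFY, KEY_EXCHANGE = 1, 2, 11, 13, 14, 15, 16

def record(ctype, payload):  # TLS record: type (1) | version (2) | length (2) | payload
    return bytes([ctype]) + b"\x03\x03" + struct.pack("!H", len(payload)) + payload
def hs(msg_type, body):  # handshake message: type (1) | length (3) | body
    return bytes([msg_type]) + len(body).to_bytes(3, "big") + body

def handshake_types(payload):
    # Yield the types of the (possibly coalesced) handshake messages in one plaintext record
    off = 0
    while off + 4 <= len(payload):
        yield payload[off]
        off += 4 + int.from_bytes(payload[off + 1:off + 4], "big")

def plaintext_client_certificates(records):
    """Count client Certificate messages sent before the client's ChangeCipherSpec (readable on the wire)."""
    encrypted = {"client": False, "server": False}
    exposed = 0
    for sender, raw in records:  # records: list of (sender, raw_record_bytes), in wire order
        ctype, length = raw[0], struct.unpack("!H", raw[3:5])[0]
        if encrypted[sender]:
            continue  # ciphertext from here on: a passive observer cannot read it either
        if ctype == CHANGE_CIPHER_SPEC:
            encrypted[sender] = True
        elif ctype == HANDSHAKE and sender == "client":
            exposed += sum(t == CERTIFICATE for t in handshake_types(raw[5:5 + length]))
    return exposed
# Constructed flows with placeholder bodies; runs of 0x00 stand in for encrypted records.
CCS = record(CHANGE_CIPHER_SPEC, b"\x01")
FINISHED_ENC = record(HANDSHAKE, b"\x00" * 16)
SERVER_FLIGHT = hs(SERVER_HELLO, b"hello") + hs(CERTIFICATE, b"<server cert>")
# A: client authentication requested in the one and only handshake
SINGLE_HANDSHAKE = [
    ("client", record(HANDSHAKE, hs(CLIENT_HELLO, b"hello"))),
    ("server", record(HANDSHAKE, SERVER_FLIGHT + hs(CERT_REQUEST, b"") + hs(SERVER_DONE, b""))),
    ("client", record(HANDSHAKE, hs(CERTIFICATE, b"<client cert>") + hs(KEY_EXCHANGE, b"cke")
                                 + hs(CERT_VERIFY, b"sig"))),
    ("client", CCS), ("client", FINISHED_ENC),
]
# B: anonymous handshake first, then an immediate re-handshake with client auth under its keys
RENEGOTIATED = [
    ("client", record(HANDSHAKE, hs(CLIENT_HELLO, b"hello"))),
    ("server", record(HANDSHAKE, SERVER_FLIGHT + hs(SERVER_DONE, b""))),
    ("client", record(HANDSHAKE, hs(KEY_EXCHANGE, b"cke"))),
    ("client", CCS), ("client", FINISHED_ENC), ("server", CCS), ("server", FINISHED_ENC),
    ("client", record(HANDSHAKE, b"\x00" * 96)),  # second ClientHello, Certificate, ... all encrypted
]
```

Flow A reports one exposed client certificate; flow B reports none, because the re-handshake runs inside the record layer keyed by the first handshake, at the cost of the second round of computation and round trips the thread discusses.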