Re: [TLS] Renegotiation: trying to summarize
Watson Ladd <watsonbladd@gmail.com> Wed, 25 June 2014 02:18 UTC
Return-Path: <watsonbladd@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1D8EC1B2A4C for <tls@ietfa.amsl.com>; Tue, 24 Jun 2014 19:18:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.4
X-Spam-Level:
X-Spam-Status: No, score=-1.4 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, J_CHICKENPOX_66=0.6, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id niNsTeJu8H92 for <tls@ietfa.amsl.com>; Tue, 24 Jun 2014 19:18:28 -0700 (PDT)
Received: from mail-yk0-x22a.google.com (mail-yk0-x22a.google.com [IPv6:2607:f8b0:4002:c07::22a]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C518D1B2A44 for <tls@ietf.org>; Tue, 24 Jun 2014 19:18:28 -0700 (PDT)
Received: by mail-yk0-f170.google.com with SMTP id q9so737169ykb.15 for <tls@ietf.org>; Tue, 24 Jun 2014 19:18:28 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=UAYY48BGFVLCXUzVoLBc9C2o9Iq8uSj/KJ0F9klIFm4=; b=yTNhBHTTS+p0zrYa9KrIpCGk26JMmeeO26PVyuV5pWx3gCeWiIPdmdqn1QWOztUE8h 063oHghlvYC9KeAcV14sok+PtjP4Mbesxke9RqYmUYRqrKI/1hjYrA+BWqoH4RhiNcZT egto6jyFCFx3Uqix6eQT8lCxX9cgG19USm/vmz2pv1I8SWyqp1bDWmouTaY3OZOiwAXj 9takgs9/ddho1TXxlJE3fZzEcvc1QtcQQk8w2shz1Hs++dpB29RXLDuTn02aOldgrYhN Ki6dy4ZRQs2JqhWD9js5x19yN4YQwt0H3MIbakov08npx2hWi1HgoSilc1EHORtB/u36 chug==
MIME-Version: 1.0
X-Received: by 10.236.108.176 with SMTP id q36mr6776507yhg.87.1403662708072; Tue, 24 Jun 2014 19:18:28 -0700 (PDT)
Received: by 10.170.39.136 with HTTP; Tue, 24 Jun 2014 19:18:28 -0700 (PDT)
In-Reply-To: <20140624234351.32F161AD64@ld9781.wdf.sap.corp>
References: <m2mwd8v52b.fsf@localhost.localdomain> <20140624234351.32F161AD64@ld9781.wdf.sap.corp>
Date: Tue, 24 Jun 2014 19:18:28 -0700
Message-ID: <CACsn0c=0XdhWg902_v0Fgd8mLL+-EFTA6pCBJ0tZz+wLaxUg1w@mail.gmail.com>
From: Watson Ladd <watsonbladd@gmail.com>
To: "mrex@sap.com" <mrex@sap.com>
Content-Type: text/plain; charset="UTF-8"
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/po0w5FgD1IIGXunKvOC9110ZzEw
Cc: Geoffrey Keating <geoffk@geoffk.org>, "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Renegotiation: trying to summarize
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 25 Jun 2014 02:18:30 -0000
On Tue, Jun 24, 2014 at 4:43 PM, Martin Rex <mrex@sap.com> wrote: > Geoffrey Keating wrote: >> >> I believe there was also a proposal to allow client auth at any point >> during the session, but not renegotiate: no new ciphers, no new keys, >> just send CertificateRequest and get back Client Certificate and >> CertificateVerify. This does prevent use of client certificates with >> encryption-only algorithms, but it seems such a thing should be used >> from the start of the connection anyway. >> >> Compared to renegotiation this allows many simplifications: > > I believe that just the opposite is true, this opens a whole new can > of worms. > > Really, the existing renegotiation is both strong and simple. > > > For most of our (customer's) usage scenarios, TLS session caching > is a MUST, and the session caching concept with renegotiation is > simple and clear. > > A TLS session that authenticates only the server (certificate) within > TLS has different properties than a TLS session that authenticates > both, client&server. With traditional renegotiation, these are > distinct SSL sessions (as far as caching is concerned), and either > one can be resumed. Yes, this is a problem that has to be carefully considered if we permit state changes in TLS. > > > The most common use of renegotiation is to change the status of > one (or both) peers from not authenticated in the existing session > to authenticated in the renegotiated session. > > There was a problem with TLS implementations *NOT* nailing down > an authenticated identiy to _not_change_ during renegotiation, unless > the application has specifically requested for this to be allowed > through new/non-standard API calls (this is nothing that should happen > to an application by mere configuration tweaks). This problem has > already been described in the security considerations of rfc5746 > and it was the interim workaround suggested to browsers for the > triple-handshake-attack (which seem to have boldly ignored the > issue from the rfc5746 security considerations section...). There is nothing a client can do about the original renegotiation issue. With Triple-Handshake some usages (tls-unique channel bindings) are doomed, and others (web authentication) have to take special care that server names don't change on renegotiation, even though it was "fixed". It's not surprising that people ignored the need for client-side fixes, because rfc5746 had an extension that claimed to fix the problem without rewriting code. However, end of the day we have to deal with the implementations and code that we have. 90% of it cannot handle renegotiation correctly in the most general form. So we need to restrict the semantics, and how we do that I don't know, because I don't know what the expected semantics are. Sincerely, Watson Ladd > > > -Martin > > _______________________________________________ > TLS mailing list > TLS@ietf.org > https://www.ietf.org/mailman/listinfo/tls -- "Those who would give up Essential Liberty to purchase a little Temporary Safety deserve neither Liberty nor Safety." -- Benjamin Franklin
- [TLS] Renegotiation: trying to summarize Martin Thomson
- Re: [TLS] Renegotiation: trying to summarize Andrei Popov
- Re: [TLS] Renegotiation: trying to summarize Martin Thomson
- Re: [TLS] Renegotiation: trying to summarize Geoffrey Keating
- Re: [TLS] Renegotiation: trying to summarize Salz, Rich
- Re: [TLS] Renegotiation: trying to summarize Martin Thomson
- Re: [TLS] Renegotiation: trying to summarize Peter Gutmann
- Re: [TLS] Renegotiation: trying to summarize Martin Rex
- Re: [TLS] Renegotiation: trying to summarize Watson Ladd
- Re: [TLS] Renegotiation: trying to summarize Geoff Keating
- Re: [TLS] Renegotiation: trying to summarize henry.story@bblfish.net