Re: [TLS] [CHANNEL-BINDING] [sasl] Updates to

Martin Rex <> Tue, 23 March 2010 23:14 UTC


Larry Zhu wrote:
> It is amusing that if you actually suggest that it is more complex
> to leave the behavior as undefined.

The part that is a little funny (or weird) is something else.

When we realized that the original TLS renegotiation resulted,
in fact, in a completely different and unrelated channel than
its predecessor, and that all apps that blindly assumed it
would still be the same channel, we decided to fix TLS and
provide that assurance to the app.

_After_ fixing TLS renegotiation, it sounds strange to
define TLS channel bindings that clearly indicate that the
channel before TLS renegotiation and after TLS renegotiation
is _NOT_ the same channel (because it uses different channel
bindings and will make authentications fail that mix them up).

That is IMHO a little weird.
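The mismatch Martin describes can be made concrete with a small simulation. The code below is an added illustration, not part of this thread or of any IETF draft; it assumes a tls-unique style channel binding (a value taken from the Finished message of the most recent handshake on the connection) and models a SASL-like mechanism in which the client sends the binding it observed and the server compares it against its own view. If one side snapshots the binding before a renegotiation and the other side after it, the comparison fails even though both peers are on the same TCP connection.

```python
import hashlib
import hmac


class TlsConnection:
    """Toy model of one TLS connection that may renegotiate.

    Every handshake (initial or renegotiated) produces a Finished
    verify_data value; the channel binding is derived from the most
    recent one, which is the tls-unique style behaviour assumed here.
    The 'master secret' is a constructed constant so the run is
    deterministic; it is not real TLS key material.
    """

    CONSTRUCTED_SECRET = b"constructed-master-secret-for-demo"

    def __init__(self):
        self.finished_messages = []
        self._handshake()

    def _handshake(self):
        counter = len(self.finished_messages)
        verify_data = hashlib.sha256(
            self.CONSTRUCTED_SECRET + counter.to_bytes(4, "big")
        ).digest()[:12]  # 12 bytes, like TLS 1.x verify_data
        self.finished_messages.append(verify_data)

    def renegotiate(self):
        """A renegotiation is just another handshake on the same connection."""
        self._handshake()

    def channel_binding(self):
        """Binding of the channel as it exists right now."""
        return self.finished_messages[-1]


def server_checks_binding(client_cb, server_cb):
    """SASL-style check: the binding the client claims must equal the
    one the server derives from its own side of the TLS connection.
    Constant-time comparison, as a real implementation should use."""
    return hmac.compare_digest(client_cb, server_cb)


def simulate_authentication(snapshot_client_before_reneg):
    """Run one authentication over a connection that renegotiates.

    If the client captured its binding before the renegotiation while
    the server derives its binding afterwards, the two values come from
    different handshakes and the check fails.
    """
    conn = TlsConnection()
    cb_before = conn.channel_binding()
    conn.renegotiate()
    cb_after = conn.channel_binding()

    client_cb = cb_before if snapshot_client_before_reneg else cb_after
    server_cb = cb_after  # server reads the binding when it verifies
    return server_checks_binding(client_cb, server_cb)


if __name__ == "__main__":
    print("both sides after renegotiation:", simulate_authentication(False))
    print("client before, server after:  ", simulate_authentication(True))
```

The second line of output is the case the message objects to: the renegotiated connection is, from the channel-binding point of view, a different channel, and any authentication that spans the renegotiation breaks. A deployment that wants channel bindings to survive renegotiation has to ensure both peers sample the binding from the same handshake, for example by completing authentication before any renegotiation or by re-running it afterwards.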