Re: [TLS] Comments on TLS identity protection

badra <badra@isima.fr> Wed, 20 December 2006 15:41 UTC

Pasi.Eronen@nokia.com wrote:
>> I disagree. Anybody can connect to your server at any time and
>> do an uncompleted double handshake. It is not a rare situation.
>>     
>
> Do you have any data to back that claim? 

No, unfortunately.

> The fact that anybody can
> connect at any time does not automatically imply that lots of people
> are connecting all the time!
> (And in particular, lots of people without client certificates
> connecting all the time to servers that always require client
> authentication, and without malicious intent to DoS the server.)
>   
But the "anybody" that can connect at any time will be able to establish 
several "double handshakes" in parallel, especially when TLS is used over 
EAP or UDP (I don't have data, but maybe Eric does).

My point is that the double handshake will increase complexity and will not 
help in reducing the TLS server overload factor, especially when legitimate 
clients that don't have certificates are trying to connect. Their number 
is not actually important.

>>> (at least sufficiently to spend the $$$ for designing, 
>>> implementing,  testing, deploying, etc. a new mechanism).
>>>       
>> How much :). The proposed changes are minimal.
>>     
>
> To get widespread deployment, several TLS implementations would 
> have to be updated, e.g. Microsoft Schannel, OpenSSL, Mozilla NSS, 
> JSSE, GnuTLS, etc. Getting any change, no matter how "minimal", 
> to them is not easy.
>   

I don't see the point here. Any TLS feature will require updating TLS 
implementations.

> Best regards,
> Pasi
>
>   

Best regards,
Badra

