[TLS] n00b question regarding TLS-OBC

Anders Rundgren <anders.rundgren@telia.com> Fri, 25 October 2013 14:34 UTC

Return-Path: <anders.rundgren@telia.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost []) by ietfa.amsl.com (Postfix) with ESMTP id 04CCA11E8340 for <tls@ietfa.amsl.com>; Fri, 25 Oct 2013 07:34:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.289
X-Spam-Status: No, score=-3.289 tagged_above=-999 required=5 tests=[AWL=0.310, BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([]) by localhost (ietfa.amsl.com []) (amavisd-new, port 10024) with ESMTP id lNhIDRDkE0lw for <tls@ietfa.amsl.com>; Fri, 25 Oct 2013 07:34:24 -0700 (PDT)
Received: from smtp-out12.han.skanova.net (smtp-out12.han.skanova.net []) by ietfa.amsl.com (Postfix) with ESMTP id 143F311E8314 for <tls@ietf.org>; Fri, 25 Oct 2013 07:34:24 -0700 (PDT)
Received: from [] ( by smtp-out12.han.skanova.net (8.5.133) (authenticated as u36408181) id 521DAB1700ED8DAE for tls@ietf.org; Fri, 25 Oct 2013 16:34:22 +0200
Message-ID: <526A8166.7090702@telia.com>
Date: Fri, 25 Oct 2013 16:34:14 +0200
From: Anders Rundgren <anders.rundgren@telia.com>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Thunderbird/24.0.1
MIME-Version: 1.0
To: "'tls@ietf.org'" <tls@ietf.org>
X-Enigmail-Version: 1.6
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Subject: [TLS] n00b question regarding TLS-OBC
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 25 Oct 2013 14:34:30 -0000

If I understand it correctly TLS-OBC uses TLS CCA (Client Certificate Authentication) .

But IMO TLS CCA has a number of thorny issues like:

- TLS CCA  is incompatible with the traditional web session model
   since TLS sessions run independently of web sessions

- TLS CCA lacks a logout mechanism

- Currently there is no support for TLS session management in for example Java Servlets
- A bunch of rather tricky and browser-specific workarounds for coping with the
  mentioned issues makes HTTPS CCA integration in web applications complex and

Does this not apply to TLS OBC as well?
I like the idea very much though so I hope that I'm dead-wrong :-)