Re: [TLS] 1rtt thoughts

James Cloos <> Tue, 15 July 2014 19:57 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id 22D4C1A0086 for <>; Tue, 15 Jul 2014 12:57:48 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.652
X-Spam-Status: No, score=-2.652 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RP_MATCHES_RCVD=-0.651, SPF_PASS=-0.001] autolearn=ham
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id 9kjDiTlQpP_U for <>; Tue, 15 Jul 2014 12:57:46 -0700 (PDT)
Received: from ( [IPv6:2604:2880::b24d:a297]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 53E551A0083 for <>; Tue, 15 Jul 2014 12:57:46 -0700 (PDT)
Received: by (Postfix, from userid 10) id 5C27E21BB3; Tue, 15 Jul 2014 19:57:45 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=ore14; t=1405454265; bh=Y4d26wF0YMy1ZX/+lxmg3IR2HxsmsZ2DuVMFfbSyOm8=; h=From:To:Cc:Subject:In-Reply-To:References:Date:From; b=F/QqRxz383czCRemIIW6DjVOO0f51vWSn65/aHsHtt4nu2/4UgZMDP/6ceGK+8TLU eWEU1f/uTRDq55BkSE1TtdviT0t+y1UMxKqgPq/4aQNqT6jlYip2v7j0XWZCkkVqQX aCoFTj7dbJaK498P/yBPD7R7h2k2NKqiuGR3c3Es=
Received: by (Postfix, from userid 500) id 3CD5560028; Tue, 15 Jul 2014 19:51:39 +0000 (UTC)
From: James Cloos <>
To: Michael StJohns <>
In-Reply-To: <> (Michael StJohns's message of "Tue, 15 Jul 2014 14:37:31 -0400")
References: <> <> <> <> <> <>
User-Agent: Gnus/5.130012 (Ma Gnus v0.12) Emacs/24.4.50 (gnu/linux)
Copyright: Copyright 2014 James Cloos
OpenPGP: 0x997A9F17ED7DAEA6; url=
OpenPGP-Fingerprint: E9E9 F828 61A4 6EA9 0F2B 63E7 997A 9F17 ED7D AEA6
Date: Tue, 15 Jul 2014 15:51:39 -0400
Message-ID: <>
Lines: 24
MIME-Version: 1.0
Content-Type: text/plain
Subject: Re: [TLS] 1rtt thoughts
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 15 Jul 2014 19:57:48 -0000

>>>>> "MS" == Michael StJohns <> writes:

MS> I'm wondering if there isn't some application where interspersing
MS> TLS with plaintext (or maybe multiple differently credentialed TLS
MS> sessions) over the life of the TCP connection has any utility.

There are several protocols where multiple credentials make sense.

Among them are imap, pop, ftp and any of the tls-capable sql protocols.
I'm sure there are several more I cannot think of just now.

It may be uncommon to switch identities mid-stream, but not unknown.

I doubt many currently use tls mutual auth in such a fashion, rather
than application-level aaa, but they could.

(Of the protocols I though of above, pgsql is the one where I've most
often changed users in place and where cert auth is a viable option.
That being said, I've never tested whether changing roles works with a
connection which requires cert auth.)

James Cloos <>         OpenPGP: 0x997A9F17ED7DAEA6