IETF Logo Mail Archive

Re: [TLS] matching identity, by default

Marsh Ray <marsh@extendedsubset.com> Thu, 03 December 2009 13:54 UTC

Return-Path: <marsh@extendedsubset.com>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id B3C093A6A61 for <tls@core3.amsl.com>; Thu, 3 Dec 2009 05:54:15 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.508
X-Spam-Level:
X-Spam-Status: No, score=-2.508 tagged_above=-999 required=5 tests=[AWL=0.091, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9xmPFlRo6gNO for <tls@core3.amsl.com>; Thu, 3 Dec 2009 05:54:14 -0800 (PST)
Received: from mho-02-ewr.mailhop.org (mho-02-ewr.mailhop.org [204.13.248.72]) by core3.amsl.com (Postfix) with ESMTP id D6E9B3A684A for <tls@ietf.org>; Thu, 3 Dec 2009 05:54:14 -0800 (PST)
Received: from xs01.extendedsubset.com ([69.164.193.58]) by mho-02-ewr.mailhop.org with esmtpa (Exim 4.68) (envelope-from <marsh@extendedsubset.com>) id 1NGC8E-000OgO-7f; Thu, 03 Dec 2009 13:54:06 +0000
Received: from [127.0.0.1] (localhost [127.0.0.1]) by xs01.extendedsubset.com (Postfix) with ESMTP id 7183B603C; Thu, 3 Dec 2009 13:54:03 +0000 (UTC)
X-Mail-Handler: MailHop Outbound by DynDNS
X-Originating-IP: 69.164.193.58
X-Report-Abuse-To: abuse@dyndns.com (see http://www.dyndns.com/services/mailhop/outbound_abuse.html for abuse reporting information)
X-MHO-User: U2FsdGVkX1/Ht0YZpNDIqVJh++Qx5SQ7v8WADwiwGJo=
Message-ID: <4B17C2F9.9010802@extendedsubset.com>
Date: Thu, 03 Dec 2009 07:54:01 -0600
From: Marsh Ray <marsh@extendedsubset.com>
User-Agent: Thunderbird 2.0.0.23 (Windows/20090812)
MIME-Version: 1.0
To: Bodo Moeller <bmoeller@acm.org>
References: <C2329F9D-F5EF-4E8B-9EE8-ED246D7B7287@manger.com.au> <BF782069-544A-4842-B8C8-A9472C9794BB@acm.org>
In-Reply-To: <BF782069-544A-4842-B8C8-A9472C9794BB@acm.org>
X-Enigmail-Version: 0.96.0
OpenPGP: id=1E36DBF2
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
Cc: "tls@ietf.org Working Group" <tls@ietf.org>, James Manger <james@manger.com.au>
Subject: Re: [TLS] matching identity, by default
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 03 Dec 2009 13:54:15 -0000

Bodo Moeller wrote:
> TLS has never meant to allow a new
> client or server application entity to enter the conversation when a
> renegotiation handshake takes place

I disagree. The person(s) who added renegotiation clearly wanted to
enable multiple "application entities" to run on the same port 443.
These may be communicated over the same pool of active socket
connections, as Nelson Bolyard of NSS (hier of the Netscape legacy
implementation, twice removed) has described.

Whether or not that was a wise design, or whether it was implemented
perfectly is certainly debatable. We can all agree that certain
implications of this design were under-documented.

> Here's a new proposal:
> 
> "[..] TLS implementations MUST NOT use a change of Certificate
> information to indicate that subsequent application data will be in the
> responsibility of a different client or server application entity.

I don't support such wording. If someone wants to write a TLS
application layer protocol that way, there's no good reason for the spec
to prohibit it at this stage in the game.

> That
> is, if a new or changed Certificate message appears in a renegotiation
> handshake and is successfully verified, it is understood that this is a
> change in identification information only and not a change in identity."

It might not even be a swap-out change, it could be additive or have
other app-defined semantics. For example, a client or server application
could renegotiate ten times and provide ten different certificates, then
renegotiate to ephemeral Diffie-Hellman. The application protocol may be
defined to treat subsequent data as being authenticated to any or all of
the ten certificated identities.

Another point is that TLS doesn't have to run over TCP. Imagine you need
a way to securely convey authenticated data over a bare synchronous or
asynchronous link (e.g. RS-232). TLS would be a natural choice, but if
you restrict arbitrary certificate changes, you won't be able to use it
continuously. You'll have to drop out of TLS altogether and start a new
handshake, thus introducing unnecessary encryption and authentication gaps.

- Marsh

v2.23.0 | Report a Bug | By Email