Re: [TLS] Comments on TLS identity protection
Eric Rescorla wrote:
>
> The good news is that TLS has a very simple mechanism for achieving
> this: do an ordinary TLS handshake without client authentication
> and then do an immediate re-handshake with client auth. As the
> authors observe, this is slower (two sets of crypto computations
> and 4 RTTs) than a specialized identity protection mode. However,
> it is available now and as far as I can tell is rarely done.
> I don't find the argument that there is a large demand for this
> feature if it were only 50% faster particularly persuasive.
> Rather, this seems like a premature optimization.
It is not as rare as you might think. It is actually the
default in Microsoft's IIS with some configurations, in that
IIS only requests SSL client authentication after
having seen the request (URL). It might be a side-effect
of NOT requiring SSL client authentication on the root/home
page of the web server and only for certain areas/paths.
-Martin
_______________________________________________
TLS mailing list
TLS@xxxxxxxxxxxxxx
https://www1.ietf.org/mailman/listinfo/tls