[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [TLS] Comments on TLS identity protection

To: ekr@xxxxxxxxxxxxxxxxxxxx
Subject: Re: [TLS] Comments on TLS identity protection
From: Martin Rex <martin.rex@xxxxxxx>
Date: Wed, 20 Dec 2006 00:07:03 +0100 (MET)
Cc: tls@xxxxxxxx
In-reply-to: <868xh3pktk.fsf@xxxxxxxxxxxxxxxxxxxxxxxxxx> from "Eric Rescorla" at Dec 19, 6 02:44:39 pm
List-archive: <http://www1.ietf.org/pipermail/tls>
List-help: <mailto:tls-request@lists.ietf.org?subject=help>
List-id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.lists.ietf.org>
List-post: <mailto:tls@lists.ietf.org>
List-subscribe: <https://www1.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@lists.ietf.org?subject=subscribe>
List-unsubscribe: <https://www1.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@lists.ietf.org?subject=unsubscribe>
Reply-to: martin.rex@xxxxxxx

Eric Rescorla wrote:
> 
> "Kyle Hamilton" <aerowolf@xxxxxxxxx> writes:
> > On every renegotiation, does the server have to reauthenticate itself
> > (present its certificate again)?  Or can the credential on the client
> > side be cached to avoid that duplication?
> 
> I don't think I understand the question.
> 
> 1. You do a regular handshake with no client auth.
>
> 2. The server initiates a rehandshake with client auth. This has
>    to be a full handshake with a new key exchange.
> 
> Any future resumptions of the second session can be done out
> of cache.

When the server-requested renegotiation is application triggered,
as in the Microsoft IIS case, then the server better caches the
result along with the SSL session.

Microsoft IIS has a silly (performance-wasting) bug, where a client that
does either not have a client cert or does not show one (and requiring
the application to perform application level client authentication)
is continously forced through the renegotiation when the client
tries to resume the session from the session cache on a new connection.

-Martin

_______________________________________________
TLS mailing list
TLS@xxxxxxxxxxxxxx
https://www1.ietf.org/mailman/listinfo/tls

Follow-Ups:
- Re: [TLS] Comments on TLS identity protection
  - From: home_pw

References:
- Re: [TLS] Comments on TLS identity protection
  - From: Eric Rescorla

Prev by Date: Re: [TLS] Comments on TLS identity protection
Next by Date: Re: [TLS] Comments on TLS identity protection
Previous by thread: Re: [TLS] Comments on TLS identity protection
Next by thread: Re: [TLS] Comments on TLS identity protection
Index(es):
- Date
- Thread