Re: [TLS] Comments on TLS identity protection



On Tue, Dec 19, 2006 at 10:15:01PM +0100, Martin Rex wrote:

>> However, as you say in most cases the request for client auth
>> is contingent upon seeing the request and so a rehandshake is
>> required here in any case. A one-pass protocol wouldn't work
>> here.

> I had the same thought but completely failed to point this out.
> 
> In the not uncommon case with IIS renegotiating after having
> evaluated the HTTP(S)-request, [...]

This, by the way, applies not only to IIS servers.  The Apache HTTP
server with mod_ssl can also be configured to request client
certificates only for specific requests, which of course is achieved
through a renegotiation.  This approach is reasonable not only for
HTTP applications: An SMTP server supporting TLS might perform
certificate-based client authentication only when used as a mail
relay, and finish without attempting client authentication if
a connection only involves local mail delivery.

Bodo
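The per-request client-certificate requirement described in the message above, shown as an added illustration rather than configuration from the original post: an Apache httpd mod_ssl virtual host that requests no client certificate in the initial handshake and only demands one for a single URL path. The hostname, certificate paths and the `/admin/` location are placeholders I chose for the example.

```apache
# Added example (not from the original message): Apache httpd with mod_ssl.
# Hostname, file paths and the /admin/ path are assumed placeholders.
<VirtualHost *:443>
    ServerName            example.test
    SSLEngine             on
    SSLCertificateFile    /etc/ssl/certs/example.test.pem
    SSLCertificateKeyFile /etc/ssl/private/example.test.key
    SSLCACertificateFile  /etc/ssl/certs/client-ca.pem

    # Default for the whole host: the initial handshake does not ask the
    # client for a certificate at all.
    SSLVerifyClient none

    # Only this path requires a client certificate.  Because the decision
    # depends on the request URI, the server can only learn it after the
    # first handshake has completed and the request has been read, so
    # mod_ssl renegotiates on this connection to perform client auth.
    <Location /admin/>
        SSLVerifyClient require
        SSLVerifyDepth  2
    </Location>
</VirtualHost>
```

Two things worth checking when deploying this pattern: the request that triggered the renegotiation has already been received in full (including any body) before the client certificate is verified, so the application must not act on it until the renegotiated session is established; and renegotiation exists only in TLS 1.2 and earlier, so with TLS 1.3 the same per-path behaviour relies on post-handshake client authentication (RFC 8446, section 4.6.2), which the client must explicitly signal support for.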


_______________________________________________
TLS mailing list
TLS@xxxxxxxxxxxxxx
https://www1.ietf.org/mailman/listinfo/tls