[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [TLS] Comments on TLS identity protection

To: Pasi.Eronen@xxxxxxxxx
Subject: Re: [TLS] Comments on TLS identity protection
From: badra <badra@xxxxxxxx>
Date: Wed, 20 Dec 2006 15:08:28 +0100
Cc: tls@xxxxxxxx
In-reply-to: <B356D8F434D20B40A8CEDAEC305A1F24038FD679@xxxxxxxxxxxxxxxxxxxxxx>
List-archive: <http://www1.ietf.org/pipermail/tls>
List-help: <mailto:tls-request@lists.ietf.org?subject=help>
List-id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.lists.ietf.org>
List-post: <mailto:tls@lists.ietf.org>
List-subscribe: <https://www1.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@lists.ietf.org?subject=subscribe>
List-unsubscribe: <https://www1.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@lists.ietf.org?subject=unsubscribe>
References: <B356D8F434D20B40A8CEDAEC305A1F24038FD679@xxxxxxxxxxxxxxxxxxxxxx>
User-agent: Thunderbird 1.5.0.8 (Windows/20061025)

Hi Pasi,

Pasi.Eronen@xxxxxxxxx a écrit :

If the extra computations occur only in very rare situations,it's perfectly reasonable not to care about it

I disagree. Anybody can connect to your server at any time and doinguncompleted double handshake. It is not a rare situation.

(at leastsufficiently to spend the $$$ for designing, implementing,testing, deploying, etc. a new mechanism).


How much :). The proposed changes are minimal.

My point was that we *already* have one mechanism for client privacy
in TLS. Thus IMHO the right question to ask is *NOT* which one ismore efficient and preferred, but rather is the existing mechanismso bad that we should spend effort in adding *another* one?

I tried to explain why double handshake is not good in terms ofoptimization and security consideration.

Well, I know your opinion regarding the double handshake sinceMontreal's meeting when you said "it would the same end result as addinga couple of roundtrips".Note that double handshake at this time was not described indraft-simon-emu-rfc2716bis-03 and it has been added by August 2006, onemonth after Montreal meeting and three months afterdraft-urien-badra-eap-tls-identity-protection :)

I think deployment-wise, double handshake has the advantage that
it's already specified and implemented.


Any link to test the implementation, please?

Best regards,
Badra


_______________________________________________
TLS mailing list
TLS@xxxxxxxxxxxxxx
https://www1.ietf.org/mailman/listinfo/tls

Follow-Ups:
- RE: [TLS] Comments on TLS identity protection
  - From: Pasi.Eronen

References:
- RE: [TLS] Comments on TLS identity protection
  - From: Pasi.Eronen

Prev by Date: Re: [TLS] GSS-API extension draft available
Next by Date: RE: [TLS] Comments on TLS identity protection
Previous by thread: RE: [TLS] Comments on TLS identity protection
Next by thread: RE: [TLS] Comments on TLS identity protection
Index(es):
- Date
- Thread