
Re: [TLS] Comments on TLS identity protection



<home_pw@xxxxxxx> writes:

> Normally, client auth is not allowed on a PKI-class ciphersuite, if
> the server has not performed server auth. (In a mix of PKI and non-PKI
> ciphersuites - during a change-cipher-spec between the two - things are
> admittedly more ambiguous.)
>
> On a PKI-class limited renegotiation case (or a session resumption
> case), server auth is implied, of course - assuming both enc and mac
> cipher mechanisms are not NULL.

There's no way in TLS to currently have a NULL MAC algorithm.
I doubt there is likely to be one soon.


> For SSL3 using the RSA ciphersuites, one can ask for client auth on
> handshake#2, without having provided server cert chain on that second
> 'shake; server auth being established in the TLS resumed session (and
> renewed Connection) state.

I don't believe that this is correct. The state machines for the
two handshakes aren't really related. What language leads you
to believe that this is OK?


> (I've still simply (and honestly) no idea what TLS1.0 TLS1.1 (or
> either of those stds with their "RFC updates" demands) being entirely
> different beasts to SSL3.)

I doubt the language has changed substantially in this respect. I
don't recall the WG clarifying this text.

-Ekr

_______________________________________________
TLS mailing list
TLS@xxxxxxxxxxxxxx
https://www1.ietf.org/mailman/listinfo/tls