
Re: [TLS] Please discuss: draft-housley-evidence-extns-00 - brokerage illustration



"Mark Brown" <mark@xxxxxxxxxxxxxxxxxxxx> writes:
> Let me retrace Eric's line of thought first, using his broker illustration:
>
> 1) 100s of fetches to accomplish a trade:  In HTTP the TCP/IP session gets
> torn down after every fetch.

Uh, not in any modern HTTP stack, no. I refer you to RFC 2616 S 8.1.


> This TLS client configuration line identifies one DNS name and port number
> for which the client will always ClientHello using TLS Evidence.

It does what??? I need to hard-configure some list of names and ports?
That scales how?


> To one of Eric's concerns, in this illustration there really is no change
> required for either the TLS client or the TLS server APIs (i.e. how the
> application interacts programmatically with the TLS layer).

No. The server *still* needs to check that he's actually getting
evidence. I.e., that the client is coming in through the right
virtual server (unless you're proposing that I rearchitect
all my server apps to split every kind of transaction into
two different servers), and there's still the relative inefficiency
of your signature mechanism, which is conservatively a factor of 2-4
slower than app-level signatures.

So, you've had to modify both client and server, you quite
possibly had to substantially rearchitect the server, and the
client has to have some semi-manual configuration settings to
determine when it offers evidence. None of this seems
particularly convenient.

To uplevel a moment, I'm not arguing that you can't make some proposal
along the lines you indicate sort of work. What I am arguing is that
it isn't substantially simpler than the application-level signature
alternatives, that it offers inferior semantics, and that it doesn't
fit well with the TLS architecture. None of this discussion has
changed my views on that point.

-Ekr


_______________________________________________
TLS mailing list
TLS@xxxxxxxxxxxxxx
https://www1.ietf.org/mailman/listinfo/tls