[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [TLS] TLS document status update

To: tls@xxxxxxxx
Subject: Re: [TLS] TLS document status update
From: Nelson B Bolyard <nelson@xxxxxxxxxxx>
Date: Tue, 29 Apr 2008 08:14:09 -0700
Delivered-to: tls@xxxxxxxxxxxxxx
In-reply-to: <1696498986EFEC4D9153717DA325CB727BC503@xxxxxxxxxxxxxxxxxxxxxx>
List-help: <mailto:tls-request@ietf.org?subject=help>
List-id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-post: <mailto:tls@ietf.org>
List-subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
List-unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
Organization: Network Security Services
References: <1696498986EFEC4D9153717DA325CB727BC503@xxxxxxxxxxxxxxxxxxxxxx>
Sender: tls-bounces@xxxxxxxx
User-agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; rv:1.9b3pre) Gecko/2008020302 NOT Firefox/2.0 SeaMonkey/2.0a1pre

Pasi.Eronen@xxxxxxxxx wrote, On 2008-04-29 05:18:
> Here's a short status update on TLS WG documents:

> draft-ietf-tls-rfc4366-bis
>    
>    The only technical issue is whether (and how) to mandate
>    including the hash in certificate_url message. Everyone except
>    Nelson has supported making the hash mandatory.
> 
>    If I understand Nelson's view correctly, he considers the
>    original use case for omitting the hash (CA automatically posts
>    renewed certificates at certain URL, and the client does not
>    necessarily have a copy of the latest cert) more important than
>    the (rather theoretical) attacks that omitting the hash might
>    have. Nelson, would this be a fair summary of your objection?  

Yes.  The client doesn't necessarily have ANY copy of its own cert.
The proposed requirement that the client MUST include a hash of the
cert it does not have presents a new problem for such implementations.

White-listing of hosts from which the server is willing to fetch those
client cert URLs effectively solves the other problems without
necessitating any mandatory hashes.

Thanks for your document status summary.

/Nelson
_______________________________________________
TLS mailing list
TLS@xxxxxxxx
https://www.ietf.org/mailman/listinfo/tls

Follow-Ups:
- Re: [TLS] TLS document status update
  - From: Eric Rescorla

References:
- [TLS] TLS document status update
  - From: Pasi.Eronen

Prev by Date: Re: [TLS] draft-nir-tls-eap-03
Next by Date: Re: [TLS] TLS document status update
Previous by thread: [TLS] TLS document status update
Next by thread: Re: [TLS] TLS document status update
Index(es):
- Date
- Thread