Re: [TLS] draft-nir-tls-eap-03



Yoav Nir <ynir@xxxxxxxxxxxxxx> writes:

>Regarding section 4.2 (comment (5)) I also believe that identity protection
>is important, but that belief is not universally shared. For example, the
>TLS-PSK protocol does not provide it. I'm not sure what I can do to elaborate
>more on this, except to say (as we have) that "we believe that identity
>protection is a worthy enough goal, so as to justify the extra round-trip.".
>Can you suggest anything stronger?

What about allowing the client to specify whether it wants identity protection
or not, to save the extra RTT?  All you'd need is to allow the client to
specify their identity in the hello (as the draft indicates); if the server
gets a client ID as an extension in the hello then they can go straight to the
fastpath version, otherwise there's an extra RTT.  Identity protection seems
to be one of those things that only geeks actually care about - I've never
encountered any user that's even asked about this, but I have had several
queries from users working in resource-constrained environments about how to
minimise the handshake overhead, so a fastpath option would be a good thing.

(Alternatively, make fastpath the default and do an anon-DH + rehandshake with
TLS-EAP if identity protection is really such a big deal).

Peter.
_______________________________________________
TLS mailing list
TLS@xxxxxxxx
https://www.ietf.org/mailman/listinfo/tls