Re: [TLS] Conflict between TLS 1.1 (RFC4346) and Krb5 Cipher Suite (RFC2712)
Jeffrey Altman <jaltman@secure-endpoints.com> Thu, 14 December 2006 13:42 UTC
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1GuqrR-0002va-23; Thu, 14 Dec 2006 08:42:57 -0500
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1GuqrQ-0002vR-5r for tls@lists.ietf.org; Thu, 14 Dec 2006 08:42:56 -0500
Received: from ms-smtp-03.rdc-nyc.rr.com ([24.29.109.7]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1GuqrO-0004Fu-UO for tls@lists.ietf.org; Thu, 14 Dec 2006 08:42:56 -0500
Received: from www.secure-endpoints.com (cpe-68-175-91-105.nyc.res.rr.com [68.175.91.105]) by ms-smtp-03.rdc-nyc.rr.com (8.13.6/8.13.6) with ESMTP id kBEDgrhP023068 for <tls@lists.ietf.org>; Thu, 14 Dec 2006 08:42:54 -0500 (EST)
Received: from [192.168.1.13] by secure-endpoints.com (Cipher TLSv1:RC4-MD5:128) (MDaemon PRO v9.5.3) with ESMTP id md50000037773.msg for <tls@lists.ietf.org>; Thu, 14 Dec 2006 08:44:09 -0500
Message-ID: <45815525.10806@secure-endpoints.com>
Date: Thu, 14 Dec 2006 08:44:05 -0500
From: Jeffrey Altman <jaltman@secure-endpoints.com>
Organization: Secure Endpoints Inc.
User-Agent: Thunderbird 1.5.0.8 (Windows/20061025)
MIME-Version: 1.0
To: tls@lists.ietf.org
Subject: Re: [TLS] Conflict between TLS 1.1 (RFC4346) and Krb5 Cipher Suite (RFC2712)
References: <45802B8B.80503@secure-endpoints.com> <20061214103827.GA27545@tau.invalid>
In-Reply-To: <20061214103827.GA27545@tau.invalid>
X-Enigmail-Version: 0.94.1.2
X-Authenticated-Sender: jaltman@secure-endpoints.com
X-Spam-Processed: www.secure-endpoints.com, Thu, 14 Dec 2006 08:44:09 -0500 (not processed: message from valid local sender)
X-Return-Path: jaltman@secure-endpoints.com
X-Envelope-From: jaltman@secure-endpoints.com
X-MDaemon-Deliver-To: tls@lists.ietf.org
X-Virus-Scanned: Symantec AntiVirus Scan Engine
X-Spam-Score: 0.1 (/)
X-Scan-Signature: 37af5f8fbf6f013c5b771388e24b09e7
X-BeenThere: tls@lists.ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
Reply-To: jaltman@secure-endpoints.com
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.lists.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@lists.ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/tls>
List-Post: <mailto:tls@lists.ietf.org>
List-Help: <mailto:tls-request@lists.ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@lists.ietf.org?subject=subscribe>
Content-Type: multipart/mixed; boundary="===============0581901621=="
Errors-To: tls-bounces@lists.ietf.org
Bodo Moeller wrote:
> It might be better to be more explicit here. Your proposed text
> resolves the conflict, but could be puzzling to implementors who
> haven't seen the Kerberos or TLS_GSS ciphersuite specifications and
> don't quite know what you're talking about when you mention
> alternative methods of server authentication. Here is a more
> elaborate proposal:
>
> This message is omitted if the agreed-upon key exchange method is
> anonymous or uses an alternative method of server authentication.
> For all non-anoymous key exchange methods specified in this
> document, the server MUST send this message. For non-anonymous
> key exchange methods specified elsewhere that do not provide an
> alternative method of server authentication, the server MUST send
> this message. This message will always immediately follow the
> server hello message.
>
> This also would clarify that you can't send a certificate message in
> an anonymous handshake, which apparently isn't strictly forbidden with
> the current language. (The signature part of the ServerKeyExchange is
> empty, so there's no point in trying to attach a server certificate to
> a handshake that is nominally anonymous.)
>
> Bodo
One more revision combining the best of Pasi's and Bodo's text:
This message is omitted if the agreed-upon key exchange method is
anonymous or uses server authentication method that does not
involve certificates. For all key exchange methods specified in
this document except for DH_anon, the server MUST send this
message. For non-anonymous key exchange methods specified
elsewhere that do not provide an alternative method of server
authentication, the server MUST send this message. This message
will always immediately follow the server hello message.
Jeffrey Altman
_______________________________________________ TLS mailing list TLS@lists.ietf.org https://www1.ietf.org/mailman/listinfo/tls
- [TLS] Conflict between TLS 1.1 (RFC4346) and Krb5… Jeffrey Altman
- RE: [TLS] Conflict between TLS 1.1 (RFC4346) and … Pasi.Eronen
- Re: [TLS] Conflict between TLS 1.1 (RFC4346) and … Bodo Moeller
- Re: [TLS] Conflict between TLS 1.1 (RFC4346) and … Jeffrey Altman
- RE: [TLS] Conflict between TLS 1.1 (RFC4346) and … Pasi.Eronen
- Re: [TLS] Conflict between TLS 1.1 (RFC4346) and … Jeffrey Altman