Olga -

        Do you have a higher resolution PDF that is readable on screen? I
used to work at CyberSafe and worked on several projects that would
potentially be related; as such I would be very interested in reading your
paper but would hate to kill a tree to see it :)

Ryan

-----Original Message-----
From: Olga Kornievskaia [mailto:[EMAIL PROTECTED]] 
Sent: Wednesday, October 10, 2001 1:22 PM
To: [EMAIL PROTECTED]
Subject: Re: making use of an SSL handshake in a new way


> Paper sounds interesting, but unfortunately one has to be a usenix member
> to read it. Any other url?

There is a techreport (a slightly older version of the paper) available
from: http://www.citi.umich.edu/techreports

> Rather than changes to SSL, did you look at using a BIO to push onto the
> SSL BIO so you could trap the handshake without modifications? Not clear
> from your patch if this was good enough, or if you really needed additional
> modifications to the handshake.

No, I have not looked at using a BIO for this. It was our first shot at
getting things working and getting raw data was the most straightforward
way of doing this. However, I'm not sure if bio buffers inside of the SSL
structure are accumulative. I need to be able to hash all the handshake
messages and verify the client's signature in the CLIENT_VERIFY message.
For this I need all the buffers.

> How does this relate to:
>
>    Addition of Kerberos Cipher Suites to Transport Layer Security (TLS)
> (RFC 2712)
>   http://www.ietf.org/rfc/rfc2712.txt

Hmm, I'm not sure what you are asking. Verification of the SSL handshake
would be independent of the protocol used to secure the connection. The
RFC proposes the use of Kerberos cipher suites and as far as I know
doesn't deal with delegation of credentials. And even if it were the
case, it's not clear that delegation would be better than what we
proposed in the paper (I would argue that it wouldn't be).

-Olga
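
The requirement described above (hash every handshake message, then check the client's signature), as an added example that is not part of the original message or of the patch under discussion. It assumes TLS 1.0 (RFC 2246), where the CertificateVerify message (called CLIENT_VERIFY above) signs the MD5 and SHA-1 digests of all handshake messages before it; the function names and sample bytes are constructed for illustration.

```python
import hashlib
import struct

HANDSHAKE = 22           # TLS record content type for handshake data
CERTIFICATE_VERIFY = 15  # handshake message type

def record(payload, ctype=HANDSHAKE, version=(3, 1)):
    """Wrap payload in a 5-byte TLS record header (helper for the sample)."""
    return struct.pack("!BBBH", ctype, *version, len(payload)) + payload

def handshake(msg_type, body):
    """Build a handshake message: 1-byte type, 3-byte length, body."""
    return bytes([msg_type]) + len(body).to_bytes(3, "big") + body

def handshake_messages(stream):
    """Yield (type, raw_message) reassembled from a raw record stream."""
    buf, pos = b"", 0
    while pos + 5 <= len(stream):
        ctype, _maj, _min, length = struct.unpack_from("!BBBH", stream, pos)
        frag = stream[pos + 5:pos + 5 + length]
        if len(frag) < length:
            raise ValueError("truncated record")
        pos += 5 + length
        if ctype != HANDSHAKE:
            continue  # alerts and ChangeCipherSpec are not part of the hash
        buf += frag
        while len(buf) >= 4:
            mlen = int.from_bytes(buf[1:4], "big")
            if len(buf) < 4 + mlen:
                break  # message continues in the next record
            yield buf[0], buf[:4 + mlen]
            buf = buf[4 + mlen:]

def certificate_verify_input(stream):
    """Return (MD5 || SHA-1 of prior messages, CertificateVerify body)."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    for mtype, raw in handshake_messages(stream):
        if mtype == CERTIFICATE_VERIFY:
            return md5.digest() + sha1.digest(), raw[4:]
        md5.update(raw)   # headers are hashed along with bodies
        sha1.update(raw)
    raise ValueError("no CertificateVerify in stream")

# Constructed sample: placeholder bodies, not real handshake content.
MSGS = [handshake(1, b"client-hello"), handshake(2, b"server-hello"),
        handshake(16, b"client-key-exchange")]
VERIFY = handshake(CERTIFICATE_VERIFY, b"signature-bytes")
JOINED = b"".join(MSGS) + VERIFY
# Split mid-message so reassembly across records is exercised.
SAMPLE = record(JOINED[:20]) + record(JOINED[20:])
```

The 36-byte digest returned is the value the client's RSA signature would be checked against; the signature check itself needs the client's public key and is not shown.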


______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]