Eric Rescorla wrote this message on Fri, Jul 24, 2015 at 10:22 +0200:
> > > I've been working on project to accelerate TLS by doing the framing
> > > and encryption work in the kernel, and not in userland.  We made the
> > > choice of not moving the handshake and certificate validation into
> > > the kernel due to its complexity and high risk for bugs.  Yes,
> > > tcpcrypt will have slightly more code than just framing and encryption,
> > > but it's vastly more simple than doing anything wrt parsing and
> > > validating X.509 certificates.
> >
> 
> There's not going to be any need to do either of these. I'm working on
> the profile, but expect it to be anonymous (EC)DHE, and so not
> require certificates.

Well, require and support are two different things.  Under chapter 10,
you say:
  "If some sort of external authentication mechanism was provided or
  certificates are used"

This implies that certificates may be used.  What is going to happen
if one side decides to require a certificate and the other side rejects
any certificate use?  Then we end up again, back to an unencrypted
session, or worse (better?), failure to establish the session.

I do realize that ladder diagram does not even mention the Certificate
side of things, so probably the clause, "or certificates", should just
be removed.

It should be tightened up to explicitly disallow any use of
certificates, or at a minimum, that the side that presents a
certificate but does not receive a correct response, must continue as
if the certificate was ignored.

> > > If the TCP-TLS implementation is chosen, it will be significantly
> > > longer before it will be integrated into FreeBSD.  The reason being
> > > that there is no code that can simply be used w/o major auditing
> > > and/or rewriting to be secure for use in the kernel.  The tcpcrypt
> > > code was written from the start to be used in the kernel.
> > >
> > > Is there an implementation of TCP-TLS available yet?
> >
> We have one under development and expect to have something available
> by Yokohama, as discussed in the WG meeting on Monday.

It would be good if announcements of meetings were sent to the list.

-- 
  John-Mark Gurney                              Voice: +1 415 225 5579

     "All that I will do, has been done, All that I have, has not."

_______________________________________________
Tcpinc mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/tcpinc