Re: draft-ietf-tls-http-upgrade reissued
Julien Pierre (jpierre@netscape.com)
Thu, 04 May 2000 14:28:47 -0700
Hi,
Scott Lawrence wrote:
> Rohit covered the ground pretty well, and all the points you raise
> were discussed the first time around in one way or another, but I'll
> reiterate a point or two.
>
> Users have been trained to believe that an 'https:' scheme means
> 'secure', but what does it really mean? What it means is 'try this
> connection first on port 443 and negotiate (via the TLS/SSL
> handshake) a set of security services'. Key to this is
> 'negotiate' - the resulting connection could negotiate a set of
> services using any of several cipher suites, including easily
> breakable or null encryption.
Agreed. However, one can disable the null & easily breakable cipher
suites in their client, and therefore be sure that when https URLs are
submitted, the connection is secure. The NULL encryption is by default
disabled in mainstream browsers.
> If there is a need for labelling of content
> with security attributes, then that need is best met in the content
> itself, and the 'single bit' of appending an 's' to the scheme name
> is grossly insufficient.
I agree that it would be better to get more security information in the
content links than just that one "s" bit.
However, the complete lack of even that one bit to determine the
security attribute, which is what you propose by using regular http
URLs, is not merely grossly insufficient, but completely unacceptable.
I understand that you are trying to keep some level of compatibility
with existing clients, and at the same time trying to unify the ports
for secure/non-secure servers, and allowing secure virtual servers. I
believe however that none of the problems are solved adequately:
- existing HTTP clients will compromise security when connected to the
new servers, because they will not be able to negotiate the TLS upgrade
- existing HTTPS clients will not even connect to the new servers,
because the server will be expecting an initial non-secure connection
followed by an upgrade
This shows that it's not a practical solution for saving TCP ports at
this time. It requires an entirely new generation of servers and
clients, and even then there is still doubt about how the upgrade to TLS
is enforced, as mentioned in previous e-mails.
--
for a good time, try kill -9 -1
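The two points argued above (that an https URL only promises a cipher-suite negotiation the client must constrain itself, and that with the draft's Upgrade mechanism a legacy client silently falls through to cleartext unless the server enforces the upgrade) can be made concrete in code. The following is an added example, not code from the message, from the draft or from any implementation discussed in the thread. The cipher policy, the weak-suite markers and the sample requests are constructed for illustration; the `Upgrade: TLS/1.0` token, `Connection: Upgrade`, and the 101 and 426 status codes are those of the draft as later published (RFC 2817).

```python
import ssl

# ---------------------------------------------------------------------------
# Part 1: 'https' only promises a negotiation. The client decides what it will
# accept, so the policy lives in the client's cipher-suite configuration and in
# a check on what was actually negotiated after the handshake.
# ---------------------------------------------------------------------------

# Substrings marking suites this constructed, illustrative policy rejects:
# no encryption, export grade, single/triple DES, RC4, MD5, anonymous key exchange.
WEAK_MARKERS = ("NULL", "EXPORT", "DES-CBC", "RC4", "MD5", "ADH", "AECDH")


def hardened_client_context() -> ssl.SSLContext:
    """Client context that refuses the NULL and easily breakable suites the message mentions."""
    ctx = ssl.create_default_context()              # certificate and hostname verification on
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # OpenSSL cipher-list syntax: start from HIGH, then exclude the weak classes explicitly.
    ctx.set_ciphers("HIGH:!aNULL:!eNULL:!EXPORT:!LOW:!MD5:!RC4:!3DES")
    return ctx


def cipher_name_ok(name: str) -> bool:
    """Second line of defence: validate the suite name reported by sock.cipher()[0]."""
    upper = name.upper()
    return not any(marker in upper for marker in WEAK_MARKERS)


def weak_suites_offered(ctx: ssl.SSLContext) -> list:
    """Suites the context would still offer that violate the policy (expected: none)."""
    return [c["name"] for c in ctx.get_ciphers() if not cipher_name_ok(c["name"])]


# ---------------------------------------------------------------------------
# Part 2: the Upgrade mechanism the draft proposes. The server only learns that
# a client can do TLS if the client says so; what happens otherwise is a server
# policy decision, which is exactly the enforcement question raised above.
# ---------------------------------------------------------------------------

def parse_headers(raw: bytes) -> dict:
    """Minimal HTTP/1.x header parser: lower-cased names -> values (no header folding)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("ascii", "replace")
    headers = {}
    for line in head.split("\r\n")[1:]:             # skip the request line
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def client_offers_tls_upgrade(headers: dict) -> bool:
    """True when the request carries an 'Upgrade: TLS/x' token and lists Upgrade in Connection."""
    upgrade_tokens = [t.strip().upper() for t in headers.get("upgrade", "").split(",")]
    connection_tokens = [t.strip().lower() for t in headers.get("connection", "").split(",")]
    return any(t.startswith("TLS/") for t in upgrade_tokens) and "upgrade" in connection_tokens


def server_decision(raw_request: bytes, require_tls: bool) -> int:
    """Status the server answers with: 101 switch to TLS, 426 demand it, 200 serve in the clear."""
    headers = parse_headers(raw_request)
    if client_offers_tls_upgrade(headers):
        return 101      # Switching Protocols: the TLS handshake follows on the same connection
    if require_tls:
        return 426      # Upgrade Required: the resource is never served without TLS
    return 200          # the path a legacy HTTP client silently takes: no TLS at all


def looks_like_tls_client_hello(first_bytes: bytes) -> bool:
    """A legacy HTTPS client opens with a TLS handshake record (type 0x16, version 0x03xx),
    not an HTTP request, so a server that expects cleartext first cannot talk to it."""
    return len(first_bytes) >= 3 and first_bytes[0] == 0x16 and first_bytes[1] == 0x03


# Constructed sample traffic (not captured from any real system).
LEGACY_REQUEST = b"GET /account HTTP/1.0\r\nHost: example.test\r\n\r\n"
UPGRADING_REQUEST = (b"GET /account HTTP/1.1\r\nHost: example.test\r\n"
                     b"Upgrade: TLS/1.0\r\nConnection: Upgrade\r\n\r\n")
TLS_FIRST = bytes.fromhex("160301")   # start of a TLS 1.x handshake record, constructed

if __name__ == "__main__":
    print("weak suites still offered:", weak_suites_offered(hardened_client_context()))
    print("legacy client, permissive server:", server_decision(LEGACY_REQUEST, require_tls=False))
    print("legacy client, enforcing server:", server_decision(LEGACY_REQUEST, require_tls=True))
    print("upgrading client, enforcing server:", server_decision(UPGRADING_REQUEST, require_tls=True))
    print("https client against a cleartext-first server:", looks_like_tls_client_hello(TLS_FIRST))
```

The permissive branch of `server_decision` is the case the message objects to: nothing in the request tells the legacy client that it has lost the protection it would have had on port 443. Only the `require_tls` policy (answering 426) closes that gap, and a client that also checks `cipher_name_ok` on the negotiated suite covers the null-cipher case on either port.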