[Security] TLS Certificates Verification

Eric Rescorla ekr at rtfm.com
Tue Aug 19 12:55:15 CDT 2008


On Tue, Aug 19, 2008 at 10:48 AM, Dave Cridland <dave at cridland.net> wrote:
> On Tue Aug 19 18:33:53 2008, Eric Rescorla wrote:
>>
>> Actually, this is a lot more complicated than it has to be. TLS has two
>> features that make this trivial to do and that don't rely on certificates
>>
>> 1. A PAKE mode (SRP)[0]
>
> I see how this works, but you're asking for quite a bit of less than usual
> TLS magic involved.
>
> Could we use a simple, channel-binding, shared-secret based SASL mechanism?

Yes, you could, but like TLS-PSK it's susceptible to active dictionary
attacks on the
shared secret. I haven't entirely worked out what the threat situation is there
in terms of the impact on this kind of attack.


 I don't know if XMPP stacks can typically use SASL, so that would presumably be
relevant to the PSK versus SASL question. And note that again you can just use
the session cache: you don't need to learn the certs necessarily.


> I've the thought in my head that we could make this essentially the same as
> Bluetooth keying, using the channel binding to "learn" the certificates.

Yes, that's effectively what I'm proposing.


-Ekr


More information about the Security mailing list