On Wed, Mar 30, 2016 at 10:40 PM, Dacheng Zhang <dacheng....@alibaba-inc.com> wrote:
> Thanks again for your comments. See my reply inline please. ^_^
>
>> I'm not following. If you trust the device, then why do you need any kind
>> of cryptographic authentication on the token.
>>
>> Dacheng: Let's assume we trust the device. But the APP uses an SNI to indicate
>> the service that the APP intends to access. Because the SNI is static and
>> may not be changed for months, it is easier for attackers who monitor the
>> network to get the SNI and use it to gain benefit. We need a more secure
>> solution. As I have mentioned in my previous email, this solution will make
>> such attacks more difficult. By the way, SNI is not designed for this
>> purpose, so we need to do some additional work to address this issue, right?
>>
>
> Again, you need a threat model. It sounds like you both do and do not
> trust the client.
>
> Dacheng: A threat model will be provided. Actually, we don't try to protect
> against the compromise of the client, or the scenario where an APP acts
> against another one on the same device. This solution is used to protect
> against attackers who are able to monitor the communication between the
> client and the server.
>

I'll await this.

>
>> Hmm... I'm not at all sure that TLS should address this problem. However,
>> my review was directed to whether your proposed solution even works on its
>> own terms.
>>
>> Dacheng: That is why we need to raise the discussion here. It would be
>> great if this issue could be considered by the TLS WG.
>>
>
> I don't find this to be a very compelling use case and I don't think it's
> really appropriate to try to solve it at the TLS layer. If you want to have
> secure flow identification you should do it at the IP or TCP layers.
>
> Dacheng: Ok, this requirement is quite strong. We need a solution to
> address this issue if we want to use TLS to secure our APPs deployed on
> hundreds of millions of mobile devices. Also, China Mobile and Huawei are
> working with us on this issue.

No, you only need it if you want to use a specific charging model.

> Could you please tell me why it is better to address this issue at the IP
> or TCP layer? To the best of my knowledge, there is no space in IPv4
> headers to insert any extensions. There are length limits on TCP options. In
> addition, TCP is implemented in kernel mode. It will cost more if we try to
> address this issue at the TCP or IP layer.

I think the architectural reasons here are pretty clear. IP is the common
network transport layer, not TLS. Also, IPv6 has extension headers.

-Ekr

> Look forward to more discussions. ^_^
>
> Cheers
>
> Dacheng
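The thread turns on one observable fact: the SNI travels in the clear in the ClientHello, so anyone who can "monitor the communication between the client and the server" reads it directly. The following is an added example, not code from either participant or from any of the products mentioned. It builds a constructed ClientHello record (TLS 1.2 layout per RFC 5246, server_name extension per RFC 6066, with a fixed random value for reproducibility) and then parses it the way a passive on-path observer would, walking the extension list to pull out the host_name. The function names, the cipher suite list and the extra signature_algorithms extension are all assumptions made for the example.

```python
import struct

SNI_EXT_TYPE = 0x0000      # server_name extension (RFC 6066)
HOST_NAME_TYPE = 0x00      # NameType host_name

def build_client_hello(sni: str, cipher_suites=(0x1301, 0x1302, 0xC02F)) -> bytes:
    """Construct a minimal TLS record carrying a ClientHello with an SNI extension.

    Constructed test input: the 32-byte random is fixed so output is reproducible;
    a real client fills it from a CSPRNG.
    """
    host = sni.encode("ascii")
    name_entry = struct.pack("!BH", HOST_NAME_TYPE, len(host)) + host
    server_name_list = struct.pack("!H", len(name_entry)) + name_entry
    sni_ext = struct.pack("!HH", SNI_EXT_TYPE, len(server_name_list)) + server_name_list
    # An unrelated extension (signature_algorithms, type 0x000D) placed after SNI
    # so the parser has to iterate rather than assume SNI comes first.
    sig_algs = struct.pack("!HH", 0x000D, 4) + struct.pack("!HH", 2, 0x0403)
    extensions = sni_ext + sig_algs
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    body = (
        b"\x03\x03"                                   # client_version: TLS 1.2
        + b"\x11" * 32                                # random (fixed, constructed)
        + b"\x00"                                     # session_id length 0
        + struct.pack("!H", len(suites)) + suites     # cipher_suites
        + b"\x01\x00"                                 # compression_methods: null
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # record header

def extract_sni(record: bytes):
    """Passive observer: return the host_name from the first record's ClientHello, or None.

    Nothing here needs keys or the server's cooperation; the SNI is plaintext.
    Truncated or non-handshake input yields None rather than an exception.
    """
    try:
        if len(record) < 5 or record[0] != 0x16:          # not a handshake record
            return None
        rec_len = struct.unpack("!H", record[3:5])[0]
        hs = record[5:5 + rec_len]
        if len(hs) < 4 or hs[0] != 0x01:                  # not a ClientHello
            return None
        body_len = int.from_bytes(hs[1:4], "big")
        body = hs[4:4 + body_len]
        if len(body) != body_len:                          # truncated capture
            return None
        pos = 2 + 32                                       # skip version + random
        pos += 1 + body[pos]                               # session_id
        pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
        pos += 1 + body[pos]                               # compression_methods
        if pos + 2 > len(body):
            return None                                    # no extensions block at all
        ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            data = body[pos:pos + elen]
            pos += elen
            if etype != SNI_EXT_TYPE:
                continue
            list_len = struct.unpack("!H", data[0:2])[0]
            p = 2
            while p + 3 <= 2 + list_len:
                ntype, nlen = struct.unpack("!BH", data[p:p + 3])
                p += 3
                name = data[p:p + nlen]
                p += nlen
                if ntype == HOST_NAME_TYPE:
                    return name.decode("ascii")
        return None
    except (IndexError, struct.error):
        return None                                        # malformed input

if __name__ == "__main__":
    hello = build_client_hello("api.example.com")
    print(extract_sni(hello))
```

Run against a real capture, the same parser would be applied to the first client-to-server segment of each TCP flow; the point of the demonstration is that the observer needs nothing beyond the bytes on the wire, which is why a static SNI is a poor flow-authentication token regardless of which layer ends up hosting the fix.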
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls