Re: [tor-dev] Proposal 195: TLS certificate normalization for Tor 0.2.4.x

2012-03-12 Thread Nick Mathewson
On Fri, Mar 9, 2012 at 8:03 PM, Robert Ransom wrote: > > Users need to specify a full certificate chain, not just the > end-entity certificate. Agreed that this is desirable, but if we take that route, we need to amend the current rule for deciding whether to use the v3/v2 vs the v1 handshake. C

Re: [tor-dev] Proposal 195: TLS certificate normalization for Tor 0.2.4.x

2012-03-12 Thread Nick Mathewson
On Fri, Mar 9, 2012 at 7:18 PM, George Kadianakis [...] > What is the reason we don't like session resumption? Does it still > make sense to keep it disabled even after #4436 is implemented? The main reason not to support session resumption is that, as noted later in this thread, it can require

Re: [tor-dev] Proposal 195: TLS certificate normalization for Tor 0.2.4.x

2012-03-10 Thread Ralf-Philipp Weinmann
On Mar 10, 2012, at 2:18 AM, George Kadianakis wrote: > > IIRC stateless TLS session resumption does not require keeping key > material. The required key material is all stored on the client side. You're thinking of this RFC5077 or its predecessor RFC4507, which only became implemented in OpenSS

Re: [tor-dev] Proposal 195: TLS certificate normalization for Tor 0.2.4.x

2012-03-10 Thread Ondrej Mikle
The proposal seems quite thought through. Some comments inline: On 03/09/2012 06:02 PM, Nick Mathewson wrote: > > > 1.2. Allow externally generated certificates > >It should be possible for a Tor relay operator to generate and >provide their own certificate and secret key. This will al

Re: [tor-dev] Proposal 195: TLS certificate normalization for Tor 0.2.4.x

2012-03-10 Thread Oscar Koeroo
Hello, I'd like to comment on this topic, as I see a potential for improvements to stay below the radar and avoid all kinds of (minor) detections. Perhaps contrary to how others reply, forgive me that I comment inline here as my reply is lengthy and typically comment on the block of text before

Re: [tor-dev] Proposal 195: TLS certificate normalization for Tor 0.2.4.x

2012-03-09 Thread George Kadianakis
Robert Ransom writes: > On 2012-03-10, George Kadianakis wrote: >> Nick Mathewson writes: >> >>> Filename: 195-TLS-normalization-for-024.txt >>> Title: TLS certificate normalization for Tor 0.2.4.x >>> Author: Jacob Appelbaum, Gladys Shufflebottom, Nick Mathewson, Tim Wilde >>> Created: 6-Mar-2

Re: [tor-dev] Proposal 195: TLS certificate normalization for Tor 0.2.4.x

2012-03-09 Thread Robert Ransom
On 2012-03-10, George Kadianakis wrote: > Nick Mathewson writes: > >> Filename: 195-TLS-normalization-for-024.txt >> Title: TLS certificate normalization for Tor 0.2.4.x >> Author: Jacob Appelbaum, Gladys Shufflebottom, Nick Mathewson, Tim Wilde >> Created: 6-Mar-2012 >> Status: Draft >> Target:

Re: [tor-dev] Proposal 195: TLS certificate normalization for Tor 0.2.4.x

2012-03-09 Thread Robert Ransom
On 2012-03-09, Nick Mathewson wrote: > Filename: 195-TLS-normalization-for-024.txt > Title: TLS certificate normalization for Tor 0.2.4.x > Author: Jacob Appelbaum, Gladys Shufflebottom, Nick Mathewson, Tim Wilde > Created: 6-Mar-2012 > Status: Draft > Target: 0.2.4.x > > > 0. Introduction > >

Re: [tor-dev] Proposal 195: TLS certificate normalization for Tor 0.2.4.x

2012-03-09 Thread George Kadianakis
Nick Mathewson writes: > Filename: 195-TLS-normalization-for-024.txt > Title: TLS certificate normalization for Tor 0.2.4.x > Author: Jacob Appelbaum, Gladys Shufflebottom, Nick Mathewson, Tim Wilde > Created: 6-Mar-2012 > Status: Draft > Target: 0.2.4.x > > > > 2. TLS handshake issues > > 2.1.

[tor-dev] Proposal 195: TLS certificate normalization for Tor 0.2.4.x

2012-03-09 Thread Nick Mathewson
Filename: 195-TLS-normalization-for-024.txt Title: TLS certificate normalization for Tor 0.2.4.x Author: Jacob Appelbaum, Gladys Shufflebottom, Nick Mathewson, Tim Wilde Created: 6-Mar-2012 Status: Draft Target: 0.2.4.x 0. Introduction The TLS (Transport Layer Security) protocol was designed