shibboleth-dev - Re: [Shib-Dev] Viability of SSL/TLS Session IDs usage for application Session IDs

  • From: Kaspar Brand <>
  • To:
  • Subject: Re: [Shib-Dev] Viability of SSL/TLS Session IDs usage for application Session IDs
  • Date: Thu, 10 Feb 2011 08:46:30 +0100

On 09.02.2011 17:58, Cantor, Scott E. wrote:
>>> Don't focus on sessionid, in SSL3 and later. Work with the
>>> channel binding that cues off the finished messages (not the
>>> endpoint certs).
>>
>> Even if we understood how that would work, Java doesn't expose
>> that message.
>
> Actually, thinking about this, AFAIK, the server end of a bound TLS
> channel has to be relying on the session ID to know that it's the
> same client anyway. The Finished message is only there at the time
> the channel is bound, and subsequent traffic has to be recognized as
> coming from the same client for it to be useful. I don't think
> there's any other way to do that but the session ID across separate
> TCP connections.

RFC 5929 is somewhat pertinent here. I'm not sure if/what TLS
implementations already expose tls-unique to the app, though (cf. also
section 7 of said RFC).

Kaspar
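As an added illustration of the point made in this exchange (not code from the thread, Shibboleth, or RFC 5929): the RFC 5929 "tls-unique" value is the first Finished message of a TLS handshake, so it identifies one TLS connection. If an application MACs its session identifier together with tls-unique, the tag verifies only on that channel; the same session presented over a second TCP/TLS connection (legitimate or replayed) produces a different tls-unique and fails, which is exactly why the server ends up relying on the TLS session ID, or its own session token, to recognize the same client across connections. The two tls-unique byte strings, the server key and `bind_session`/`verify_bound_session` are constructed for this example; `ssl.SSLSocket.get_channel_binding` is the real Python standard-library call that exposes tls-unique.

```python
import hashlib
import hmac
import secrets
import ssl
from typing import Optional

# Hypothetical server-side key for the binding MAC (constructed here; a real
# deployment would keep it in the server's key store).
SERVER_BINDING_KEY = secrets.token_bytes(32)

# Constructed stand-ins for the RFC 5929 "tls-unique" value of two different
# TLS connections. tls-unique is the first Finished message of the handshake,
# so every connection (including a resumed one) yields a different value.
TLS_UNIQUE_CONN_A = bytes.fromhex("0c2f8a0b1d6e4f5a9b3c7d8e")
TLS_UNIQUE_CONN_B = bytes.fromhex("a1b2c3d4e5f60718293a4b5c")


def tls_unique_for(sock: ssl.SSLSocket) -> Optional[bytes]:
    """Read tls-unique from a live TLS socket.

    Returns None if the socket is not connected or the handshake has not
    completed yet (standard-library behaviour of get_channel_binding).
    """
    return sock.get_channel_binding("tls-unique")


def bind_session(session_id: bytes, tls_unique: bytes,
                 key: bytes = SERVER_BINDING_KEY) -> bytes:
    """Return a tag tying an application session id to one TLS channel.

    The session id is length-prefixed so that (id, tls_unique) pairs cannot
    be re-split into a different pair with the same concatenation.
    """
    msg = len(session_id).to_bytes(2, "big") + session_id + tls_unique
    return hmac.new(key, msg, hashlib.sha256).digest()


def verify_bound_session(session_id: bytes, tls_unique: bytes, tag: bytes,
                         key: bytes = SERVER_BINDING_KEY) -> bool:
    """Check that `tag` binds `session_id` to the channel whose tls-unique
    value is `tls_unique`. Constant-time comparison avoids timing leaks."""
    expected = bind_session(session_id, tls_unique, key)
    return hmac.compare_digest(expected, tag)


def demo() -> tuple:
    """Bind a fresh session to connection A, then check it on A and on B.

    Returns (verifies_on_same_channel, verifies_on_other_channel).
    """
    session_id = secrets.token_bytes(16)          # constructed sample id
    tag = bind_session(session_id, TLS_UNIQUE_CONN_A)
    same_channel = verify_bound_session(session_id, TLS_UNIQUE_CONN_A, tag)
    # A second TCP/TLS connection has its own Finished message, so the tag
    # computed on connection A does not verify there.
    other_channel = verify_bound_session(session_id, TLS_UNIQUE_CONN_B, tag)
    return same_channel, other_channel


if __name__ == "__main__":
    print("same channel:", demo()[0], "other channel:", demo()[1])
```

Two caveats for anyone applying this: tls-unique as specified in RFC 5929 covers TLS up to 1.2, and for TLS 1.3 the exporter-based binding of RFC 9266 is the replacement; and, as the thread observes, a per-connection binding on its own cannot link requests that arrive on separate TCP connections, so the application still needs a session identifier to correlate them.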
