RE: "Onion model" explained from Joseph Hui on 2002-07-12 (www-ws-arch@w3.org from July 2002)

From: Joseph Hui <Joseph.Hui@exodus.net>
Date: Fri, 12 Jul 2002 10:32:33 -0700
To: "Pete Wenzel" <pete@seebeyond.com>
Cc: <www-ws-arch@w3.org>
Message-ID: <45258A4365C6B24A9832BFE224837D551D1CA1@SJDCEX01.int.exodus.net>

> From: Pete Wenzel [mailto:pete@seebeyond.com]
[snip]
I've already expressed the acceptability of stretching 
the authN into authZ in day-to-day convention, the nuances
between authN & authZ, and authN-alone-suffices case (of which
the most vigorous example being the secured heartbeat notifiers),
so there's no value in my repeating the spiel.

> > Say, if you buy stuff from an
> > https website, do you chllenge the sellers?  I bet you don't,
> > even though it's your money that's at stake. 
> 
> I trust that my SSL/TLS-enabled browser challenges the seller's web
> server.

I'm interested in knowing which brand of browsers uses
challenge/response to verify ownership of private keys
(of signed certs).

> It encrypts the pre-master secret using the (supposed)
> server's certificate.  If the server is unable to decrypt it, that
> proves it likely to be unauthentic, and the protocol terminates.

In SSL/TLS, the pre-master secret (PMS) is not meant for the
purpose of challenge/response; and doesn't serve such purpose.
The PMS is for deriving the master secret (MS, which will then be
used for generating the symmetric keys (for the TLS session)).
During a TLS handshake, your browser (ala TLS client), after
verifying the cert from the TLS server (contained in the
handshake:ServerHello message), encrypts it with the TLS
server's public key and sends it to the TLS server.
The authN proof -- proof is not the most desirable
word I would use here, but I use it anyway for the
sake of corresponding with your text -- lies in the MAC
of all handshake messages, starting from handshake:ClientHello,
up to and including the handshake:Finished!  In short, the
coup de grace authN is in the MAC, not in the encrypted PMS.

Joe Hui
Exodus, a Cable & Wireless service
==============================================
> 
> --Pete
> 
> > Joe Hui
> > Exodus, a Cable & Wireless service
> > ========================================
> > > 
> > > --Pete
> > > Pete Wenzel <pete@seebeyond.com>
> > > SeeBeyond
> > > Standards & Product Strategy
> > > +1-626-471-6311 (US-Pacific)
>

Received on Friday, 12 July 2002 13:31:54 UTC