FYI... In-Stream Key Negotiation Initial Draft

For the purposes of discussion, I have published a rough first draft of the
SPDY KEY_NEGO mechanism I discussed previously.

The short version is: this introduces the ability to perform key
negotiation for encrypted streams *within* an established SPDY session,
even if TLS is not being used to secure the connection. This is largely
theoretical and experimental at this point but I have done some initial
implementation to at least demonstrate (mostly for myself) that the basic
idea works in theory. However, there's much that would need to be done.

To answer the more immediate question: Why would we do this... the short
answer is that this approach gives us a number of things that TLS currently
does not, specifically: the ability to multiplex secure and insecure
traffic over a single TCP/IP connection, server-initiated security,
in-stream end-to-end integrity checking, and dynamic, on-the-fly
(re)negotiation of keys without having to tear down and reestablish the
connection.

There is much more that needs to be done to flesh this out, obviously, and
I'm not yet convinced that it's a great idea. Much more experimentation and
implementation would need to go into determining that, but I wanted to get
the basic idea documented and out there for discussion and to get some
additional eyes looking at it.

As always, comments and feedback are welcomed.

- James

Received on Friday, 3 August 2012 22:22:28 UTC