The IESG has received a request from the Transport Layer Security WG (tls) to consider the following document:
- 'Transport Layer Security (TLS) Session Hash and Extended Master Secret Extension'
  <draft-ietf-tls-session-hash-04.txt> as Proposed Standard

The IESG plans to make a decision in the next few weeks, and solicits final comments on this action. Please send substantive comments to the ietf@ietf.org mailing lists by 2015-04-13. Exceptionally, comments may be sent to iesg@ietf.org instead. In either case, please retain the beginning of the Subject line to allow automated sorting.

Abstract

The Transport Layer Security (TLS) master secret is not cryptographically bound to important session parameters such as the server certificate. Consequently, it is possible for an active attacker to set up two sessions, one with a client and another with a server, such that the master secrets on the two sessions are the same. Thereafter, any mechanism that relies on the master secret for authentication, including session resumption, becomes vulnerable to a man-in-the-middle attack, where the attacker can simply forward messages back and forth between the client and server. This specification defines a TLS extension that contextually binds the master secret to a log of the full handshake that computes it, thus preventing such attacks.

The file can be obtained via
http://datatracker.ietf.org/doc/draft-ietf-tls-session-hash/

IESG discussion can be tracked via
http://datatracker.ietf.org/doc/draft-ietf-tls-session-hash/ballot/

No IPR declarations have been submitted directly on this I-D.

ID-NITs says this uses "NOT RECOMMENDED" but that that's not called out as a term. We'll fix that.