Re: [abfab] draft-ietf-abfab-arch-03.txt - GSS
Hannes Tschofenig <hannes.tschofenig@gmx.net> Fri, 17 August 2012 11:55 UTC
Return-Path: <hannes.tschofenig@gmx.net>
X-Original-To: abfab@ietfa.amsl.com
Delivered-To: abfab@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 804A021F8513 for <abfab@ietfa.amsl.com>; Fri, 17 Aug 2012 04:55:53 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.606
X-Spam-Level:
X-Spam-Status: No, score=-102.606 tagged_above=-999 required=5 tests=[AWL=-0.007, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id M1x9t-dlRTNq for <abfab@ietfa.amsl.com>; Fri, 17 Aug 2012 04:55:52 -0700 (PDT)
Received: from mailout-de.gmx.net (mailout-de.gmx.net [213.165.64.22]) by ietfa.amsl.com (Postfix) with SMTP id 7544A21F84B9 for <abfab@ietf.org>; Fri, 17 Aug 2012 04:55:52 -0700 (PDT)
Received: (qmail invoked by alias); 17 Aug 2012 11:55:51 -0000
Received: from a88-115-216-191.elisa-laajakaista.fi (EHLO [192.168.100.105]) [88.115.216.191] by mail.gmx.net (mp034) with SMTP; 17 Aug 2012 13:55:51 +0200
X-Authenticated: #29516787
X-Provags-ID: V01U2FsdGVkX1+Ih4UpEiOI03kgsPtMlnylNUBKLmBFw+MS6zRf1y oFwVDLEuJx95HS
Mime-Version: 1.0 (Apple Message framework v1084)
Content-Type: text/plain; charset="us-ascii"
From: Hannes Tschofenig <hannes.tschofenig@gmx.net>
In-Reply-To: <tsl393n9fr8.fsf@mit.edu>
Date: Fri, 17 Aug 2012 14:55:49 +0300
Content-Transfer-Encoding: quoted-printable
Message-Id: <0AF3B21D-4112-4733-B370-506474E3CA42@gmx.net>
References: <57E38F60-AF22-472B-92C3-1FC22EFEE5E1@gmx.net> <tsl393n9fr8.fsf@mit.edu>
To: Sam Hartman <hartmans@painless-security.com>
X-Mailer: Apple Mail (2.1084)
X-Y-GMX-Trusted: 0
Cc: Jim Schaad <ietf@augustcellars.com>, abfab@ietf.org
Subject: Re: [abfab] draft-ietf-abfab-arch-03.txt - GSS
X-BeenThere: abfab@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "Application Bridging, Federated Authentication Beyond \(the web\)" <abfab.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/abfab>, <mailto:abfab-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/abfab>
List-Post: <mailto:abfab@ietf.org>
List-Help: <mailto:abfab-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/abfab>, <mailto:abfab-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 17 Aug 2012 11:55:53 -0000
Hi Sam, thanks also for the quick response to this mail. On Aug 16, 2012, at 3:35 PM, Sam Hartman wrote: >>>>>> "Hannes" == Hannes Tschofenig <hannes.tschofenig@gmx.net> writes: > > Hannes> Section 3.2: > > Hannes> However there are a variety of situations where this > Hannes> authentication is not checked for policy or usability > Hannes> reasons. > > Hannes> We cannot make the assumption that the software does not do > Hannes> authentication or check the result of the authentication > Hannes> process since then the entire security solution does not > Hannes> work anymore. > > Section 3.2 is all about providing alternatives when this check is not > done. > This check is not done in practice a *lot*. There are lots of > application libraries that do not check server certificates. > I guess we just have a different understanding here. My strategy is to fix the lack of certificate checking. Your strategy is to define a new specification that provides an additional mechanism for doing a similar check assuming that it would get implemented. I am failing to see why people would implement your alternative mechanisms when they did not bother to implement the certificate checking. > > Actually the TLS channel bindings have been designed with a couple of > strategies for dealing with load balancers and in general for allowing a > server to securly indicate that it cannot provide channel bindings > and so server certs are all you get. Interesting. I didn't know that. Where do I read more about this? > Hannes> consistent with the GSS-API specification. XXXThere is an > Hannes> open question here as to the details; today RFC 5554 > Hannes> governs. We could use that and the current draft assumes we > Hannes> will. However in Beijing we became aware of some changes to > Hannes> these details that would make life much better for GSS > Hannes> authentication of HTTP. We should resolve this with kitten > Hannes> and replace this note with a reference to the spec we're > Hannes> actually following. > > Hannes> Regarding the inline note have we come to a conclusion about > Hannes> this issue already? > > Yeah, we're just using the existing stuff. > Nothing new has materialized in the IETF. > Great to hear. Maybe it would be good to fix this note in the text so that we can finish it asap. > Hannes> Section 3.3: > > Hannes> GSS-API provides a pseudo-random function. While the > Hannes> pseudo-random function does not involve sending data over > Hannes> the wire, it provides an algorithm that both the initiator > Hannes> and acceptor can run in order to arrive at the same key > Hannes> value. This is useful for designs where a successful > Hannes> authentication is used to key some other function. This is > Hannes> similar in concept to the TLS extractor. No current IETF > Hannes> protocols require this. However GSS-EAP supports this > Hannes> service because it is valuable for the future and easy to do > Hannes> given per- message services. Non-IETF protocols are > Hannes> expected to take advantage of this in the near future. > > > Hannes> I would delete this paragraph since it is confusing, is not > Hannes> relevant for the work we are doing, and does not relate to > Hannes> the previous paragraph either. > > How is this not relevant? > GSS-EAP implementations are required to provide gss_pseudo_random. > Hmmm. Maybe I should re-read GSS-EAP. Will do that and then I will come back to this issue. Ciao Hannes > > Hannes> Ciao Hannes > > Hannes> _______________________________________________ abfab > Hannes> mailing list abfab@ietf.org > Hannes> https://www.ietf.org/mailman/listinfo/abfab >
- [abfab] draft-ietf-abfab-arch-03.txt - GSS Hannes Tschofenig
- Re: [abfab] draft-ietf-abfab-arch-03.txt - GSS Sam Hartman
- Re: [abfab] draft-ietf-abfab-arch-03.txt - GSS Hannes Tschofenig