Re: [CHANNEL-BINDING] Re: draft-ietf-sasl-gs2 AD review comments
Sam Hartman <hartmans-ietf@mit.edu> Thu, 11 October 2007 16:33 UTC
From: Sam Hartman <hartmans-ietf@mit.edu>
To: Jeffrey Hutzelman <jhutz@cmu.edu>
Subject: Re: [CHANNEL-BINDING] Re: draft-ietf-sasl-gs2 AD review comments
References: <tsl4ph0vz30.fsf@mit.edu> <20071009203406.GL24532@Sun.COM>
<tslk5pwugzz.fsf@mit.edu> <20071009212516.GP24532@Sun.COM>
<73A1D8BFF0B322B71283BF6B@sirius.fac.cs.cmu.edu>
<20071010143650.GT24532@Sun.COM> <tslmyurnhmv.fsf@mit.edu>
<20071010154115.GY24532@Sun.COM> <87hckz2ado.fsf@mocca.josefsson.org>
<5A6B5081F6ECBC610E6C2C12@sirius.fac.cs.cmu.edu>
<20071011151015.GN24532@Sun.COM>
Date: Thu, 11 Oct 2007 12:33:21 -0400
In-Reply-To: <20071011151015.GN24532@Sun.COM> (Nicolas Williams's message of
"Thu, 11 Oct 2007 10:10:15 -0500")
Message-ID: <tsl1wc1boha.fsf@mit.edu>
User-Agent: Gnus/5.110006 (No Gnus v0.6) Emacs/21.4 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Cc: channel-binding@ietf.org, ietf-sasl@imc.org
>> Provided we clarify in draft-williams-on-channel-bindings that
>> channel binding data includes the prefix, there is no problem
>> with the protocol bits in GS2. However, you are missing a
>> requirement to check that the channel binding data sent by the
>> client and server is actually the same. In fact, you provide
>> virtually no information on what to do with the data elements
>> related to channel binding. I think this needs some work.
Nicolas> I now believe that no such clarification is needed. We
Nicolas> may want to clarify that application protocols using
Nicolas> channel binding must specify how the prefix is used, and
Nicolas> we may want to suggest using it as, well, a prefix (with
Nicolas> a separator character), in those cases where a single
Nicolas> string is accepted by the authentication
Nicolas> framework/mechanism.
I've become convinced that clarification is needed.
I'll note that it's simpler if we say there is always one slot and that the
channel binding data includes the prefix and the separator.
I think that option is most likely to be interoperable.
One down side of that option is that there may be people using channel
bindings with GSS today in a manner that differs from that.
It probably is not a big deal since any given application will either use this framework or not.
However we could be neutral on whether applications need one slot or two.
If so, we need to at least say that we're neutral on this.
I think we need to at least define a separator to use when you only have one
slot.
_______________________________________________
CHANNEL-BINDING mailing list
CHANNEL-BINDING@ietf.org
https://www1.ietf.org/mailman/listinfo/channel-binding
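As an added example (not code from this thread, from the GS2 draft, or from draft-williams-on-channel-bindings), here is the one-slot form Sam describes: the channel binding type prefix, a separator, and the raw channel binding data packed into a single octet string, plus the client/server equality check the quoted review comment asks for. The ':' separator and the prefix character set are assumptions made for the example; the thread leaves the separator undefined. The type names "tls-unique" and "tls-server-end-point" are registered names from RFC 5929 and do not appear in this message; the sample data values are constructed, not real TLS values.

```python
"""One-slot channel binding data: prefix + separator + data.

Added example, not code from the mailing-list thread.  Assumptions:
  - the separator is an ASCII colon (the thread does not fix one);
  - prefixes are lowercase ASCII letters, digits, '.' or '-', so a
    colon can never occur inside a prefix and the receiver can split
    at the FIRST separator even when the data itself contains 0x3a;
  - the "tls-unique" / "tls-server-end-point" names are from RFC 5929;
  - all sample data bytes below are constructed.
"""
import hmac
import re

SEPARATOR = b":"  # assumed separator for the one-slot form
_PREFIX_RE = re.compile(rb"^[a-z0-9][a-z0-9.-]*$")


def encode_channel_binding(prefix: str, cb_data: bytes) -> bytes:
    """Pack a channel binding type prefix and its data into one slot."""
    p = prefix.encode("ascii")
    if not _PREFIX_RE.match(p):
        raise ValueError(f"invalid channel binding prefix: {prefix!r}")
    return p + SEPARATOR + cb_data


def decode_channel_binding(slot: bytes) -> tuple[str, bytes]:
    """Recover (prefix, data) by splitting at the first separator only.

    Splitting at the first separator is safe because the prefix
    alphabet excludes ':'; the data may contain any byte.
    """
    prefix, sep, data = slot.partition(SEPARATOR)
    if not sep or not _PREFIX_RE.match(prefix):
        raise ValueError("malformed channel binding data")
    return prefix.decode("ascii"), data


def channel_bindings_match(client_slot: bytes, server_slot: bytes) -> bool:
    """Both ends must hold the same type prefix AND the same data.

    Because the prefix is inside the compared string, the same data
    labelled with a different type also fails.  Constant-time compare
    so the verifier does not leak how many leading bytes matched.
    """
    return hmac.compare_digest(client_slot, server_slot)


def two_slot_match(client: tuple[str, bytes], server: tuple[str, bytes]) -> bool:
    """Two-slot variant (prefix and data carried separately).

    Packing both into the one-slot form before comparing gives exactly
    the same accept/reject behaviour as the one-slot variant.
    """
    return channel_bindings_match(
        encode_channel_binding(*client), encode_channel_binding(*server)
    )


def demo() -> dict[str, bool]:
    """Exercise the match check on constructed sample values."""
    # Constructed values standing in for each endpoint's own view of its
    # TLS channel.  0x3a (':') sits inside the data on purpose.
    session_a = bytes.fromhex("9f3a3a01c2")
    session_b = bytes.fromhex("9f3a3a01c3")  # a different channel

    client = encode_channel_binding("tls-unique", session_a)
    server_same = encode_channel_binding("tls-unique", session_a)
    server_other = encode_channel_binding("tls-unique", session_b)
    server_type = encode_channel_binding("tls-server-end-point", session_a)

    return {
        "same_channel": channel_bindings_match(client, server_same),
        "different_channel": channel_bindings_match(client, server_other),
        "different_type": channel_bindings_match(client, server_type),
        "roundtrip_ok": decode_channel_binding(client) == ("tls-unique", session_a),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The point of the `different_type` case is why the prefix belongs inside the data that both sides compare: identical bytes under two different channel binding types must not be accepted as the same binding. `two_slot_match` shows that a two-slot API can be reduced to the one-slot check, which is what makes the one-slot rule the simpler thing to specify and interoperate on.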