IETF Logo Mail Archive

Re: [CHANNEL-BINDING] TLS endpoint channel bindings in SCRAM

Dave Cridland <dave@cridland.net> Fri, 03 April 2009 16:30 UTC

Return-Path: <dave@cridland.net>
X-Original-To: channel-binding@core3.amsl.com
Delivered-To: channel-binding@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 063463A680D for <channel-binding@core3.amsl.com>; Fri, 3 Apr 2009 09:30:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.594
X-Spam-Level:
X-Spam-Status: No, score=-2.594 tagged_above=-999 required=5 tests=[AWL=0.005, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gQwAG-7U9WCP for <channel-binding@core3.amsl.com>; Fri, 3 Apr 2009 09:30:58 -0700 (PDT)
Received: from peirce.dave.cridland.net (peirce.dave.cridland.net [217.155.137.61]) by core3.amsl.com (Postfix) with ESMTP id B0CAF3A679F for <channel-binding@ietf.org>; Fri, 3 Apr 2009 09:30:57 -0700 (PDT)
Received: from puncture (turner.dave.cridland.net [217.155.137.60]) by peirce.dave.cridland.net (submission) via TCP with ESMTPA id <SdY59QBD2rLx@peirce.dave.cridland.net>; Fri, 3 Apr 2009 17:31:54 +0100
References: <20090403152535.GY1500@Sun.COM>
In-Reply-To: <20090403152535.GY1500@Sun.COM>
MIME-Version: 1.0
Message-Id: <15429.1238776301.804018@puncture>
Date: Fri, 03 Apr 2009 17:31:41 +0100
From: Dave Cridland <dave@cridland.net>
To: Nicolas Williams <Nicolas.Williams@sun.com>
Content-Type: text/plain; delsp="yes"; charset="us-ascii"; format="flowed"
Cc: Mark Novak <Mark.Novak@microsoft.com>, channel-binding@ietf.org, Stefan Santesson <stefans@microsoft.com>, Larry Zhu <lzhu@windows.microsoft.com>, ietf-sasl@imc.org, Paul Leach <paulle@windows.microsoft.com>, Kevin Damour <kdamour@microsoft.com>, Jeffrey Altman <jaltman@secure-endpoints.com>, Sam Hartman <hartmans-ietf@mit.edu>
Subject: Re: [CHANNEL-BINDING] TLS endpoint channel bindings in SCRAM
X-BeenThere: channel-binding@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Discussion of channel binding IANA registry requests and specifications <channel-binding.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/channel-binding>, <mailto:channel-binding-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/channel-binding>
List-Post: <mailto:channel-binding@ietf.org>
List-Help: <mailto:channel-binding-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/channel-binding>, <mailto:channel-binding-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 03 Apr 2009 16:30:59 -0000

On Fri Apr  3 16:25:36 2009, Nicolas Williams wrote:
> Pasi's comment indicates that your premise for this thread is wrong.

I certainly hope so. Nothing would please me more than being wrong  
here.

>   I
> don't know though.  Can you comment on Pasi's comments?  Are there  
> any
> commonly used TLS implementations that encode the server cert
> differently on the wire than in their APIs for getting at the server
> cert?

I have no idea at all, I'm sorry to say. It makes sense to me that  
X.509 certs, at least, would always be encoded in DER, since that's  
the form in which they're signed.

That then reduces the problem of the existing channel binding to  
being figuring out which hash to use, and I strongly suspect that  
just using SHA-256 is sufficient for now. (it's unfortunate this is  
different to the hash algorithm we seem to have settled on for SCRAM,  
but it's far from a blocker, merely a mild inconvenience).

Dave.
-- 
Dave Cridland - mailto:dave@cridland.net - xmpp:dwd@dave.cridland.net
  - acap://acap.dave.cridland.net/byowner/user/dwd/bookmarks/
  - http://dave.cridland.net/
Infotrope Polymer - ACAP, IMAP, ESMTP, and Lemonade

v2.23.0 | Report a Bug | By Email