Re: [CHANNEL-BINDING] TLS endpoint channel bindings in SCRAM
Dave Cridland <dave@cridland.net> Fri, 03 April 2009 16:30 UTC
References: <20090403152535.GY1500@Sun.COM>
In-Reply-To: <20090403152535.GY1500@Sun.COM>
Message-Id: <15429.1238776301.804018@puncture>
Date: Fri, 03 Apr 2009 17:31:41 +0100
From: Dave Cridland <dave@cridland.net>
To: Nicolas Williams <Nicolas.Williams@sun.com>
Cc: Mark Novak <Mark.Novak@microsoft.com>, channel-binding@ietf.org, Stefan Santesson <stefans@microsoft.com>, Larry Zhu <lzhu@windows.microsoft.com>, ietf-sasl@imc.org, Paul Leach <paulle@windows.microsoft.com>, Kevin Damour <kdamour@microsoft.com>, Jeffrey Altman <jaltman@secure-endpoints.com>, Sam Hartman <hartmans-ietf@mit.edu>
Subject: Re: [CHANNEL-BINDING] TLS endpoint channel bindings in SCRAM
On Fri Apr 3 16:25:36 2009, Nicolas Williams wrote:
> Pasi's comment indicates that your premise for this thread is wrong.

I certainly hope so. Nothing would please me more than being wrong here.

> I don't know though. Can you comment on Pasi's comments? Are there
> any commonly used TLS implementations that encode the server cert
> differently on the wire than in their APIs for getting at the server
> cert?

I have no idea at all, I'm sorry to say.

It makes sense to me that X.509 certs, at least, would always be encoded in DER, since that's the form in which they're signed.

That then reduces the problem of the existing channel binding to figuring out which hash to use, and I strongly suspect that just using SHA-256 is sufficient for now. (It's unfortunate this is different to the hash algorithm we seem to have settled on for SCRAM, but it's far from a blocker, merely a mild inconvenience.)

Dave.
--
Dave Cridland - mailto:dave@cridland.net - xmpp:dwd@dave.cridland.net
 - acap://acap.dave.cridland.net/byowner/user/dwd/bookmarks/
 - http://dave.cridland.net/
Infotrope Polymer - ACAP, IMAP, ESMTP, and Lemonade
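As an added illustration of the point in the message above (not code from the thread or from any of its participants): the endpoint channel binding is only stable if both sides hash the same DER bytes, so a client that gets the certificate back from its TLS API as PEM must strip it back to DER before hashing, rather than hashing whatever encoding the API happened to return. The SHA-256-over-DER choice follows the message's suggestion; the `c=` layout (base64 of the GS2 header followed by the binding data, header `p=tls-server-end-point,,`) is assumed from the SCRAM draft, and the certificate bytes below are a constructed stand-in, not a real certificate.

```python
import base64
import hashlib
import hmac
import re

# Constructed sample standing in for a DER-encoded certificate.
# It is NOT a real certificate, only an outer SEQUENCE with filler inside.
SAMPLE_DER = bytes([0x30, 0x0A, 0x02, 0x01, 0x01, 0x04, 0x05]) + b"hello"

# The same bytes as PEM, which is the form many TLS APIs hand back.
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(SAMPLE_DER).decode()
    + "-----END CERTIFICATE-----\n"
)

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S
)


def to_der(cert):
    """Normalise a certificate to its DER bytes.

    Accepts raw DER (bytes) or a PEM string. Anything else is rejected so
    that a re-encoded or half-parsed form is never hashed by mistake.
    """
    if isinstance(cert, (bytes, bytearray)):
        return bytes(cert)
    m = PEM_RE.search(cert)
    if not m:
        raise ValueError("not DER bytes and no PEM CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()))


def tls_server_end_point(cert):
    """Channel-binding data: SHA-256 over the DER certificate."""
    return hashlib.sha256(to_der(cert)).digest()


def scram_c_attribute(cert):
    """SCRAM c= value: base64(gs2-header || cb-data), layout assumed from the draft."""
    gs2_header = b"p=tls-server-end-point,,"
    return base64.b64encode(gs2_header + tls_server_end_point(cert)).decode()


def server_check(cert, received_c):
    """Server side: recompute from its own certificate and compare in constant time."""
    return hmac.compare_digest(scram_c_attribute(cert), received_c)
```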