IETF Logo Mail Archive

Re: [CHANNEL-BINDING] Re: draft-ietf-sasl-gs2 AD review comments

Nicolas Williams <Nicolas.Williams@sun.com> Thu, 11 October 2007 17:10 UTC

Return-path: <channel-binding-bounces@ietf.org>
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1Ig1Y9-0001VE-Qj; Thu, 11 Oct 2007 13:10:17 -0400
Received: from [10.90.34.44] (helo=chiedprmail1.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1Ig1Y7-0001U9-G6 for channel-binding@ietf.org; Thu, 11 Oct 2007 13:10:15 -0400
Received: from sca-ea-mail-4.sun.com ([192.18.43.22]) by chiedprmail1.ietf.org with esmtp (Exim 4.43) id 1Ig1Y6-0006hF-Pv for channel-binding@ietf.org; Thu, 11 Oct 2007 13:10:15 -0400
Received: from centralmail1brm.Central.Sun.COM ([129.147.62.1]) by sca-ea-mail-4.sun.com (8.13.6+Sun/8.12.9) with ESMTP id l9BHAErs005418 for <channel-binding@ietf.org>; Thu, 11 Oct 2007 17:10:14 GMT
Received: from binky.Central.Sun.COM (binky.Central.Sun.COM [129.153.128.104]) by centralmail1brm.Central.Sun.COM (8.13.6+Sun/8.13.6/ENSMAIL, v2.2) with ESMTP id l9BHADFd008588 for <channel-binding@ietf.org>; Thu, 11 Oct 2007 11:10:13 -0600 (MDT)
Received: from binky.Central.Sun.COM (localhost [127.0.0.1]) by binky.Central.Sun.COM (8.14.1+Sun/8.14.1) with ESMTP id l9BHADf7027065; Thu, 11 Oct 2007 12:10:13 -0500 (CDT)
Received: (from nw141292@localhost) by binky.Central.Sun.COM (8.14.1+Sun/8.14.1/Submit) id l9BHACPo027064; Thu, 11 Oct 2007 12:10:13 -0500 (CDT)
X-Authentication-Warning: binky.Central.Sun.COM: nw141292 set sender to Nicolas.Williams@sun.com using -f
Date: Thu, 11 Oct 2007 12:10:12 -0500
From: Nicolas Williams <Nicolas.Williams@sun.com>
To: Sam Hartman <hartmans-ietf@mit.edu>
Subject: Re: [CHANNEL-BINDING] Re: draft-ietf-sasl-gs2 AD review comments
Message-ID: <20071011171012.GP24532@Sun.COM>
Mail-Followup-To: Sam Hartman <hartmans-ietf@mit.edu>, Jeffrey Hutzelman <jhutz@cmu.edu>, channel-binding@ietf.org, ietf-sasl@imc.org
References: <tslk5pwugzz.fsf@mit.edu> <20071009212516.GP24532@Sun.COM> <73A1D8BFF0B322B71283BF6B@sirius.fac.cs.cmu.edu> <20071010143650.GT24532@Sun.COM> <tslmyurnhmv.fsf@mit.edu> <20071010154115.GY24532@Sun.COM> <87hckz2ado.fsf@mocca.josefsson.org> <5A6B5081F6ECBC610E6C2C12@sirius.fac.cs.cmu.edu> <20071011151015.GN24532@Sun.COM> <tsl1wc1boha.fsf@mit.edu>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <tsl1wc1boha.fsf@mit.edu>
User-Agent: Mutt/1.5.7i
X-Spam-Score: 0.0 (/)
X-Scan-Signature: f4c2cf0bccc868e4cc88dace71fb3f44
Cc: channel-binding@ietf.org, ietf-sasl@imc.org
X-BeenThere: channel-binding@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Discussion of channel binding IANA registry requests and specifications <channel-binding.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/channel-binding>, <mailto:channel-binding-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/channel-binding>
List-Post: <mailto:channel-binding@ietf.org>
List-Help: <mailto:channel-binding-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/channel-binding>, <mailto:channel-binding-request@ietf.org?subject=subscribe>
Errors-To: channel-binding-bounces@ietf.org

On Thu, Oct 11, 2007 at 12:33:21PM -0400, Sam Hartman wrote:
> I've become convinced that clarification is needed.
> I'll note that it's simpler if we say there is always one slot and that the
> 	challeng binding data includes the prefix and the separator.

Sure.

There already is a requirement that the name of the channel binding type
must be used to avoid ambiguity (3rd bullet, page 7).

I propose the following addition to that requirement:  "Where the
authentication interfaces provide a slot for channel binding data but no
slot for channel binfing type, then the application MUST prefix the
US-ASCII name of the channel binding type ("prefix"), and a separator
character, ':', to the channel binding data an octet string."

> I think that option is most likely to be interoperable.

The risk in not giving this guidance is that some apps/frameworks will
get this wrong.  I'm not sure that there's risk to interoperability, but
there's no need to argue about that.

> One down side of that option is that there may be people using channel
> bindings with GSS today in a manner that differs from that.

Tough.  But then, there aren't many of them.  Also, the ambiguity is
extremely unlikely to cause any problems, except in nested channel
circumstances.

> It probably is not a big deal since any given application will either
> use this framework or not.

Right.

> However we could be neutral on whether applications need one slot or
> two.  If so, we need to at least say that we're neutral on this.  I
> think we need to at least define a separator to use when you only have
> one slot.

That's my position.  However, if the consensus is that we should take a
less neutral position on this then I would propose this text:

   o In the interests of simplicity it is RECOMMENDED that
     authentication framework/mechanism APIs provide a single slot for
     channel binding data, and none for the name of channel binding
     type.

If we want to stay neutral on this issue we can always add this text:

   o Authentication framework/mechanism APIs MAY provide a slot for name
     of channel binding type that is distinct from a slot for channel
     binding data.  In that case applications MUST NOT prefix the name
     of the channel binding type to the channel binding data and MUST
     instead provide the name of the channel binding type as an input in
     the correct slot.

Nico
-- 

_______________________________________________
CHANNEL-BINDING mailing list
CHANNEL-BINDING@ietf.org
https://www1.ietf.org/mailman/listinfo/channel-binding

v2.23.0 | Report a Bug | By Email