IETF Logo Mail Archive

Re: [CHANNEL-BINDING] Re: draft-ietf-sasl-gs2 AD review comments

Nicolas Williams <Nicolas.Williams@sun.com> Tue, 09 October 2007 20:37 UTC

Return-path: <channel-binding-bounces@ietf.org>
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1IfLpv-0004gC-G2; Tue, 09 Oct 2007 16:37:51 -0400
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1IfLpt-0004ar-TQ for channel-binding@ietf.org; Tue, 09 Oct 2007 16:37:49 -0400
Received: from brmea-mail-1.sun.com ([192.18.98.31]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1IfLpn-0002rM-LP for channel-binding@ietf.org; Tue, 09 Oct 2007 16:37:49 -0400
Received: from centralmail2brm.Central.Sun.COM ([129.147.62.14]) by brmea-mail-1.sun.com (8.13.6+Sun/8.12.9) with ESMTP id l99KbXT6004636 for <channel-binding@ietf.org>; Tue, 9 Oct 2007 20:37:33 GMT
Received: from binky.Central.Sun.COM (binky.Central.Sun.COM [129.153.128.104]) by centralmail2brm.Central.Sun.COM (8.13.6+Sun/8.13.6/ENSMAIL, v2.2) with ESMTP id l99KbWKP000881 for <channel-binding@ietf.org>; Tue, 9 Oct 2007 14:37:32 -0600 (MDT)
Received: from binky.Central.Sun.COM (localhost [127.0.0.1]) by binky.Central.Sun.COM (8.14.1+Sun/8.14.1) with ESMTP id l99KbW66025210; Tue, 9 Oct 2007 15:37:32 -0500 (CDT)
Received: (from nw141292@localhost) by binky.Central.Sun.COM (8.14.1+Sun/8.14.1/Submit) id l99KbVhZ025209; Tue, 9 Oct 2007 15:37:31 -0500 (CDT)
X-Authentication-Warning: binky.Central.Sun.COM: nw141292 set sender to Nicolas.Williams@sun.com using -f
Date: Tue, 09 Oct 2007 15:37:31 -0500
From: Nicolas Williams <Nicolas.Williams@sun.com>
To: Jeffrey Hutzelman <jhutz@cmu.edu>
Subject: Re: [CHANNEL-BINDING] Re: draft-ietf-sasl-gs2 AD review comments
Message-ID: <20071009203731.GM24532@Sun.COM>
Mail-Followup-To: Jeffrey Hutzelman <jhutz@cmu.edu>, Sam Hartman <hartmans-ietf@mit.edu>, Simon Josefsson <simon@josefsson.org>, channel-binding@ietf.org, ietf-sasl@imc.org
References: <tslbqcf8eou.fsf@mit.edu> <871wc46umk.fsf@mocca.josefsson.org> <tsl4ph0vz30.fsf@mit.edu> <60E8559BF5690B813666CABD@sirius.fac.cs.cmu.edu>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <60E8559BF5690B813666CABD@sirius.fac.cs.cmu.edu>
User-Agent: Mutt/1.5.7i
X-Spam-Score: -1.0 (-)
X-Scan-Signature: 50a516d93fd399dc60588708fd9a3002
Cc: channel-binding@ietf.org, Sam Hartman <hartmans-ietf@mit.edu>, ietf-sasl@imc.org
X-BeenThere: channel-binding@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Discussion of channel binding IANA registry requests and specifications <channel-binding.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/channel-binding>, <mailto:channel-binding-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/channel-binding>
List-Post: <mailto:channel-binding@ietf.org>
List-Help: <mailto:channel-binding-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/channel-binding>, <mailto:channel-binding-request@ietf.org?subject=subscribe>
Errors-To: channel-binding-bounces@ietf.org

On Tue, Oct 09, 2007 at 04:26:59PM -0400, Jeffrey Hutzelman wrote:
> I think the base draft is almost perfectly unclear on this issue.  The 

:(

> requirement Simon quotes makes it clear that the channel type must be 
> communicated and that the application must use it to determine which 
> channel's bindings are acutally in use, but says nothing about whether the 
> communication is up to the application or by virtue of the channel binding 
> data being self-identifying.
> 
> Another listed requirements is this:
> 
>   o  The channel bindings for a given type of secure channel MUST be
>      constructed in such a way that an MITM could not easily force the
>      channel bindings of a given channel to match those of another.
> 
> On the one hand, this suggests that channel bindings are _not_ inherently 
> self-identifying, but at the same time, it imposes a requirement that is 
> most easily met by making them so.  In addition, there are many places 
> where the base document refers to the channel type name as a "prefix", 
> implying that all channel bindings would start with a channel type name.

The intention was for the applications to add the prefix (channel
bindings being an octet string there's no need for an additional
"slot").

> So, I think we need to update the base document to be clear on what should 
> happen here.  I believe that correct behavior requires that channel types 
> be identified in a consistent way for all channels, so this cannot be up to 
> the individual channel type specifications.  It could be done on a 
> per-application basis, but I see no benefit to doing so rather than using 
> the same method for all applications.

Hmmm, OK, I could go either way.  But in some cases the application may
be in charge of constructing the channel binding from things like
end-point identities, so the application will be responsible, at least
in some cases, for knowing the prefix and adding it in.

> -- Jeff
> 
> PS: IIRC, draft-williams-on-channel-bindings has already been approved and 
> is awaiting publication as an RFC.  If it needs to change in order to 
> address this issue, maybe someone should give the RFC Editor a heads up?

We're not in AUTH48 yet, so we can still make a clarification here.

Nico
-- 

_______________________________________________
CHANNEL-BINDING mailing list
CHANNEL-BINDING@ietf.org
https://www1.ietf.org/mailman/listinfo/channel-binding

v2.23.0 | Report a Bug | By Email