Re: [CHANNEL-BINDING] Re: draft-ietf-sasl-gs2 AD review comments
Nicolas Williams <Nicolas.Williams@sun.com> Tue, 09 October 2007 20:37 UTC
Return-path: <channel-binding-bounces@ietf.org>
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1IfLpv-0004gC-G2; Tue, 09 Oct 2007 16:37:51 -0400
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1IfLpt-0004ar-TQ for channel-binding@ietf.org; Tue, 09 Oct 2007 16:37:49 -0400
Received: from brmea-mail-1.sun.com ([192.18.98.31]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1IfLpn-0002rM-LP for channel-binding@ietf.org; Tue, 09 Oct 2007 16:37:49 -0400
Received: from centralmail2brm.Central.Sun.COM ([129.147.62.14]) by brmea-mail-1.sun.com (8.13.6+Sun/8.12.9) with ESMTP id l99KbXT6004636 for <channel-binding@ietf.org>; Tue, 9 Oct 2007 20:37:33 GMT
Received: from binky.Central.Sun.COM (binky.Central.Sun.COM [129.153.128.104]) by centralmail2brm.Central.Sun.COM (8.13.6+Sun/8.13.6/ENSMAIL, v2.2) with ESMTP id l99KbWKP000881 for <channel-binding@ietf.org>; Tue, 9 Oct 2007 14:37:32 -0600 (MDT)
Received: from binky.Central.Sun.COM (localhost [127.0.0.1]) by binky.Central.Sun.COM (8.14.1+Sun/8.14.1) with ESMTP id l99KbW66025210; Tue, 9 Oct 2007 15:37:32 -0500 (CDT)
Received: (from nw141292@localhost) by binky.Central.Sun.COM (8.14.1+Sun/8.14.1/Submit) id l99KbVhZ025209; Tue, 9 Oct 2007 15:37:31 -0500 (CDT)
X-Authentication-Warning: binky.Central.Sun.COM: nw141292 set sender to Nicolas.Williams@sun.com using -f
Date: Tue, 09 Oct 2007 15:37:31 -0500
From: Nicolas Williams <Nicolas.Williams@sun.com>
To: Jeffrey Hutzelman <jhutz@cmu.edu>
Subject: Re: [CHANNEL-BINDING] Re: draft-ietf-sasl-gs2 AD review comments
Message-ID: <20071009203731.GM24532@Sun.COM>
Mail-Followup-To: Jeffrey Hutzelman <jhutz@cmu.edu>, Sam Hartman <hartmans-ietf@mit.edu>, Simon Josefsson <simon@josefsson.org>, channel-binding@ietf.org, ietf-sasl@imc.org
References: <tslbqcf8eou.fsf@mit.edu> <871wc46umk.fsf@mocca.josefsson.org> <tsl4ph0vz30.fsf@mit.edu> <60E8559BF5690B813666CABD@sirius.fac.cs.cmu.edu>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <60E8559BF5690B813666CABD@sirius.fac.cs.cmu.edu>
User-Agent: Mutt/1.5.7i
X-Spam-Score: -1.0 (-)
X-Scan-Signature: 50a516d93fd399dc60588708fd9a3002
Cc: channel-binding@ietf.org, Sam Hartman <hartmans-ietf@mit.edu>, ietf-sasl@imc.org
X-BeenThere: channel-binding@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Discussion of channel binding IANA registry requests and specifications <channel-binding.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/channel-binding>, <mailto:channel-binding-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/channel-binding>
List-Post: <mailto:channel-binding@ietf.org>
List-Help: <mailto:channel-binding-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/channel-binding>, <mailto:channel-binding-request@ietf.org?subject=subscribe>
Errors-To: channel-binding-bounces@ietf.org
On Tue, Oct 09, 2007 at 04:26:59PM -0400, Jeffrey Hutzelman wrote: > I think the base draft is almost perfectly unclear on this issue. The :( > requirement Simon quotes makes it clear that the channel type must be > communicated and that the application must use it to determine which > channel's bindings are acutally in use, but says nothing about whether the > communication is up to the application or by virtue of the channel binding > data being self-identifying. > > Another listed requirements is this: > > o The channel bindings for a given type of secure channel MUST be > constructed in such a way that an MITM could not easily force the > channel bindings of a given channel to match those of another. > > On the one hand, this suggests that channel bindings are _not_ inherently > self-identifying, but at the same time, it imposes a requirement that is > most easily met by making them so. In addition, there are many places > where the base document refers to the channel type name as a "prefix", > implying that all channel bindings would start with a channel type name. The intention was for the applications to add the prefix (channel bindings being an octet string there's no need for an additional "slot"). > So, I think we need to update the base document to be clear on what should > happen here. I believe that correct behavior requires that channel types > be identified in a consistent way for all channels, so this cannot be up to > the individual channel type specifications. It could be done on a > per-application basis, but I see no benefit to doing so rather than using > the same method for all applications. Hmmm, OK, I could go either way. But in some cases the application may be in charge of constructing the channel binding from things like end-point identities, so the application will be responsible, at least in some cases, for knowing the prefix and adding it in. > -- Jeff > > PS: IIRC, draft-williams-on-channel-bindings has already been approved and > is awaiting publication as an RFC. If it needs to change in order to > address this issue, maybe someone should give the RFC Editor a heads up? We're not in AUTH48 yet, so we can still make a clarification here. Nico -- _______________________________________________ CHANNEL-BINDING mailing list CHANNEL-BINDING@ietf.org https://www1.ietf.org/mailman/listinfo/channel-binding
- [CHANNEL-BINDING] Re: draft-ietf-sasl-gs2 AD revi… Sam Hartman
- [CHANNEL-BINDING] Re: draft-ietf-sasl-gs2 AD revi… Simon Josefsson
- Re: [CHANNEL-BINDING] Re: draft-ietf-sasl-gs2 AD … Jeffrey Hutzelman
- [CHANNEL-BINDING] Re: draft-ietf-sasl-gs2 AD revi… Nicolas Williams
- Re: [CHANNEL-BINDING] Re: draft-ietf-sasl-gs2 AD … Nicolas Williams
- [CHANNEL-BINDING] Re: draft-ietf-sasl-gs2 AD revi… Simon Josefsson
- [CHANNEL-BINDING] Re: draft-ietf-sasl-gs2 AD revi… Sam Hartman
- Re: [CHANNEL-BINDING] Re: draft-ietf-sasl-gs2 AD … Nicolas Williams
- Re: [CHANNEL-BINDING] Re: draft-ietf-sasl-gs2 AD … Jeffrey Hutzelman
- Re: [CHANNEL-BINDING] Re: draft-ietf-sasl-gs2 AD … Sam Hartman
- Re: [CHANNEL-BINDING] Re: draft-ietf-sasl-gs2 AD … Jeffrey Hutzelman
- Re: [CHANNEL-BINDING] Re: draft-ietf-sasl-gs2 AD … Sam Hartman
- Re: [CHANNEL-BINDING] Re: draft-ietf-sasl-gs2 AD … Nicolas Williams
- Re: [CHANNEL-BINDING] Re: draft-ietf-sasl-gs2 AD … Sam Hartman
- Re: [CHANNEL-BINDING] Re: draft-ietf-sasl-gs2 AD … Jeffrey Hutzelman
- Re: [CHANNEL-BINDING] Re: draft-ietf-sasl-gs2 AD … Jeffrey Hutzelman
- Re: [CHANNEL-BINDING] Re: draft-ietf-sasl-gs2 AD … Nicolas Williams
- Re: [CHANNEL-BINDING] Re: draft-ietf-sasl-gs2 AD … Nicolas Williams
- Re: [CHANNEL-BINDING] Re: draft-ietf-sasl-gs2 AD … Jeffrey Hutzelman
- Re: [CHANNEL-BINDING] Re: draft-ietf-sasl-gs2 AD … Nicolas Williams
- Re: [CHANNEL-BINDING] Re: draft-ietf-sasl-gs2 AD … Sam Hartman
- Re: [CHANNEL-BINDING] Re: draft-ietf-sasl-gs2 AD … Sam Hartman
- Re: [CHANNEL-BINDING] Re: draft-ietf-sasl-gs2 AD … Nicolas Williams
- Re: [CHANNEL-BINDING] Re: draft-ietf-sasl-gs2 AD … Simon Josefsson
- Re: [CHANNEL-BINDING] Re: draft-ietf-sasl-gs2 AD … Simon Josefsson
- Re: [CHANNEL-BINDING] Re: draft-ietf-sasl-gs2 AD … Jeffrey Hutzelman
- Re: [CHANNEL-BINDING] Re: draft-ietf-sasl-gs2 AD … Nicolas Williams
- Re: [CHANNEL-BINDING] Re: draft-ietf-sasl-gs2 AD … Sam Hartman
- Re: [CHANNEL-BINDING] Re: draft-ietf-sasl-gs2 AD … Nicolas Williams
- Re: [CHANNEL-BINDING] Re: draft-ietf-sasl-gs2 AD … Jeffrey Hutzelman
- Re: [CHANNEL-BINDING] Re: draft-ietf-sasl-gs2 AD … Nicolas Williams
- Re: [CHANNEL-BINDING] Re: draft-ietf-sasl-gs2 AD … Jeffrey Hutzelman
- Re: [CHANNEL-BINDING] Re: draft-ietf-sasl-gs2 AD … Simon Josefsson
- Re: [CHANNEL-BINDING] Re: draft-ietf-sasl-gs2 AD … Sam Hartman
- Re: [CHANNEL-BINDING] Re: draft-ietf-sasl-gs2 AD … Nicolas Williams
- Re: [CHANNEL-BINDING] Re: draft-ietf-sasl-gs2 AD … Alexey Melnikov
- Re: [CHANNEL-BINDING] Re: draft-ietf-sasl-gs2 AD … Simon Josefsson
- Re: [CHANNEL-BINDING] Re: draft-ietf-sasl-gs2 AD … Sam Hartman
- Re: [CHANNEL-BINDING] Re: draft-ietf-sasl-gs2 AD … Jeffrey Hutzelman