IETF Logo Mail Archive

Re: [CHANNEL-BINDING] TLS endpoint channel bindings in SCRAM

Nicolas Williams <Nicolas.Williams@sun.com> Fri, 03 April 2009 15:41 UTC

Return-Path: <Nicolas.Williams@sun.com>
X-Original-To: channel-binding@core3.amsl.com
Delivered-To: channel-binding@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 815DC3A6D54 for <channel-binding@core3.amsl.com>; Fri, 3 Apr 2009 08:41:45 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.799
X-Spam-Level:
X-Spam-Status: No, score=-4.799 tagged_above=-999 required=5 tests=[AWL=-0.765, BAYES_00=-2.599, FAKE_REPLY_C=2.012, HELO_MISMATCH_COM=0.553, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id eCQ4y8sk3lye for <channel-binding@core3.amsl.com>; Fri, 3 Apr 2009 08:41:44 -0700 (PDT)
Received: from sca-ea-mail-3.sun.com (sca-ea-mail-3.Sun.COM [192.18.43.21]) by core3.amsl.com (Postfix) with ESMTP id 5898D3A67FB for <channel-binding@ietf.org>; Fri, 3 Apr 2009 08:41:23 -0700 (PDT)
Received: from dm-central-01.central.sun.com ([129.147.62.4]) by sca-ea-mail-3.sun.com (8.13.6+Sun/8.12.9) with ESMTP id n33FgQvb001757 for <channel-binding@ietf.org>; Fri, 3 Apr 2009 15:42:26 GMT
Received: from binky.Central.Sun.COM (binky.Central.Sun.COM [129.153.128.104]) by dm-central-01.central.sun.com (8.13.8+Sun/8.13.8/ENSMAIL, v2.2) with ESMTP id n33FgPg7027407 for <channel-binding@ietf.org>; Fri, 3 Apr 2009 09:42:25 -0600 (MDT)
Received: from binky.Central.Sun.COM (localhost [127.0.0.1]) by binky.Central.Sun.COM (8.14.3+Sun/8.14.3) with ESMTP id n33FPao5002676; Fri, 3 Apr 2009 10:25:36 -0500 (CDT)
Received: (from nw141292@localhost) by binky.Central.Sun.COM (8.14.3+Sun/8.14.3/Submit) id n33FPaLG002675; Fri, 3 Apr 2009 10:25:36 -0500 (CDT)
X-Authentication-Warning: binky.Central.Sun.COM: nw141292 set sender to Nicolas.Williams@sun.com using -f
Date: Fri, 03 Apr 2009 10:25:36 -0500
From: Nicolas Williams <Nicolas.Williams@sun.com>
To: Dave Cridland <dave@cridland.net>
Message-ID: <20090403152535.GY1500@Sun.COM>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
User-Agent: Mutt/1.5.7i
Cc: Mark Novak <Mark.Novak@microsoft.com>, channel-binding@ietf.org, Stefan Santesson <stefans@microsoft.com>, Larry Zhu <lzhu@windows.microsoft.com>, ietf-sasl@imc.org, Paul Leach <paulle@windows.microsoft.com>, Kevin Damour <kdamour@microsoft.com>, Jeffrey Altman <jaltman@secure-endpoints.com>, Sam Hartman <hartmans-ietf@mit.edu>
Subject: Re: [CHANNEL-BINDING] TLS endpoint channel bindings in SCRAM
X-BeenThere: channel-binding@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Discussion of channel binding IANA registry requests and specifications <channel-binding.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/channel-binding>, <mailto:channel-binding-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/channel-binding>
List-Post: <mailto:channel-binding@ietf.org>
List-Help: <mailto:channel-binding-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/channel-binding>, <mailto:channel-binding-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 03 Apr 2009 15:41:45 -0000

Dave Cridland wrote:
> > - By hard-coding a hash function we'd lose hash agility.  Hash  
> >agility is one of the features of the registered tls-server-end-point
> >channel binding type.  OTOH, as you note, for SCRAM this is solved by
> >the existing SCRAM hash agility approach (add a new mech).
> >
> Yes - it's not ideal, but I'm hoping that by the time hash agility  
> becomes an issue, then we'll have support for the more generic form  
> of the channel binding.

The lack of negotiability of which channel binding type to use makes
this not a good answer (but see below).

> > - We can't really negotiate which type of channel binding to use.   
> >It's relatively easy to choose between unique and server-end-point,
> >but to choose between two types of server-end-point bindings is much
> >harder (unless it's a choice made at specification time, in this case
> >for SASL/SCRAM).
> >
> But clients must stipulate which they have used.

That doesn't mean it's negotiable.  GSS-API semantics do not allow the
acceptor to find out what channel binding type the client used.

We could put the channel binding type in the GS2 header -- that would
solve that problem.  But still, the server now has to support multiple
channel binding types and now we need a way to advertise that to the
client -- otherwise the client and server could disagree and fail to
authenticate.

> >   Neither modifying tls-server-end-point nor introducing a  
> >different variant of it seem particularly appealing.  The former may
> >well  be out of the barn's doors, which would leave us only with the
> >latter choice (or fix the TLS frameworks :)
> 
> I think tls-server-end-point is a fine binding.
> 
> My problem is that it'll be years before it's available on many  
> platforms, and I think we can provide more immediately implementable  
> security than that.

Pasi's comment indicates that your premise for this thread is wrong.  I
don't know though.  Can you comment on Pasi's comments?  Are there any
commonly used TLS implementations that encode the server cert
differently on the wire than in their APIs for getting at the server
cert?  I seriously doubt that on the _client_ side, but also, I doubt it
on the server side.  Why would anyone want to write code to re-encode
certs on the fly when that can be done once at configuration time, or
never at all if the CA just does the right thing and issues a DER
certificate.

Also, even if there were implementations that re-encode non-DER certs
into DER for that API, surely, surely one could re-encode the cert at
configuration time so that it's in DER to begin with as far as the TLS
implementation goes -- then there's no need to re-encode as re-encoding
would be the identity function.

Nico
--

v2.23.0 | Report a Bug | By Email