IETF Logo Mail Archive

Re: [CHANNEL-BINDING] TLS endpoint channel bindings in SCRAM

Dave Cridland <dave@cridland.net> Thu, 02 April 2009 11:31 UTC

Return-Path: <dave@cridland.net>
X-Original-To: channel-binding@core3.amsl.com
Delivered-To: channel-binding@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 568CE3A694F for <channel-binding@core3.amsl.com>; Thu, 2 Apr 2009 04:31:29 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.592
X-Spam-Level:
X-Spam-Status: No, score=-2.592 tagged_above=-999 required=5 tests=[AWL=0.007, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qg13w++kLMf2 for <channel-binding@core3.amsl.com>; Thu, 2 Apr 2009 04:31:28 -0700 (PDT)
Received: from peirce.dave.cridland.net (peirce.dave.cridland.net [217.155.137.61]) by core3.amsl.com (Postfix) with ESMTP id EBC693A6876 for <channel-binding@ietf.org>; Thu, 2 Apr 2009 04:31:27 -0700 (PDT)
Received: from puncture (turner.dave.cridland.net [217.155.137.60]) by peirce.dave.cridland.net (submission) via TCP with ESMTPA id <SdSiRgBD2nRY@peirce.dave.cridland.net>; Thu, 2 Apr 2009 12:32:23 +0100
References: <5690.1237934257.266964@peirce.dave.cridland.net> <20090401225220.GA1500@Sun.COM>
In-Reply-To: <20090401225220.GA1500@Sun.COM>
MIME-Version: 1.0
Message-Id: <4871.1238671941.558047@puncture>
Date: Thu, 02 Apr 2009 12:32:21 +0100
From: Dave Cridland <dave@cridland.net>
To: Nicolas Williams <Nicolas.Williams@sun.com>
Content-Type: text/plain; delsp="yes"; charset="us-ascii"; format="flowed"
X-Mailman-Approved-At: Thu, 02 Apr 2009 04:47:13 -0700
Cc: Mark Novak <Mark.Novak@microsoft.com>, channel-binding@ietf.org, Stefan Santesson <stefans@microsoft.com>, Larry Zhu <lzhu@windows.microsoft.com>, ietf-sasl@imc.org, Paul Leach <paulle@windows.microsoft.com>, Kevin Damour <kdamour@microsoft.com>, Jeffrey Altman <jaltman@secure-endpoints.com>, Sam Hartman <hartmans-ietf@mit.edu>
Subject: Re: [CHANNEL-BINDING] TLS endpoint channel bindings in SCRAM
X-BeenThere: channel-binding@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Discussion of channel binding IANA registry requests and specifications <channel-binding.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/channel-binding>, <mailto:channel-binding-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/channel-binding>
List-Post: <mailto:channel-binding@ietf.org>
List-Help: <mailto:channel-binding-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/channel-binding>, <mailto:channel-binding-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 02 Apr 2009 11:31:29 -0000

On Wed Apr  1 23:52:20 2009, Nicolas Williams wrote:
> 1) Do many/most/all TLS implementations output the DER-encoded form  
> of
>    the server cert?  Which ones do/don't?
> 
> 
Somewhere between many and most. I suspect all the low-level TLS  
stacks (OpenSSL etc) will do. It's the bindings and suchlike I'm more  
concerned with.

In the bindings, however, it's pretty trivial to find a function  
which either hands back the DER form, or else hands back PEM (base64  
of DER), which developers can also use.


> 2) Is the cert used on the wire generally NOT DER-encoded?  If so,  
> how
>    hard would it be to change this?  (e.g., re-encode the cert and
>    restart apps?)
> 
> 
I have absolutely no idea. If I could rely on the cert being DER on  
the wire, we could reduce this to implementation notes, aside from  
the hash issue. I have no idea how to extract that hash algorithm,  
currently, but I could probably figure that out eventually.

If it turns out that tls-server-endpoint *can* be readily implemented  
at least for the common case of X.509 certificates, then I'd be very  
much happier with this outcome.

>  - By hard-coding a hash function we'd lose hash agility.  Hash  
> agility
>    is one of the features of the registered tls-server-end-point  
> channel
>    binding type.  OTOH, as you note, for SCRAM this is solved by the
>    existing SCRAM hash agility approach (add a new mech).
> 
> 
Yes - it's not ideal, but I'm hoping that by the time hash agility  
becomes an issue, then we'll have support for the more generic form  
of the channel binding.


>  - We can't really negotiate which type of channel binding to use.   
> It's
>    relatively easy to choose between unique and server-end-point,  
> but to
>    choose between two types of server-end-point bindings is much  
> harder
>    (unless it's a choice made at specification time, in this case  
> for
>    SASL/SCRAM).
> 
> 
But clients must stipulate which they have used.


>    Neither modifying tls-server-end-point nor introducing a  
> different
>    variant of it seem particularly appealing.  The former may well  
> be
>    out of the barn's doors, which would leave us only with the  
> latter
>    choice (or fix the TLS frameworks :)

I think tls-server-end-point is a fine binding.

My problem is that it'll be years before it's available on many  
platforms, and I think we can provide more immediately implementable  
security than that.

Dave.
-- 
Dave Cridland - mailto:dave@cridland.net - xmpp:dwd@dave.cridland.net
  - acap://acap.dave.cridland.net/byowner/user/dwd/bookmarks/
  - http://dave.cridland.net/
Infotrope Polymer - ACAP, IMAP, ESMTP, and Lemonade

v2.23.0 | Report a Bug | By Email