Re: [CHANNEL-BINDING] Re: draft-ietf-sasl-gs2 AD review comments

Simon Josefsson <simon@josefsson.org> Wed, 10 October 2007 16:59 UTC

From: Simon Josefsson <simon@josefsson.org>
To: Sam Hartman <hartmans-ietf@mit.edu>
Subject: Re: [CHANNEL-BINDING] Re: draft-ietf-sasl-gs2 AD review comments
References: <tslbqcf8eou.fsf@mit.edu> <871wc46umk.fsf@mocca.josefsson.org> <tsl4ph0vz30.fsf@mit.edu> <20071009203406.GL24532@Sun.COM> <tslk5pwugzz.fsf@mit.edu> <20071009212516.GP24532@Sun.COM> <73A1D8BFF0B322B71283BF6B@sirius.fac.cs.cmu.edu> <20071010143650.GT24532@Sun.COM> <tslmyurnhmv.fsf@mit.edu> <20071010154115.GY24532@Sun.COM> <tsld4vnj78x.fsf@mit.edu>
OpenPGP: id=B565716F; url=http://josefsson.org/key.txt
Date: Wed, 10 Oct 2007 18:58:45 +0200
In-Reply-To: <tsld4vnj78x.fsf@mit.edu> (Sam Hartman's message of "Wed, 10 Oct 2007 11:53:50 -0400")
Message-ID: <87d4vm3nzu.fsf@mocca.josefsson.org>
User-Agent: Gnus/5.110007 (No Gnus v0.7) Emacs/22.1 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Cc: channel-binding@ietf.org, ietf-sasl@imc.org

Sam Hartman <hartmans-ietf@mit.edu> writes:

>>>>>> "Nicolas" == Nicolas Williams <Nicolas.Williams@sun.com> writes:
>
>     Nicolas> On Wed, Oct 10, 2007 at 10:55:52AM -0400, Sam Hartman
>     Nicolas> wrote: I believe the text of the I-D is clear on the
>     Nicolas> above.  Thus your protocol issues are taken care of.
>     >>  Well, my reading of the ID is that the protocol needs two
>     >> slots--one for a prefix and one for a channel binding octet
>     >> string.  Simon is arguing that we only want to have one slot.
>     >> I'm fine with that if we want to make that change.
>
>     Nicolas> I don't agree.  The I-D is clear on channel bindings
>     Nicolas> being a single octet string.  The prefix is a US-ASCII
>     Nicolas> string prefixed to the raw channel binding octet string.
>     Nicolas> After the prefix is added you still have a single octet
>     Nicolas> string.
>
> O, I think Simon and I thought it was called a prefix because we
> expected it to be prefixed in a lot of protocols.  I don't read the
> current text that way at all.
>
> I think Simon, Jeff and I would be happy if the draft did actually say
> that.
> Simon, would you be willing to propose a change?

I'm confused by the on-channel-binding document and I'm not convinced
any minor change would have made the document clearer to me.

What I'm looking for is a recipe to reference on-channel-binding in an
authentication protocol like GS2.  GS2 wants to bind authentication to a
secure channel such as TLS.  That seems to be a fairly simple and common
way to use the on-channel-binding document (or?) so the length of this
discussion, and the lack of specific suggestions for GS2, suggest to me
that something is missing from the channel binding document.

What I'm looking for is something like this:

  X. Requirements On Frameworks That Use Channel Bindings

  Frameworks that wish to utilize a channel binding mechanism by
  referencing this document MUST transfer both the channel binding name
  (the unique prefix) and the channel binding data.  This MAY be done by
  concatenating the two strings.

/Simon
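The "one slot" encoding Simon proposes (channel binding name prefix and channel binding data carried as a single octet string) can be illustrated with a small Python example. This is an added example, not code from the draft, from GS2, or from any project on this thread; the ':' delimiter, the type name "tls-unique", and the sample channel data are assumptions constructed for illustration.

```python
"""Channel binding as a single octet string: name prefix + data.

Added illustration of concatenating the channel binding type name with the
raw channel binding data, and of the peer's verification step. The ':'
delimiter and the names used here are assumptions, not taken from any RFC.
"""
import hmac
from typing import Tuple

DELIM = b":"  # assumed delimiter between the US-ASCII name and the raw data


def encode_channel_binding(cb_name: str, cb_data: bytes) -> bytes:
    """Return name + ':' + data as one octet string.

    The name is restricted to US-ASCII without ':' so that the boundary
    between name and data can be found again by the receiver.
    """
    name = cb_name.encode("ascii")  # raises UnicodeEncodeError if not US-ASCII
    if not name or DELIM in name:
        raise ValueError("channel binding name must be non-empty and contain no ':'")
    return name + DELIM + cb_data


def decode_channel_binding(octets: bytes) -> Tuple[str, bytes]:
    """Split one octet string back into (name, data) at the first ':'.

    Because the name never contains ':', the first delimiter is unambiguous
    even when the raw channel binding data itself contains ':' bytes.
    """
    name, sep, data = octets.partition(DELIM)
    if not sep:
        raise ValueError("octet string carries no channel binding name prefix")
    return name.decode("ascii"), data


def verify_channel_binding(received: bytes, expected_name: str, local_cb_data: bytes) -> bool:
    """Server-side check that the client bound to the same channel type and the same channel.

    A mismatch in the name means the two sides disagree on what they are
    binding to; a mismatch in the data is what exposes a relayed or
    man-in-the-middle'd secure channel. Comparison is constant-time.
    """
    try:
        name, data = decode_channel_binding(received)
    except (ValueError, UnicodeDecodeError):
        return False
    if name != expected_name:
        return False
    return hmac.compare_digest(data, local_cb_data)


# Constructed sample values standing in for a TLS channel's unique value as seen
# by each endpoint. They are not real TLS output.
CLIENT_TLS_UNIQUE = bytes.fromhex("0b1f2e3d4c5b6a79")
SERVER_TLS_UNIQUE = bytes.fromhex("0b1f2e3d4c5b6a79")       # same channel
OTHER_TLS_UNIQUE = bytes.fromhex("ffeeddccbbaa9988")        # a different channel


def demo() -> dict:
    """Run the three cases a framework implementer cares about."""
    wire = encode_channel_binding("tls-unique", CLIENT_TLS_UNIQUE)
    return {
        "wire": wire,
        "same_channel": verify_channel_binding(wire, "tls-unique", SERVER_TLS_UNIQUE),
        "different_channel": verify_channel_binding(wire, "tls-unique", OTHER_TLS_UNIQUE),
        "different_type": verify_channel_binding(wire, "tls-server-end-point", SERVER_TLS_UNIQUE),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The point of carrying the name inside the same octet string is visible in the third case: even when the raw data happens to match, a peer that bound to a different channel binding type is rejected, which is what the "MUST transfer both the channel binding name and the channel binding data" requirement buys.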

_______________________________________________
CHANNEL-BINDING mailing list
CHANNEL-BINDING@ietf.org
https://www1.ietf.org/mailman/listinfo/channel-binding