Re: [CHANNEL-BINDING] TLS endpoint channel bindings in SCRAM
<Pasi.Eronen@nokia.com> Fri, 03 April 2009 12:33 UTC
Return-Path: <Pasi.Eronen@nokia.com>
X-Original-To: channel-binding@core3.amsl.com
Delivered-To: channel-binding@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix)
with ESMTP id E3F0D28C27D for <channel-binding@core3.amsl.com>;
Fri, 3 Apr 2009 05:33:27 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.459
X-Spam-Level:
X-Spam-Status: No, score=-6.459 tagged_above=-999 required=5 tests=[AWL=0.140,
BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com
[127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3mnlifiAo+ws for
<channel-binding@core3.amsl.com>; Fri, 3 Apr 2009 05:33:27 -0700 (PDT)
Received: from mgw-mx03.nokia.com (smtp.nokia.com [192.100.122.230]) by
core3.amsl.com (Postfix) with ESMTP id 57D3A28C272 for
<channel-binding@ietf.org>; Fri, 3 Apr 2009 05:33:00 -0700 (PDT)
Received: from esebh105.NOE.Nokia.com (esebh105.ntc.nokia.com
[172.21.138.211]) by mgw-mx03.nokia.com (Switch-3.2.6/Switch-3.2.6) with
ESMTP id n33CXfLq013384; Fri, 3 Apr 2009 15:33:56 +0300
Received: from vaebh102.NOE.Nokia.com ([10.160.244.23]) by
esebh105.NOE.Nokia.com with Microsoft SMTPSVC(6.0.3790.3959);
Fri, 3 Apr 2009 15:33:55 +0300
Received: from smtp.mgd.nokia.com ([65.54.30.6]) by vaebh102.NOE.Nokia.com
over TLS secured channel with Microsoft SMTPSVC(6.0.3790.3959);
Fri, 3 Apr 2009 15:33:48 +0300
Received: from nok-am1mhub-08.mgdnok.nokia.com (65.54.30.15) by
NOK-am1MHUB-02.mgdnok.nokia.com (65.54.30.6) with Microsoft SMTP Server (TLS)
id 8.1.340.0; Fri, 3 Apr 2009 14:33:47 +0200
Received: from NOK-EUMSG-01.mgdnok.nokia.com ([65.54.30.86]) by
nok-am1mhub-08.mgdnok.nokia.com ([65.54.30.15]) with mapi;
Fri, 3 Apr 2009 14:33:47 +0200
From: <Pasi.Eronen@nokia.com>
To: <Nicolas.Williams@sun.com>, <dave@cridland.net>
Date: Fri, 3 Apr 2009 14:33:47 +0200
Thread-Topic: TLS endpoint channel bindings in SCRAM
Thread-Index: AcmzIVyLFrIwMFOjQXm6luyyF7ZehABNXNrQ
Message-ID: <808FD6E27AD4884E94820BC333B2DB7727F21CDF28@NOK-EUMSG-01.mgdnok.nokia.com>
References: <5690.1237934257.266964@peirce.dave.cridland.net>
<20090401225220.GA1500@Sun.COM>
In-Reply-To: <20090401225220.GA1500@Sun.COM>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginalArrivalTime: 03 Apr 2009 12:33:48.0305 (UTC)
FILETIME=[6FD3E810:01C9B458]
X-Nokia-AV: Clean
X-Mailman-Approved-At: Fri, 03 Apr 2009 08:02:32 -0700
Cc: Mark.Novak@microsoft.com, channel-binding@ietf.org, stefans@microsoft.com,
lzhu@windows.microsoft.com, ietf-sasl@imc.org, paulle@windows.microsoft.com,
kdamour@microsoft.com, jaltman@secure-endpoints.com, hartmans-ietf@mit.edu
Subject: Re: [CHANNEL-BINDING] TLS endpoint channel bindings in SCRAM
X-BeenThere: channel-binding@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Discussion of channel binding IANA registry requests and
specifications <channel-binding.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/channel-binding>,
<mailto:channel-binding-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/channel-binding>
List-Post: <mailto:channel-binding@ietf.org>
List-Help: <mailto:channel-binding-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/channel-binding>,
<mailto:channel-binding-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 03 Apr 2009 12:33:28 -0000
Nicolas Williams wrote: > Questions: > > 1) Do many/most/all TLS implementations output the DER-encoded form of > the server cert? Which ones do/don't? > > 2) Is the cert used on the wire generally NOT DER-encoded? If so, how > hard would it be to change this? (e.g., re-encode the cert and > restart apps?) Although the TLS spec doesn't explicitly say this, the on-the-wire certificate is DER encoded. There's no field specifying what the encoding is, so if you attempt sending PER or XER, it simply won't work. Some implementations might accept some limited subset of BER (to work around CA bugs), but even in those cases, nobody's going to re-encode it to DER (most likely the CA calculated the signature over BER encoded version -- violating all possible standards -- and the API would return the octets sent on the wire). So I don't see any problem in using the tls-server-end-point channel binding... (and it seems it would work for OpenPGP, too) Best regards, Pasi
- Re: [CHANNEL-BINDING] TLS endpoint channel bindin… Nicolas Williams
- Re: [CHANNEL-BINDING] TLS endpoint channel bindin… Simon Josefsson
- Re: [CHANNEL-BINDING] TLS endpoint channel bindin… Dave Cridland
- Re: [CHANNEL-BINDING] TLS endpoint channel bindin… Pasi.Eronen
- Re: [CHANNEL-BINDING] TLS endpoint channel bindin… Nicolas Williams
- Re: [CHANNEL-BINDING] TLS endpoint channel bindin… Nicolas Williams
- Re: [CHANNEL-BINDING] TLS endpoint channel bindin… Dave Cridland
- Re: [CHANNEL-BINDING] TLS endpoint channel bindin… Nicolas Williams