Re: [CHANNEL-BINDING] Re: draft-ietf-sasl-gs2 AD review comments
Jeffrey Hutzelman <jhutz@cmu.edu> Thu, 11 October 2007 17:28 UTC
Return-path: <channel-binding-bounces@ietf.org>
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com)
by megatron.ietf.org with esmtp (Exim 4.43)
id 1Ig1ps-0002F5-3i; Thu, 11 Oct 2007 13:28:36 -0400
Received: from [10.90.34.44] (helo=chiedprmail1.ietf.org)
by megatron.ietf.org with esmtp (Exim 4.43) id 1Ig1pq-0002DD-U0
for channel-binding@ietf.org; Thu, 11 Oct 2007 13:28:34 -0400
Received: from minbar.fac.cs.cmu.edu ([128.2.185.161])
by chiedprmail1.ietf.org with smtp (Exim 4.43) id 1Ig1pq-0007In-ET
for channel-binding@ietf.org; Thu, 11 Oct 2007 13:28:34 -0400
Received: from minbar.fac.cs.cmu.edu ([127.0.0.1]) by minbar.fac.cs.cmu.edu
id aa10879; 11 Oct 2007 13:28 EDT
Date: Thu, 11 Oct 2007 13:28:07 -0400 (EDT)
From: Jeffrey Hutzelman <jhutz@cmu.edu>
X-X-Sender: <jhutz@minbar.fac.cs.cmu.edu>
To: Nicolas Williams <Nicolas.Williams@sun.com>
Subject: Re: [CHANNEL-BINDING] Re: draft-ietf-sasl-gs2 AD review comments
In-Reply-To: <20071011171012.GP24532@Sun.COM>
Message-ID: <Pine.LNX.4.33L.0710111317040.8820-100000@minbar.fac.cs.cmu.edu>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 52f7a77164458f8c7b36b66787c853da
Cc: ietf-sasl@imc.org, channel-binding@ietf.org,
Sam Hartman <hartmans-ietf@mit.edu>
X-BeenThere: channel-binding@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Discussion of channel binding IANA registry requests and
specifications <channel-binding.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/channel-binding>,
<mailto:channel-binding-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/channel-binding>
List-Post: <mailto:channel-binding@ietf.org>
List-Help: <mailto:channel-binding-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/channel-binding>,
<mailto:channel-binding-request@ietf.org?subject=subscribe>
Errors-To: channel-binding-bounces@ietf.org
On Thu, 11 Oct 2007, Nicolas Williams wrote:
> > However we could be neutral on whether applications need one slot or
> > two. If so, we need to at least say that we're neutral on this. I
> > think we need to at least define a separator to use when you only have
> > one slot.
>
> That's my position. However, if the consensus is that we should take a
> less neutral position on this then I would propose this text:
I'm fine with taking a neutral position, just not an unclear one. The
problem I see today is that an application protocol designer may assume
that the channel bindign data is self-identifying; that is, that the
base channel binding document describes a single octet string containing
the prefix. But the present document does _not_ describe a single octet
string; it describes a prefix and an octet string separately, and does not
specify how to combine them, except by calling the one a "prefix", which
is just vague enough to convince the casual reader that it's obvious what
to do. After all, we didn't notice the problem until Simon tried to
define an application, and he's probably more aware of the issue than
most.
So, I think we need to do one of three things:
(1) Require that the prefix and data always be combined in a particular
way, resulting in a single octet string for the application to work
with(*).
(2) Specify a particular way of combining the prefix and data, for use
when the application wants or needs to work with a single octet
string. Indicate that it is up to the application whether to use
this method or treat the prefix and data separately.
(3) Clearly indicate that the prefix and data are separate, and that
it is up to the application whether to handle them separately or
together.
Especially in case (3), I think a lot of the ambiguity can be removed by
not using the word "prefix", which implies a particular approach to
combining what are really two separate protocol elements. This usage
seems to be an artifact of how channel bindings are expected to be
transported in GSS-API and not really something that belongs in a generic
document.
> o In the interests of simplicity it is RECOMMENDED that
> authentication framework/mechanism APIs provide a single slot for
> channel binding data, and none for the name of channel binding
> type.
>
> If we want to stay neutral on this issue we can always add this text:
>
> o Authentication framework/mechanism APIs MAY provide a slot for name
> of channel binding type that is distinct from a slot for channel
> binding data. In that case applications MUST NOT prefix the name
> of the channel binding type to the channel binding data and MUST
> instead provide the name of the channel binding type as an input in
> the correct slot.
This sort of assumes that the "obvious" thing to do is prfix the name to
the data, rather than treating them separately. That sssumption seems
flawed to me, and the source of much confusion.
-- Jeff
_______________________________________________
CHANNEL-BINDING mailing list
CHANNEL-BINDING@ietf.org
https://www1.ietf.org/mailman/listinfo/channel-binding
- [CHANNEL-BINDING] Re: draft-ietf-sasl-gs2 AD revi… Sam Hartman
- [CHANNEL-BINDING] Re: draft-ietf-sasl-gs2 AD revi… Simon Josefsson
- Re: [CHANNEL-BINDING] Re: draft-ietf-sasl-gs2 AD … Jeffrey Hutzelman
- [CHANNEL-BINDING] Re: draft-ietf-sasl-gs2 AD revi… Nicolas Williams
- Re: [CHANNEL-BINDING] Re: draft-ietf-sasl-gs2 AD … Nicolas Williams
- [CHANNEL-BINDING] Re: draft-ietf-sasl-gs2 AD revi… Simon Josefsson
- [CHANNEL-BINDING] Re: draft-ietf-sasl-gs2 AD revi… Sam Hartman
- Re: [CHANNEL-BINDING] Re: draft-ietf-sasl-gs2 AD … Nicolas Williams
- Re: [CHANNEL-BINDING] Re: draft-ietf-sasl-gs2 AD … Jeffrey Hutzelman
- Re: [CHANNEL-BINDING] Re: draft-ietf-sasl-gs2 AD … Sam Hartman
- Re: [CHANNEL-BINDING] Re: draft-ietf-sasl-gs2 AD … Jeffrey Hutzelman
- Re: [CHANNEL-BINDING] Re: draft-ietf-sasl-gs2 AD … Sam Hartman
- Re: [CHANNEL-BINDING] Re: draft-ietf-sasl-gs2 AD … Nicolas Williams
- Re: [CHANNEL-BINDING] Re: draft-ietf-sasl-gs2 AD … Sam Hartman
- Re: [CHANNEL-BINDING] Re: draft-ietf-sasl-gs2 AD … Jeffrey Hutzelman
- Re: [CHANNEL-BINDING] Re: draft-ietf-sasl-gs2 AD … Jeffrey Hutzelman
- Re: [CHANNEL-BINDING] Re: draft-ietf-sasl-gs2 AD … Nicolas Williams
- Re: [CHANNEL-BINDING] Re: draft-ietf-sasl-gs2 AD … Nicolas Williams
- Re: [CHANNEL-BINDING] Re: draft-ietf-sasl-gs2 AD … Jeffrey Hutzelman
- Re: [CHANNEL-BINDING] Re: draft-ietf-sasl-gs2 AD … Nicolas Williams
- Re: [CHANNEL-BINDING] Re: draft-ietf-sasl-gs2 AD … Sam Hartman
- Re: [CHANNEL-BINDING] Re: draft-ietf-sasl-gs2 AD … Sam Hartman
- Re: [CHANNEL-BINDING] Re: draft-ietf-sasl-gs2 AD … Nicolas Williams
- Re: [CHANNEL-BINDING] Re: draft-ietf-sasl-gs2 AD … Simon Josefsson
- Re: [CHANNEL-BINDING] Re: draft-ietf-sasl-gs2 AD … Simon Josefsson
- Re: [CHANNEL-BINDING] Re: draft-ietf-sasl-gs2 AD … Jeffrey Hutzelman
- Re: [CHANNEL-BINDING] Re: draft-ietf-sasl-gs2 AD … Nicolas Williams
- Re: [CHANNEL-BINDING] Re: draft-ietf-sasl-gs2 AD … Sam Hartman
- Re: [CHANNEL-BINDING] Re: draft-ietf-sasl-gs2 AD … Nicolas Williams
- Re: [CHANNEL-BINDING] Re: draft-ietf-sasl-gs2 AD … Jeffrey Hutzelman
- Re: [CHANNEL-BINDING] Re: draft-ietf-sasl-gs2 AD … Nicolas Williams
- Re: [CHANNEL-BINDING] Re: draft-ietf-sasl-gs2 AD … Jeffrey Hutzelman
- Re: [CHANNEL-BINDING] Re: draft-ietf-sasl-gs2 AD … Simon Josefsson
- Re: [CHANNEL-BINDING] Re: draft-ietf-sasl-gs2 AD … Sam Hartman
- Re: [CHANNEL-BINDING] Re: draft-ietf-sasl-gs2 AD … Nicolas Williams
- Re: [CHANNEL-BINDING] Re: draft-ietf-sasl-gs2 AD … Alexey Melnikov
- Re: [CHANNEL-BINDING] Re: draft-ietf-sasl-gs2 AD … Simon Josefsson
- Re: [CHANNEL-BINDING] Re: draft-ietf-sasl-gs2 AD … Sam Hartman
- Re: [CHANNEL-BINDING] Re: draft-ietf-sasl-gs2 AD … Jeffrey Hutzelman