Re: [CHANNEL-BINDING] New channel binding type similar to "tls-server-end-point"
Alexey Melnikov <alexey.melnikov@isode.com> Mon, 13 February 2023 15:13 UTC
Return-Path: <alexey.melnikov@isode.com>
X-Original-To: channel-binding@ietfa.amsl.com
Delivered-To: channel-binding@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 02A69C152561 for <channel-binding@ietfa.amsl.com>; Mon, 13 Feb 2023 07:13:51 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, NICE_REPLY_A=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=isode.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id sL3chuMKY4mT for <channel-binding@ietfa.amsl.com>; Mon, 13 Feb 2023 07:13:46 -0800 (PST)
Received: from waldorf.isode.com (waldorf.isode.com [62.232.206.188]) by ietfa.amsl.com (Postfix) with ESMTP id A7340C1516E3 for <channel-binding@ietf.org>; Mon, 13 Feb 2023 07:13:46 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; t=1676301225; d=isode.com; s=june2016; i=@isode.com; bh=h79wKnB1KrmD4GEVSGec+o+yJnqS02MNPiE878sXjaA=; h=From:Sender:Reply-To:Subject:Date:Message-ID:To:Cc:MIME-Version: In-Reply-To:References:Content-Type:Content-Transfer-Encoding: Content-ID:Content-Description; b=jDOu/iCwSsV+BwMKyp8uLjYD7O6N//0o0TvGSABJLkmMdbnRH9Uy+h+kJrrpLtW6l7NW+K GbfBR9tN8xfj+tYzidxwd+7kpk0mFEluPZGsVKEUGo64zjc7PIZSAGwa5L1N2pqZiLYe+u QiLNiOTTYEHedc1vjMp5AIjV118arDg=;
Received: from [192.168.1.222] (host31-49-219-77.range31-49.btcentralplus.com [31.49.219.77]) by waldorf.isode.com (submission channel) via TCP with ESMTPSA id <Y-pTqABqmYgV@waldorf.isode.com>; Mon, 13 Feb 2023 15:13:45 +0000
Message-ID: <044e63a0-87e2-3825-e292-978baa178ac2@isode.com>
Date: Mon, 13 Feb 2023 15:13:44 +0000
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Thunderbird/102.6.1
To: Heikki Linnakangas <hlinnaka@iki.fi>, channel-binding@ietf.org
References: <138fe21f-07eb-0588-eb5e-5e974d3c633d@iki.fi>
From: Alexey Melnikov <alexey.melnikov@isode.com>
In-Reply-To: <138fe21f-07eb-0588-eb5e-5e974d3c633d@iki.fi>
MIME-Version: 1.0
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/channel-binding/ujYRTFXIrBYHMA8VIz1ulfR5xUg>
Subject: Re: [CHANNEL-BINDING] New channel binding type similar to "tls-server-end-point"
X-BeenThere: channel-binding@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Discussion of channel binding IANA registry requests and specifications <channel-binding.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/channel-binding>, <mailto:channel-binding-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/channel-binding/>
List-Post: <mailto:channel-binding@ietf.org>
List-Help: <mailto:channel-binding-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/channel-binding>, <mailto:channel-binding-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 13 Feb 2023 15:13:51 -0000
Hi Heikki, On 10/02/2023 15:01, Heikki Linnakangas wrote: > Currently, "tls-server-end-point" channel binding type is undefined if > the server certificate's signatureAlgorithm field does not > unambiguously specify a hash function. See [RFC5929], section 4.1. > > I propose a new channel binding type, > "tls-server-end-point-auth-hash". It is the same as > "tls-server-end-point", but instead of deriving the hash function from > the certificate's signatureAlgorithm, it uses the same hash function > that is used by the authentication method. So when it is used with > SCRAM-SHA-256, for example, SHA-256 is used. > > If I'm reading correctly between the lines in RFC5929, the reason that > "tls-server-end-point" was defined to use the hash algorithm in the > signatureAlgorithm was to provide hash agility. However, when used > with an authentication mechanism like SCRAM-SHA-256, that agility > seems pointless; the security relies on SHA-256 anyway. This proposed > variant has the advantage that it can be used with all TLS > certificates, regardless of the signatureAlgorithm, and you don't need > any extra hash functions other than the one that's used by the > authentication mechanism anyway. > > I'm not familiar with the IETF processes. What do I need to do to get > that registered? The IANA registry <https://www.iana.org/assignments/channel-binding-types/channel-binding-types.xhtml> states that the registration procedure is Expert Review. So basically you can email IANA iana@iana.org (or use the web form https://www.iana.org/protocols/apply) to request a registration. Best Regards, Alexey > > > Background: > > PostgreSQL supports the SCRAM-SHA-256-PLUS authentication with > "tls-server-end-point" channel binding. However, because it is > undefined for some certificates, channel binding cannot be used with > ED448 and ED25519 certificates, for example. We would like to support > channel binding with all server certificates. > > A user ran into this with an rsassaPss certificate, and for that we > could perhaps derive the hash algorithm by looking into the > rsaSsaParams field of the certificate, in addition to > signatureAlgorithm. But that seems like over-interpreting RFC5929, and > doesn't solve the general case anyway. See discussion on the > PostgreSQL mailing list: > https://www.postgresql.org/message-id/687f8e73-e511-6994-c2e2-3cc55633fab6%40iki.fi > > PS. The reason that PostgreSQL implements "tls-server-end-point" and > not "tls-unique", even though RFC 5802 clearly says that a server MUST > support "tls-unique" if any channel binding type is supported, is that > when it was implemented, the future of "tls-unique" was unclear. There > were security concerns with it and TLS renegotiation, and it was > undefined for TLSv1.3. Also, not all TLS implementations provided an > interface to export the material needed for "tls-unique". There has > been discussion on implementing the new "tls-exporter" binding with > TLSv1.3, but even if we add support for that, we will likely still > continue to support "tls-server-end-point" for a long time. > > - Heikki > > _______________________________________________ > CHANNEL-BINDING mailing list > CHANNEL-BINDING@ietf.org > https://www.ietf.org/mailman/listinfo/channel-binding
- [CHANNEL-BINDING] New channel binding type simila… Heikki Linnakangas
- Re: [CHANNEL-BINDING] New channel binding type si… Alexey Melnikov