IETF Logo Mail Archive

[CHANNEL-BINDING] Re: draft-ietf-sasl-gs2 AD review comments

Simon Josefsson <simon@josefsson.org> Tue, 09 October 2007 20:23 UTC

Return-path: <channel-binding-bounces@ietf.org>
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1IfLcV-0003mt-NF; Tue, 09 Oct 2007 16:23:59 -0400
Received: from [10.90.34.44] (helo=chiedprmail1.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1IfLcU-0003lQ-SN for channel-binding@ietf.org; Tue, 09 Oct 2007 16:23:58 -0400
Received: from yxa.extundo.com ([83.241.177.38]) by chiedprmail1.ietf.org with esmtp (Exim 4.43) id 1IfLcU-0005ef-7f for channel-binding@ietf.org; Tue, 09 Oct 2007 16:23:58 -0400
Received: from mocca.josefsson.org (yxa.extundo.com [83.241.177.38]) (authenticated bits=0) by yxa.extundo.com (8.13.4/8.13.4/Debian-3sarge3) with ESMTP id l99KNols004071 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Tue, 9 Oct 2007 22:23:51 +0200
From: Simon Josefsson <simon@josefsson.org>
To: Sam Hartman <hartmans-ietf@mit.edu>
References: <tslbqcf8eou.fsf@mit.edu> <871wc46umk.fsf@mocca.josefsson.org> <tsl4ph0vz30.fsf@mit.edu>
OpenPGP: id=B565716F; url=http://josefsson.org/key.txt
X-Hashcash: 1:22:071009:nicolas.williams@sun.com::WGeInLxRCkIewTqY:2A1s
X-Hashcash: 1:22:071009:ietf-sasl@imc.org::VJf1XVkxh3XKRIzR:7r1s
X-Hashcash: 1:22:071009:channel-binding@ietf.org::MqUJA0MWfluTPRX/:IDJG
X-Hashcash: 1:22:071009:hartmans-ietf@mit.edu::FiAABoknHHVS1qQ0:Pjbc
Date: Tue, 09 Oct 2007 22:23:50 +0200
In-Reply-To: <tsl4ph0vz30.fsf@mit.edu> (Sam Hartman's message of "Tue, 09 Oct 2007 15:59:31 -0400")
Message-ID: <873awk3ull.fsf@mocca.josefsson.org>
User-Agent: Gnus/5.110007 (No Gnus v0.7) Emacs/22.1 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
X-Spam-Status: No, score=-0.0 required=4.0 tests=SPF_PASS autolearn=disabled version=3.1.1
X-Spam-Checker-Version: SpamAssassin 3.1.1 (2006-03-10) on yxa-iv
X-Virus-Scanned: ClamAV version 0.88.2, clamav-milter version 0.88.2 on yxa.extundo.com
X-Virus-Status: Clean
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 3e15cc4fdc61d7bce84032741d11c8e5
Cc: channel-binding@ietf.org, ietf-sasl@imc.org
Subject: [CHANNEL-BINDING] Re: draft-ietf-sasl-gs2 AD review comments
X-BeenThere: channel-binding@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Discussion of channel binding IANA registry requests and specifications <channel-binding.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/channel-binding>, <mailto:channel-binding-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/channel-binding>
List-Post: <mailto:channel-binding@ietf.org>
List-Help: <mailto:channel-binding-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/channel-binding>, <mailto:channel-binding-request@ietf.org?subject=subscribe>
Errors-To: channel-binding-bounces@ietf.org

Sam Hartman <hartmans-ietf@mit.edu> writes:

>>>>>> "Simon" == Simon Josefsson <simon@josefsson.org> writes:
>
>     Simon> Sam Hartman <hartmans-ietf@mit.edu> writes:
>     >> The draft looks quite good, but there are a few things that
>     >> need to be resolved before I can last call it.
>
>     Simon> Thanks for your review!
>
> Your proposed fixes look good except for the following:
>     >> It also appears to violate the requirement that the name of the
>     >> channel type be used in the channel binding data.
>
>     Simon> I believe you are referring to this requirement:
>
>     Simon>       * The name of the type of channel binding MUST be
>     Simon> used by the application and/or authentication protocol to
>     Simon> avoid ambiguity about which of several possible types of
>     Simon> channels is being bound.  If nested instances of the same
>     Simon> type of channel are available then the innermost channel
>     Simon> MUST be used.
>
>     Simon> I thought that channel binding data had to contain a unique
>     Simon> prefix which would appears to solve that problem, without
>     Simon> having to require that protocols encode the channel binding
>     Simon> type too.  If my assumption is correct, it would be useful
>     Simon> to clarify this in d-w-on-channel-binding.  No change in
>     Simon> GS2 seems necessary.  Nico?
>
> I thought it was the responsibility of the application|framework to
> add the unique prefix.  The channel binding base draft provides a
> registry for this prefix, but I thought that the channel binding
> description did not include this prefix and left it up to the
> application.  If the channel binding format must include the prefix
> then I think we need to change the channel binding base draft.
>
> Comments?

It appears simpler to me if channel binding data would always contain
the unique prefix, properly delimited.

Otherwise each protocol using channel binding need to have one slot for
the "name of the type of channel binding" and one for the channel
binding data.  That is difficult to do properly if there are no guidance
on the properties of these fields in williams-on-channel-binding.  It is
not clear to me what "name of the type of channel binding" refers to.
Is it the unique prefix?  Or the binding type?  Or the channel type?
All three fields are present in the channel binding IANA section.

For example, would concatenating the unique prefix with channel binding
data be sufficient?  How can unique prefixes look like, [a-zA-Z0-9]?  I
couldn't find anything in williams-on-channel-binding that discuss this.

/Simon

_______________________________________________
CHANNEL-BINDING mailing list
CHANNEL-BINDING@ietf.org
https://www1.ietf.org/mailman/listinfo/channel-binding

v2.23.0 | Report a Bug | By Email