Re: [kitten] SASL, how to choose the type of channel binding?
Simon Josefsson <simon@josefsson.org> Tue, 21 April 2020 21:33 UTC
Return-Path: <simon@josefsson.org>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3C0283A0A84 for <kitten@ietfa.amsl.com>; Tue, 21 Apr 2020 14:33:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level:
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=josefsson.org
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id lIf9exFCA-qD for <kitten@ietfa.amsl.com>; Tue, 21 Apr 2020 14:33:17 -0700 (PDT)
Received: from duva.sjd.se (duva.sjd.se [IPv6:2001:9b1:8633::105]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DFE2D3A0AB7 for <kitten@ietf.org>; Tue, 21 Apr 2020 14:33:16 -0700 (PDT)
Received: from latte (31-208-42-58.cust.bredband2.com [31.208.42.58]) (authenticated bits=0) by duva.sjd.se (8.15.2/8.15.2/Debian-8) with ESMTPSA id 03LLX0ww023952 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Tue, 21 Apr 2020 21:33:01 GMT
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=josefsson.org; s=default; t=1587504784; bh=2BZVtNAexVL88Fk9xb8PkOszJQOEraK8prBFBt8xTNs=; h=From:To:Cc:Subject:References:Date:In-Reply-To:From; b=Gb/PLsnIN3xdo7gAF/LakNfOalsHvRhTdKVGwkwAO9q2kDAcG+C/lR/Fs3eFJ218F 7mSfBFvXvhuJlc9PeAXMoe+17e+2NoHZIqfwoIgxop7Ev8ll+WTnybW0pBcegQyGCW bfSPhyyLTu29tJ9cG9lW1i6vcj7S5CaohaXlEFNYHC4orrB5ZIZNTAyZfeTkceAjsI 6h6o2qB9O2vu38zRvj6rRF6kxI1JStsMn3boXW4hU7dhbFOVYMDZhguQp2QU0/kq3y 6x555MYo1YZ/E1hE2RhAs+v/Ibg4IdAP+aucJsWRRqj3M6mO9kdIPXqaAd9CYvJB3x qhqrYFw2IH9Tw==
From: Simon Josefsson <simon@josefsson.org>
To: Rick van Rein <rick@openfortress.nl>
Cc: "kitten@ietf.org" <kitten@ietf.org>
References: <5E8F1ED9.1020108@openfortress.nl>
OpenPGP: id=B1D2BD1375BECB784CF4F8C4D73CF638C53C06BE; url=https://josefsson.org/key-20190320.txt
X-Hashcash: 1:22:200421:rick@openfortress.nl::q8vdhlbfvCNiC5e5:980z
X-Hashcash: 1:22:200421:kitten@ietf.org::+njj1wvlI6GHKKyn:Ta14
Date: Tue, 21 Apr 2020 23:33:00 +0200
In-Reply-To: <5E8F1ED9.1020108@openfortress.nl> (Rick van Rein's message of "Thu, 09 Apr 2020 15:10:49 +0200")
Message-ID: <87zhb4jzhv.fsf@latte.josefsson.org>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/26.1 (gnu/linux)
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha256"; protocol="application/pgp-signature"
X-Virus-Scanned: clamav-milter 0.102.2 at duva.sjd.se
X-Virus-Status: Clean
Archived-At: <https://mailarchive.ietf.org/arch/msg/kitten/7WeM7zBryhdDpYCOwpJdaq94KJk>
Subject: Re: [kitten] SASL, how to choose the type of channel binding?
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/kitten/>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 21 Apr 2020 21:33:22 -0000
Rick van Rein <rick@openfortress.nl> writes: > Hello, > > I can see that the GS2 negotiates *whether* to use channel binding, but > how can a client and server agree on *which* form to use? Practically it is hard-coded to 'tls-unique' that, alas, has security issues. See RFC 7627. GS2 does not provide any facility to (reliably) negotiate which channel binding type to use, that negotiation has to come from the SASL application protocol or out-of-band. See section 5.2 of the document. I don't recall any SASL application protocols that provide this feature -- does anyone know of any example? I believe this is one of the serious problems with GS2, that some day could warrant an update of it. The problem can be resolved in the same way as RFC 7677 did for SCRAM's use of insecure tls-unique. Another solution is to hard code a channel binding that has better secure properties -- perhaps a revised version of https://tools.ietf.org/html/draft-josefsson-sasl-tls-cb-03 /Simon 5.2. Default Channel Binding A default channel binding type agreement process for all SASL application protocols that do not provide their own channel binding type agreement is provided as follows. 'tls-unique' is the default channel binding type for any application that doesn't specify one. Servers MUST implement the "tls-unique" [RFC5929] channel binding type, if they implement any channel binding. Clients SHOULD implement the "tls-unique" channel binding type, if they implement any channel binding. Clients and servers SHOULD choose the highest- layer/innermost end-to-end TLS channel as the channel to which to bind. Servers MUST choose the channel binding type indicated by the client, or fail authentication if they don't support it.
- [kitten] SASL, how to choose the type of channel … Rick van Rein
- Re: [kitten] SASL, how to choose the type of chan… Rick van Rein
- Re: [kitten] SASL, how to choose the type of chan… Luke Howard
- Re: [kitten] SASL, how to choose the type of chan… Simon Josefsson
- Re: [kitten] SASL, how to choose the type of chan… Dave Cridland
- Re: [kitten] SASL, how to choose the type of chan… Rick van Rein
- Re: [kitten] SASL, how to choose the type of chan… Simon Josefsson
- Re: [kitten] SASL, how to choose the type of chan… Dave Cridland