Re: [kitten] Review of draft-ietf-kitten-channel-bound-flag
Robbie Harwood <rharwood@redhat.com> Fri, 15 February 2019 19:39 UTC
Return-Path: <rharwood@redhat.com>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C62A2130FC7 for <kitten@ietfa.amsl.com>; Fri, 15 Feb 2019 11:39:52 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.9
X-Spam-Level:
X-Spam-Status: No, score=-6.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZctWi8aoGI_h for <kitten@ietfa.amsl.com>; Fri, 15 Feb 2019 11:39:49 -0800 (PST)
Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B60F4130FC4 for <kitten@ietf.org>; Fri, 15 Feb 2019 11:39:49 -0800 (PST)
Received: from smtp.corp.redhat.com (int-mx06.intmail.prod.int.phx2.redhat.com [10.5.11.16]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id 1C3C61244E1; Fri, 15 Feb 2019 19:39:49 +0000 (UTC)
Received: from localhost (ovpn-112-52.rdu2.redhat.com [10.10.112.52]) by smtp.corp.redhat.com (Postfix) with ESMTP id 9ACAD5C234; Fri, 15 Feb 2019 19:39:48 +0000 (UTC)
From: Robbie Harwood <rharwood@redhat.com>
To: Dave Cridland <dave@cridland.net>, kitten@ietf.org
In-Reply-To: <CAKHUCzyjxJW3NHXb_2o2FQ_Efe5p1kY4wBMCvqmZmFWgE-hJaQ@mail.gmail.com>
References: <CAKHUCzyjxJW3NHXb_2o2FQ_Efe5p1kY4wBMCvqmZmFWgE-hJaQ@mail.gmail.com>
Date: Fri, 15 Feb 2019 14:39:45 -0500
Message-ID: <jlg36oosuwu.fsf@redhat.com>
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha512"; protocol="application/pgp-signature"
X-Scanned-By: MIMEDefang 2.79 on 10.5.11.16
X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.38]); Fri, 15 Feb 2019 19:39:49 +0000 (UTC)
Archived-At: <https://mailarchive.ietf.org/arch/msg/kitten/FT4DDwdFpMs2gqGtHRLl947kd1c>
Subject: Re: [kitten] Review of draft-ietf-kitten-channel-bound-flag
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/kitten/>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 15 Feb 2019 19:39:53 -0000
Dave Cridland <dave@cridland.net> writes: > Hi all, > > Robbie asked me to look over the aforementioned draft, and so I did, > and sent him the notes below. You'll be able to readily tell that I > don't know GSS-API from a bar of soap, but I hope they're useful > nonetheless. Thanks Dave! > a) General comment - I'm a native English speaker, and I find parsing > the double-negative "not when the initiator provides none" incredibly > hard. Is this necessary phrasing, or could this be changed to be a bit > more readable? > > For example, at the beginning of page 2: > > However, GSS-APIv2u1 [RFC2743 > <https://tools.ietf.org/html/rfc2743>] does not specify channel > binding > behavior when only one party provides provides none.In practice, > some mechanisms (such as Kerberos [RFC4121 > <https://tools.ietf.org/html/rfc4121>]) ignore channel bindings > when the acceptor provides none, but not when the initiator provides > none. Note that it would be useless to allow security context > establishment to succeed when the initiator does not provide channel > bindings but the acceptor does, at least as long as there's no > outward indication of whether channel binding was used! Since the > GSS-APIv2u1 does not provide any such indication, this document > corrects that flaw. > > > So, I understand from this: > * There is undefined behaviour when only one party supports channel > binding. I think. Note typo in the first sentence. Yes. Suggested first sentence language: However, GSS-APIv2u1 [RFC2743] does not specify channel binding behavior when only one party provides them. > * In practice, if an acceptor does not provide a channel binding, some > mechanisms ignore channel bindings entirely, such as Kerberos. Yes. In general it seems like the phrase "provides none" is confusing - is that right? How do you feel about replacing it with language more like "when only provided by one party"? > * Conversely, if the initiator does not provide channel bindings, but > the acceptor does, channel bindings are typically not ignored. I have > no idea what this means in practice - does authentication fail? I get > that impression from the later paragraphs. Yes - per section 3, the acceptor fails to establish a security context. > * I don't understand the note. I think it says: This latter behaviour > is sensible, since to allow security context establishment to succeed > in this case would be problematic absent any indication of whether > channel binding was used. Maybe? But I note that's also what this > document recommends later in §3, so I suspect I'm wrong. Nico, do you have comments here? > * There is no such indication in GSS-APIv2u1. Yes - specifying the behavior here is (in my view) more important than which way we specify it. > b) Empty Contexts > > It's a mystery to me why this is in this document. The rationale isn't > explained at all. It might be that this is obvious to anyone > indoctrinated into the dark art of GSS-API, which I'm certainly > not. But it's first mentioned in §1.1 as if it were a necessary > extension for addressing the problems described in §1. Is > GSS_Set_context_flags() always to be called with an empty context? Good point. It's valid to call with a non-empty context as I understand (maybe Nico can speak more on this?), but the important attribute is ret_flags_understood, which there isn't currently a way to convey. And then just doing it this particular way is based on how the Java bindings work (1.1). How about this for text in 1.1: The design for signalling application flag support and empty contexts is based on the Java Bindings of the GSS-API [RFC5653]. We introduce a new function GSS_Set_context_flags() for applications to instruct the GSSAPI implementation what flags they understand. However, since the understood flags information needs to be present before GSS_Init/Accept_sec_context() are called, we also introduce a notion of empty contexts, and begin introduction of additional context inquiry and mutation functions, which eventually will also allow for simplified stepping to replace the GSS_Init/Accept_sec_context() loop. > c) Typographical errors > > * §1, Page 2, "provides provides" (as noted before). > * §3, Page 7, "This strong sugestion" Agreed, will fix. > Further notes: > > I'm still confused about the outcome where the Initiator supports > channel bindings but does not support the flag, and the Acceptor does > not support channel bindings. In SCRAM, this case is special, and the > Initiator ends up passing a channel binding essentially saying it > could have done it if you'd asked. This allows an Acceptor to > determine if a downgrade attack were in effect or not. I have no clue > if this is common in GSS-API. Interesting. This doesn't sound like the kind of idiom we have elsewhere in GSSAPI (not that that's necessarily a bad thing) > In any case, if an Initiator is unable to know if the channel bindings > were used or not, I agree with the initial assessment that this is > problematic. On that basis, I'm uncomfortable with the suggestion > that an Acceptor SHOULD ignore the channel bindings and continue > anyway - but there are clear trade offs between interoperability and > security here. > > I would therefore suggest this recommendation is downgraded to OPTIONAL > (ie, a MAY), and the pros and cons spelt out clearly. We're talking about the third bullet in section 3, right? Whenever the initiator application has a) provided channel bindings to GSS_Init_sec_context(), and b) not indicated support for the ret_channel_bound_flag flag, then the mechanism SHOULD NOT fail to establish a security context just because the acceptor failed to provide channel bindings data. This strong sugestion is for interoperability purposes, and reflects actual implementations that have been deployed. The difference between SHOULD NOT / MAY NOT isn't particularly important to me; Nico, do you have feelings in this regard? Thanks, --Robbie
- [kitten] Review of draft-ietf-kitten-channel-boun… Dave Cridland
- Re: [kitten] Review of draft-ietf-kitten-channel-… Robbie Harwood
- Re: [kitten] Review of draft-ietf-kitten-channel-… Dave Cridland