[kitten] Review of draft-ietf-kitten-channel-bound-flag
Dave Cridland <dave@cridland.net> Fri, 08 February 2019 22:57 UTC
Return-Path: <dave@cridland.net>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BBDD4131066 for <kitten@ietfa.amsl.com>; Fri, 8 Feb 2019 14:57:08 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cridland.net
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id z8gsVypjlO85 for <kitten@ietfa.amsl.com>; Fri, 8 Feb 2019 14:57:05 -0800 (PST)
Received: from mail-lf1-x131.google.com (mail-lf1-x131.google.com [IPv6:2a00:1450:4864:20::131]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C1179131069 for <kitten@ietf.org>; Fri, 8 Feb 2019 14:57:04 -0800 (PST)
Received: by mail-lf1-x131.google.com with SMTP id l142so3769762lfe.2 for <kitten@ietf.org>; Fri, 08 Feb 2019 14:57:04 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cridland.net; s=google; h=mime-version:from:date:message-id:subject:to; bh=DC5okGZXUGjBScb/4ZFXAvzx05K/Zy46v5GSsTbYobU=; b=elQYdWdxmu4uia1feXW1gJ8fByjJMeuOivC/bAQKssqhoYc5KePwEm2Puj3e6XL0+f EEGcXM5j5g783vvexIHfbDxhX391tB1k5kWUF20cGlPyHAI7nFDV4Ow7lsPETSAZLiJl m4m/pq125ZWt23dIelzbHipgBBeQTGKYMnMy0=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:from:date:message-id:subject:to; bh=DC5okGZXUGjBScb/4ZFXAvzx05K/Zy46v5GSsTbYobU=; b=BiQqcMF1om2lNCQWAIHsQy72Hxtvrr1cAvS7VC2jzlnAGqp4uyarup4pzMXdYtw/ex iK+w5JD5K2jFMNb8TJtVBZE2p8sf1jVb2v/Qjk3W8+EiGxXr5n80mkTHOsnBbKz3VkkM U71P4xcGk4fP5UeOX7mF/8YfHp/nbpjD4Ee0n50J2+46X5I0U1alIGe/bwrBoB3wOk0n 5fhOd/2pe7nHkP3kQUa8OVKeWOdLpErK9mkW0YnmTJTYLc7XwzxndDz/oqwlru7oTbTy ha3EyA6TZjfuCUH1rKnd1ds/K2eSHbNxj+dR3WmiCq2qcEDx2CfUEmkFPDdz2/NA0jLW ulqw==
X-Gm-Message-State: AHQUAuYGX/mcDqkWBkwO5Ky6ety1lGKWw3ykAp2f8gh8YmERB09BU/pD WJh+Q4TuHvW8pSyzfuDfv+QcVvVGecJPhuQeDIcE6tdFFIQ=
X-Google-Smtp-Source: AHgI3IbfSUZCboXL2SVM6iqo6bSHOYZ1GGiwRxeFRzb4RHey/G7A9fk75Fn4wlDz7gHB38kph+cqOI1vLUI9LmMD5UY=
X-Received: by 2002:a19:200b:: with SMTP id g11mr14821051lfg.58.1549666622527; Fri, 08 Feb 2019 14:57:02 -0800 (PST)
MIME-Version: 1.0
From: Dave Cridland <dave@cridland.net>
Date: Fri, 08 Feb 2019 22:56:51 +0000
Message-ID: <CAKHUCzyjxJW3NHXb_2o2FQ_Efe5p1kY4wBMCvqmZmFWgE-hJaQ@mail.gmail.com>
To: kitten@ietf.org
Content-Type: multipart/alternative; boundary="0000000000008e744e058169e0cf"
Archived-At: <https://mailarchive.ietf.org/arch/msg/kitten/LiM7OGdH1bjDHF46H-Zy5vNJvnE>
Subject: [kitten] Review of draft-ietf-kitten-channel-bound-flag
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/kitten/>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 08 Feb 2019 22:57:09 -0000
Hi all, Robbie asked me to look over the aforementioned draft, and so I did, and sent him the notes below. You'll be able to readily tell that I don't know GSS-API from a bar of soap, but I hope they're useful nonetheless. He asked me to send them to the list, so here they are. I realise, re-reading them, that I seem a little grumpy. The content still stands, I think, but the tone was not intended, sorry! -- a) General comment - I'm a native English speaker, and I find parsing the double-negative "not when the initiator provides none" incredibly hard. Is this necessary phrasing, or could this be changed to be a bit more readable? For example, at the beginning of page 2: However, GSS-APIv2u1 [RFC2743 <https://tools.ietf.org/html/rfc2743>] does not specify channel binding behavior when only one party provides provides none. In practice, some mechanisms (such as Kerberos [RFC4121 <https://tools.ietf.org/html/rfc4121>]) ignore channel bindings when the acceptor provides none, but not when the initiator provides none. Note that it would be useless to allow security context establishment to succeed when the initiator does not provide channel bindings but the acceptor does, at least as long as there's no outward indication of whether channel binding was used! Since the GSS-APIv2u1 does not provide any such indication, this document corrects that flaw. So, I understand from this: * There is undefined behaviour when only one party supports channel binding. I think. Note typo in the first sentence. * In practice, if an acceptor does not provide a channel binding, some mechanisms ignore channel bindings entirely, such as Kerberos. * Conversely, if the initiator does not provide channel bindings, but the acceptor does, channel bindings are typically not ignored. I have no idea what this means in practice - does authentication fail? I get that impression from the later paragraphs. * I don't understand the note. I think it says: This latter behaviour is sensible, since to allow security context establishment to succeed in this case would be problematic absent any indication of whether channel binding was used. Maybe? But I note that's also what this document recommends later in §3, so I suspect I'm wrong. * There is no such indication in GSS-APIv2u1. Is that right? b) Empty Contexts It's a mystery to me why this is in this document. The rationale isn't explained at all. It might be that this is obvious to anyone indoctrinated into the dark art of GSS-API, which I'm certainly not. But it's first mentioned in §1.1 as if it were a necessary extension for addressing the problems described in §1. Is GSS_Set_context_flags() always to be called with an empty context? c) Typographical errors * §1, Page 2, "provides provides" (as noted before). * §3, Page 7, "This strong sugestion" -- Further notes: I'm still confused about the outcome where the Initiator supports channel bindings but does not support the flag, and the Acceptor does not support channel bindings. In SCRAM, this case is special, and the Initiator ends up passing a channel binding essentially saying it could have done it if you'd asked. This allows an Acceptor to determine if a downgrade attack were in effect or not. I have no clue if this is common in GSS-API. In any case, if an Initiator is unable to know if the channel bindings were used or not, I agree with the initial assessment that this is problematic. On that basis, I'm uncomfortable with the suggestion that an Acceptor SHOULD ignore the channel bindings and continue anyway - but there are clear trade offs between interoperability and security here. I would therefore suggest this recommendation is downgraded to OPTIONAL (ie, a MAY), and the pros and cons spelt out clearly. Dave.
- [kitten] Review of draft-ietf-kitten-channel-boun… Dave Cridland
- Re: [kitten] Review of draft-ietf-kitten-channel-… Robbie Harwood
- Re: [kitten] Review of draft-ietf-kitten-channel-… Dave Cridland