Re: [kitten] draft-hansen-scram-sha256 and incorporating session hashing for channel binding
Tony Hansen <tony@att.com> Tue, 26 May 2015 22:24 UTC
Return-Path: <tony@att.com>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5DAB61B323A for <kitten@ietfa.amsl.com>; Tue, 26 May 2015 15:24:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.789
X-Spam-Level:
X-Spam-Status: No, score=-1.789 tagged_above=-999 required=5 tests=[BAYES_05=-0.5, MISSING_HEADERS=1.021, RCVD_IN_DNSWL_MED=-2.3, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id tfGcAQzop6a3 for <kitten@ietfa.amsl.com>; Tue, 26 May 2015 15:24:23 -0700 (PDT)
Received: from nbfkord-smmo06.seg.att.com (nbfkord-smmo06.seg.att.com [209.65.160.94]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AAD5A1B3221 for <kitten@ietf.org>; Tue, 26 May 2015 15:24:22 -0700 (PDT)
Received: from unknown [144.160.229.23] (EHLO alpi154.enaf.aldc.att.com) by nbfkord-smmo06.seg.att.com(mxl_mta-7.2.4-5) over TLS secured channel with ESMTP id 692f4655.0.4899610.00-2056.13106110.nbfkord-smmo06.seg.att.com (envelope-from <tony@att.com>); Tue, 26 May 2015 22:24:22 +0000 (UTC)
X-MXL-Hash: 5564f2961f38413f-de34fe8819b7d9374ce746de2f28665ef83b1f9b
Received: from enaf.aldc.att.com (localhost [127.0.0.1]) by alpi154.enaf.aldc.att.com (8.14.5/8.14.5) with ESMTP id t4QMOLRj013398 for <kitten@ietf.org>; Tue, 26 May 2015 18:24:21 -0400
Received: from alpi131.aldc.att.com (alpi131.aldc.att.com [130.8.218.69]) by alpi154.enaf.aldc.att.com (8.14.5/8.14.5) with ESMTP id t4QMOG6g013353 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO) for <kitten@ietf.org>; Tue, 26 May 2015 18:24:18 -0400
Received: from alpi153.aldc.att.com (alpi153.aldc.att.com [130.8.42.31]) by alpi131.aldc.att.com (RSA Interceptor) for <kitten@ietf.org>; Tue, 26 May 2015 22:24:04 GMT
Received: from aldc.att.com (localhost [127.0.0.1]) by alpi153.aldc.att.com (8.14.5/8.14.5) with ESMTP id t4QMO4EV021783 for <kitten@ietf.org>; Tue, 26 May 2015 18:24:04 -0400
Received: from mailgw1.maillennium.att.com (maillennium.att.com [135.25.114.99]) by alpi153.aldc.att.com (8.14.5/8.14.5) with ESMTP id t4QMNwhj021526 for <kitten@ietf.org>; Tue, 26 May 2015 18:24:00 -0400
Received: from flcdtd01bk9538.itservices.sbc.com (flcdtd01bk9538.itservices.sbc.com?[135.110.240.72](misconfigured sender)) by maillennium.att.com (mailgw1) with ESMTP id <20150526222358gw1000cec7e>; Tue, 26 May 2015 22:23:58 +0000
X-Originating-IP: [135.110.240.72]
Message-ID: <5564F27D.70109@att.com>
Date: Tue, 26 May 2015 18:23:57 -0400
From: Tony Hansen <tony@att.com>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:31.0) Gecko/20100101 Thunderbird/31.7.0
MIME-Version: 1.0
CC: "kitten@ietf.org" <kitten@ietf.org>
References: <54DC00D0.2050900@cs.tcd.ie> <54EC66FF.50603@cs.tcd.ie> <54ECABD8.3090902@att.com> <87zj82f1yj.fsf@latte.josefsson.org> <54F4B8B8.8090406@isode.com> <555FC6CF.5020306@att.com> <20150523162728.5b6b63cd@latte.josefsson.org>
In-Reply-To: <20150523162728.5b6b63cd@latte.josefsson.org>
Content-Type: multipart/signed; micalg="pgp-sha512"; protocol="application/pgp-signature"; boundary="euk3u1TEbFRVwKhe8VIQvsjJLw2MmPBvX"
X-RSA-Inspected: yes
X-RSA-Classifications: public
X-AnalysisOut: [v=2.0 cv=DLg4FVxb c=1 sm=1 a=VXHOiMMwGAwA+y4G3/O+aw==:17 a]
X-AnalysisOut: [=9cW_t1CCXrUA:10 a=tHvJy1wsfNMA:10 a=Canz06MUmCAA:10 a=BLc]
X-AnalysisOut: [eEmwcHowA:10 a=zQP7CpKOAAAA:8 a=h1PgugrvaO0A:10 a=jwRGozL_]
X-AnalysisOut: [yhds8iGoRyoA:9 a=pILNOxqGKmIA:10 a=j4nzMFrpAAAA:8 a=ksZ6Tr]
X-AnalysisOut: [X1T2DVG6tTqZUA:9]
X-Spam: [F=0.2000000000; CM=0.500; S=0.200(2014051901)]
X-MAIL-FROM: <tony@att.com>
X-SOURCE-IP: [144.160.229.23]
Archived-At: <http://mailarchive.ietf.org/arch/msg/kitten/R8g7WZrRHUSaGMOU0ZVcLyD2Nzw>
Subject: Re: [kitten] draft-hansen-scram-sha256 and incorporating session hashing for channel binding
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/kitten/>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 26 May 2015 22:24:24 -0000
On 5/23/15 10:27 AM, Simon Josefsson wrote: > ... > This text has nothing to do with the tls-session-hash issue? Sorry, it has the text I added because of earlier issues brought up within this thread. No, it doesn't address tls-session-hash. > If you don't want to ship a known insecure protocol, I believe the > options are to either include text similar to what I proposed above, > or to replace tls-unique with a secure TLS channel binding (e.g., > draft-josefsson-sasl-tls-cb). Shipping a known insecure protocol is > another option, but then you should add a security consideration > explaining that tls-unique is not secure without tls-session-hash and > that consistency with (the also insecure) RFC 5802 was deemed more > important security. Your suggested text is: "To be secure SCRAM-SHA-256-PLUS has to be used over a TLS channel that MUST have [TLS-SESSION-HASH] negotiated." You then go on to say: "Personally, I would prefer to change to another mandatory channel binding that is secure for all TLS versions." Given the other comments in this thread, I'm not sure the suggested text is the right thing to add. Tony Hansen
- [kitten] AD sponsoring draft-hansen-scram-sha256 Stephen Farrell
- Re: [kitten] AD sponsoring draft-hansen-scram-sha… Peter Saint-Andre - &yet
- Re: [kitten] AD sponsoring draft-hansen-scram-sha… Tony Hansen
- Re: [kitten] AD sponsoring draft-hansen-scram-sha… Peter Saint-Andre - &yet
- Re: [kitten] AD sponsoring draft-hansen-scram-sha… Simon Josefsson
- Re: [kitten] [saag] AD sponsoring draft-hansen-sc… Simon Josefsson
- Re: [kitten] [saag] AD sponsoring draft-hansen-sc… Alexey Melnikov
- Re: [kitten] [saag] AD sponsoring draft-hansen-sc… Dave Cridland
- Re: [kitten] AD sponsoring draft-hansen-scram-sha… Simon Josefsson
- Re: [kitten] [saag] AD sponsoring draft-hansen-sc… Martin Thomson
- Re: [kitten] [saag] AD sponsoring draft-hansen-sc… Sam Whited
- Re: [kitten] [saag] AD sponsoring draft-hansen-sc… Stephen Farrell
- Re: [kitten] [saag] AD sponsoring draft-hansen-sc… Tony Hansen
- Re: [kitten] [saag] AD sponsoring draft-hansen-sc… Tony Hansen
- [kitten] draft-hansen-scram-sha256 and the hash i… Tony Hansen
- [kitten] draft-hansen-scram-sha256 and incorporat… Tony Hansen
- Re: [kitten] draft-hansen-scram-sha256 and the ha… Dave Cridland
- Re: [kitten] draft-hansen-scram-sha256 and the ha… Alexey Melnikov
- Re: [kitten] draft-hansen-scram-sha256 and the ha… Tony Hansen
- Re: [kitten] draft-hansen-scram-sha256 and the ha… Simon Josefsson
- Re: [kitten] draft-hansen-scram-sha256 and incorp… Simon Josefsson
- Re: [kitten] draft-hansen-scram-sha256 and incorp… Alexey Melnikov
- Re: [kitten] draft-hansen-scram-sha256 and incorp… Simon Josefsson
- Re: [kitten] draft-hansen-scram-sha256 and incorp… Alexey Melnikov
- Re: [kitten] draft-hansen-scram-sha256 and incorp… Tony Hansen
- Re: [kitten] [saag] AD sponsoring draft-hansen-sc… Karthikeyan Bhargavan
- Re: [kitten] draft-hansen-scram-sha256 and incorp… Simon Josefsson
- Re: [kitten] [saag] AD sponsoring draft-hansen-sc… Simon Josefsson
- Re: [kitten] draft-hansen-scram-sha256 and incorp… Nico Williams
- Re: [kitten] draft-hansen-scram-sha256 and incorp… Nico Williams
- Re: [kitten] draft-hansen-scram-sha256 and incorp… Simon Josefsson
- Re: [kitten] draft-hansen-scram-sha256 and incorp… Simon Josefsson
- Re: [kitten] draft-hansen-scram-sha256 and incorp… Stephen Farrell
- Re: [kitten] draft-hansen-scram-sha256 and incorp… Nico Williams
- Re: [kitten] draft-hansen-scram-sha256 and incorp… Tony Hansen
- Re: [kitten] draft-hansen-scram-sha256 and incorp… Nico Williams
- Re: [kitten] draft-hansen-scram-sha256 and incorp… Simon Josefsson
- Re: [kitten] draft-hansen-scram-sha256 and incorp… Tony Hansen
- Re: [kitten] draft-hansen-scram-sha256 and incorp… Nico Williams
- Re: [kitten] draft-hansen-scram-sha256 and incorp… Simon Josefsson
- Re: [kitten] draft-hansen-scram-sha256 and incorp… Simon Josefsson
- Re: [kitten] draft-hansen-scram-sha256 and incorp… Nico Williams
- Re: [kitten] draft-hansen-scram-sha256 and incorp… Tony Hansen